SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Robotic hands computer airplanes hotel buildings automated online travel bookings
#
AI
#
Cybersecurity
#
Airlines

Automated bots now make up 59% of all traffic to travel sites

Thu, 24th Jul 2025
Author image
By Jed Nykolle Harme, Editor

Automated bots now account for nearly 60% of all traffic to travel websites, with the sector experiencing a significant surge in disruptive attacks, according to a new report.

The 2025 Thales Bad Bot Report, a global analysis of automated internet traffic, found that the travel industry was the most targeted sector for bot attacks in 2024. The data revealed that 27% of all global bot traffic this year was directed at travel-related platforms, an increase from 21% the previous year.

Increasing bot activity

The research highlights a marked shift in the online challenges facing airlines, hotel chains, and travel booking sites. Automated bots now make up 59% of overall visits to travel websites, a development that has coincided with the summer holiday peak season and intensified pressure on digital infrastructure.

According to the report, these bots engage in a variety of disruptive activities, including account hijacking, price data scraping, and inventory hoarding. Such actions can leave legitimate customers facing higher prices, difficulty booking, slow site performance, and occasional booking failures. The increased traffic from bots has also resulted in degraded site performance and weakened customer trust in brands.

Simple attacks on the rise

Simple bot attacks, according to the report, have seen a significant uptick and now represent 52% of all bot traffic targeting travel sites. Experts attribute this rise to the proliferation of user-friendly AI tools, which have enabled less technically skilled cybercriminals to launch disruptive campaigns against these platforms.

API vulnerability

The study underlines that nearly half, or 44%, of advanced bot traffic is now aimed at APIs, which are integral to online flight searches, hotel room availability, and pricing engines. This trend leaves key services and loyalty programmes increasingly exposed, as bots become more sophisticated and human-like in their interactions.

Traditional measures, such as CAPTCHAs, are proving less effective against these advanced bots, whilst often creating friction for legitimate users attempting to book travel or access their accounts.

Key threats identified

The report details several problematic techniques used by bad bots to exploit travel industry systems. These include "seat spinning," in which bots hold airline seats through the booking process up to the point of payment, thus reducing seat availability and artificially inflating prices. Another mentioned threat is "SMS pumping," where bots trigger high volumes of expensive messaging traffic to premium-rate numbers, increasing operational costs.

Additional issues include the distortion of the look-to-book ratio, a crucial metric for airlines which gets skewed when bot activity falsely inflates demand figures. Bots are also used for unauthorised data scraping, allowing competitors or fraudsters to undermine fare strategies, and for credential stuffing to hijack loyalty accounts and steal reward points. Ticket scalping by bots - hoarding high-demand tickets and reselling them at inflated prices - remains an ongoing concern.

"Bad bots aren't just causing chaos online anymore, they're hijacking holidays," said Tim Ayling, cybersecurity specialist at Thales. "Right now, travel websites are being overwhelmed by bots pretending to be real customers snapping up tickets, scraping prices, and slowing everything down. It's leaving customers frustrated and businesses struggling to keep up.

"Traditional defences just aren't cutting it. Travel companies need a smarter, layered approach blocking credential stuffing attacks, securing vulnerable areas like logins and checkouts, and being one step ahead of the bots through continuous testing and threat monitoring. With summer peak season approaching, businesses must act now to protect their platforms before bots take over the holiday rush."

The report emphasises that many of the current security strategies deployed by travel companies are no longer fit for purpose against this new wave of automated threats. The recommendation is for the sector to invest in updated security measures, focusing on layered protections and constant threat monitoring to counteract increasingly sophisticated and human-like bot activity.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
System administrators drive Asia’s AI success amidst rapid change
CREST launches staged programme to guide firms to full cyber accreditation
Digital attack surfaces expand as key exposures & risks double
ManageEngine AD360 adds identity risk & MFA to combat breaches
Siren & Flashpoint partner to boost intelligence investigations

Top stories

Lab 1 report reveals unstructured data heightens breach risks
Global ransomware attacks drop 43% but threats evolve quickly
PT KAI partners with Zimbra for secure & sovereign email upgrade
All top 100 Singapore firms hit by third-party cyber breaches
Motorola unveils 'AI nutrition labels' for safety technologies