New research finds that automated bots now make up a majority of traffic to travel websites, accounting for significant disruption across the global tourism sector.
The 2025 Thales Bad Bot Report provides a detailed examination of automated bot activity online and indicates that the travel industry has overtaken other sectors as the most targeted for such attacks. The report highlights that nearly 60% of visits to travel sector websites are now coming from bots rather than actual users, creating an array of challenges for businesses and travellers alike.
Rising bot traffic
According to analysis in the latest report, 2024 saw 27% of all global bot traffic directed at the travel industry, a notable increase from the 21% recorded in 2023. This traffic has led to degraded site performance and operational difficulties for many travel businesses, with bots systematically targeting booking systems, pricing engines, and loyalty scheme infrastructure.
The increased automation behind these attacks means that travel companies are now consistently experiencing issues such as inventory hoarding, artificial inflation of prices, and the theft of loyalty points. The aftereffects extend directly to consumers, who face slower booking platforms, price changes, and difficulties completing legitimate transactions.
Tim Ayling, Cybersecurity Specialist at Thales, emphasised the extent of the problem.
“Bad bots aren’t just causing chaos online anymore, they’re hijacking holidays. Right now, travel websites are being overwhelmed by bots pretending to be real customers snapping up tickets, scraping prices, and slowing everything down. It’s leaving customers frustrated and businesses struggling to keep up.
Simple bots on the rise
One aspect identified by the report is the surge in basic, or “simple”, bot attacks. These now represent 52% of all bot-driven incidents affecting the travel sector. Industry analysts attribute this rise to the growing accessibility of AI-based automation tools, enabling even those with limited technical ability to launch disruptive campaigns against travel providers.
API vulnerabilities exposed
APIs, which underpin many essential online travel services such as flight and hotel searches, dynamic pricing, and reward schemes, have become a key focus for attackers. The report notes that 44% of advanced bot attacks in 2024 specifically targeted these interfaces. As the sophistication of bots increases, traditional safeguards like CAPTCHAs are proving less effective, and they may even create additional barriers for genuine users seeking to make bookings.
Impact on industry and consumers
The study identifies a series of threats that particularly affect travel businesses:
Seat spinning: Within the airline sector, bots reserve flight seats up to the point of payment, holding inventory in limbo and limiting availability for real customers. This can drive prices higher and contribute to booking failures.
SMS pumping: Bots exploit messaging services by triggering large quantities of SMS notifications or authentication messages to premium-rate numbers, inflating costs and interrupting legitimate customer communication channels.
Look-to-book distortion: Automated traffic raises the ratio of website visits to actual bookings, distorting crucial business metrics and confusing demand forecasting models.
Data scraping and ticket scalping: Malevolent actors scrape price data to undermine competitive strategies, while ticket scalpers use bots to obtain large numbers of tickets on popular routes, later reselling them at higher prices.
Loyalty programme fraud: Bots attempt credential stuffing attacks to gain unauthorised access to customer accounts, enabling theft of reward points and fraudulent activity within loyalty ecosystems.
Calls for better defences
According to the findings, organisations relying on existing methods such as CAPTCHAs are likely to find them insufficient as cyber actors adapt their techniques. Tim Ayling commented on the need for new measures:
“Traditional defences just aren’t cutting it. Travel companies need a smarter, layered approach blocking credential stuffing attacks, securing vulnerable areas like logins and checkouts, and being one step ahead of the bots through continuous testing and threat monitoring. With summer peak season approaching, businesses must act now to protect their platforms before bots take over the holiday rush.”
The report concludes that the scale and sophistication of bot attacks show no signs of abating, leading to concerns for both industry viability and customer experience as online travel activity intensifies throughout the year.
