August 06, 2025

Bot Voyage! How Bad Bots Are Hijacking the Travel Industry

travel, automation, bots

By Steve Prentice

Imagine planning your dream vacation, only to find prices have mysteriously skyrocketed, flights are suddenly unavailable, and the booking site keeps stalling. The thing is, there’s more to these frustrations than just high demand. Behind the scenes, a silent digital battle is being fought, and travel companies and consumers find themselves together on the frontlines. Steve Prentice dives into the trenches to discover the customer experience conflict.

Why is the Travel Industry Such A Target?

According to the latest Bad Bot Report, the travel sector has overtaken retail as the number one industry targeted by bots in 2024, accounting for 27% of all bot attacks. 

Why the spike? Grainne McKeever, Senior Product Marketing Manager and cybersecurity specialist at Thales, talked with me during the most recent episode of the Thales Security Sessions podcast, Bot Voyage!. As she sees it, there’s a perfect storm out there. The travel sector bustles with transactional activities such as bookings, reservations, and pricing engines, all of which are ideal and fertile landscapes for bot operators. Add to that the rise of AI-driven attack tools that lower the barrier to entry for cybercriminals, and a major problem materializes.

The return of global travel post-COVID, paired with a surge in online booking platforms, means attackers can capitalize on new vulnerabilities while enjoying a lower barrier to entry. In fact, McKeever reveals a surprising trend: simple bot attacks, the kind that don’t require much technical expertise but still cause serious disruption, are outpacing more sophisticated techniques.

Simple Bots, Big Damage

These “low-tech”, simple bots are proving just as harmful as their more advanced cousins. They are quite content to perform manual tasks such as scraping data from travel sites, especially pricing and availability information. This might appear innocuous at first glance, but scraping inflates bandwidth and computing costs, and more significantly, manipulates market dynamics. The scraped data often ends up being used to undercut competitors or confuse customers with misleading pricing elsewhere.

Adding to the noise of this attack is the rise of “bots as a service” in the form of cheap, pre-packaged attack tools that anyone can buy and deploy with no skill required. Combined with AI, this has democratized cybercrime on an unprecedented level.

From Seat-Spinning to Loyalty Fraud

The impacts of bots on travel are alarmingly far-reaching, as McKeever describes. She outlines several bot-related threats specific to travel:

Seat-Spinning Bots temporarily reserve seats on flights or trains without completing a purchase, thus blocking inventory from real customers and leading to lost revenue for the travel company.

Look-to-Book Ratio Skewing: Look-to-Book is a travel industry term for the process a consumer takes from looking for a trip all the way through to booking it and paying for it. It is a critical metric in travel forecasting, which bots easily disrupt by flooding booking sites with fake traffic. When thousands of searches (mostly fake ones) yield only a handful of purchases, the data becomes unreliable, making it harder for companies to adjust pricing and marketing strategies effectively.

  • Loyalty Program Fraud: Bots attempt credential stuffing, using stolen usernames and passwords to take over customer accounts and drain them of points, discounts, or personal data. For travel companies, this represents not just a financial liability but a reputational one as well.

The Weakest Link? It’s Always Humans

McKeever emphasizes that there is always a human behind every bot, whether they work for profit, sabotage, or just as “cyber hooligans.” On the victim side, humans are often the weakest link in the chain, with individuals and companies practicing poor password hygiene, not using multi-factor authentication, and not enforcing cybersecurity best practices.

McKeever points out the irony that the same AI that enables these attacks can also be used to defend against them when companies are proactive enough to adopt it. Behavioral analytics, anomaly detection, and machine learning are all key tools in identifying suspicious traffic and stopping bad bots before they cause harm.

What Can Be Done?

She offers a practical, layered approach to fighting back against bad bots:

Deploy advanced bot protection: Go beyond CAPTCHAs, which are still, surprisingly, one of the most popular security screening tools on travel websites. Modern bots can easily bypass them, even while the rest of us struggle to decide whether a tiny sliver of an exhaust pipe qualifies as “a motorcycle.” Instead, McKeever says, focus on solutions that incorporate AI-driven behavioral detection and anomaly spotting.

Monitor continuously: Security is not a set-it-and-forget-it option. Companies must define what normal traffic looks like by region, volume, or user behavior, and flag deviations early. 

  • Protect APIs: Travel platforms rely heavily on APIs to interact with aggregators and booking systems. These are prime targets and must be secured against automated abuse.

Use honeypots and dynamic rate limiting: These tools can help identify bot activity based on behavior patterns and missteps that real users wouldn’t make. In short, rather than relying solely on defending against an attack, consider leading the attackers into a trap.

McKeever points out the sad but common truth: smaller travel agencies are especially at risk. Unlike their larger counterparts, they may lack the resources or know-how to implement comprehensive bot mitigation strategies. For them, partnering with global distribution systems (GDS) that offer built-in security, like the partnership Thales has launched, is a smart move toward risk pooling and resilience.

Looking Ahead: Regulation and Innovation

As bot attacks rise in frequency and sophistication, McKeever sees tighter regulations across the travel industry, particularly around consumer data and booking systems. She adds that staying ahead of criminals and compliance will require ongoing innovation and vigilance.

Listen and Learn

If you work in the travel industry, or even if you don’t, this episode is a must-listen. Grainne McKeever brings expert insight into the evolving threat landscape and offers a roadmap for defending against it. It’s a sobering look at how something as invisible as a bot can have such tangible effects on prices, trust, and travel. 

Steve Prentice is a specialist in organizational psychology, focusing on the interaction of people, technology and change. He works as a speaker, author, broadcaster and writer, with clients in IT, cybersecurity, government, healthcare, and law, dealing with cybersecurity, AI, blockchain and the future of work. 

Steve is the author of three business books and is a ghostwriter for experts worldwide. He is a visiting lecturer at the at Ontario Tech University, and delivers keynotes, media interviews, white papers, and podcasts on these topics.

Customer Experience

Related articles

The latest cx newsGlobal shifts: AI job cuts, deportation risks, and disturbing travel incidentsContact centreNebula and Cirrus integrate for a cloud-native comms and customer engagement solutionQualtrics and Singapore Airlines Partner For A Customer Experience Jet Boost