27 percent of all bot attacks in 2024 were directed at the travel industry

It’s holiday season, people want to travel, and many consumers are frustrated. The reason: bots are slowing down travel providers’ websites. A total of 27 percent of global bot traffic in 2024 was attributable to the travel industry, up from 21 percent in 2023. Bots now account for 59 percent of all traffic on travel websites, causing significant disruption and performance degradation.

These bots actively hijack customer accounts, collect price data and hoard inventory. This drives up demand, impairs website performance and reduces revenue. The result: frustrated customers, overloaded infrastructure and damaged brand trust.

These findings come from the recently published Thales Bad Bot Report 2025, a global analysis of automated bot traffic on the internet.

The latest research study shows that the travel industry is now the most affected by bot attacks worldwide. This is particularly acute during the peak summer season, when travel companies face a wave of malicious bot activity that threatens operations, customer experience and revenue.

The rise of simple bot attacks

Simple bot attacks have increased significantly and now account for more than half (52 percent) of bot traffic on travel websites. This increase is due to the growing availability of user-friendly AI tools that allow even inexperienced hackers to flood platforms with disruptive traffic.

APIs: The new line of defence

With nearly half (44 percent) of advanced bot traffic now targeting APIs, core services such as flight and hotel searches, price comparison sites and loyalty programmes are increasingly at risk. As bots become better at mimicking humans, traditional defences such as CAPTCHAs are no longer effective and often hinder genuine users more than they deter attackers.

The main threats to the travel industry

Malicious bots affect travel companies in a variety of ways, including:

• Seat spinning: A threat specific to ticket and travel booking sites, where bots are used to reserve seats by going through the booking process until payment. This can drive up prices, reduce availability and prevent genuine customers from completing their bookings.
• SMS pumping: Exploits SMS for customer notifications and authentication. Bots trigger a large number of messages to premium numbers, driving up costs and disrupting legitimate communications.
• Distortion of the look-to-book ratio: Excessive bot traffic increases the look-to-book ratio, an important metric used by airlines and travel companies to measure their success. The result: a distortion of demand signals and pricing models.
• Unauthorised scraping: Competitors and fraudsters collect price data, undermining pricing strategies and revenue.
• Loyalty programme fraud: Bots use credential stuffing to hijack accounts, steal loyalty rewards and fraudulently collect reward points.
• Ticket scalping: Bots hoard tickets for high-demand routes or events and resell them to real customers at inflated prices.

‘Malicious bots are no longer just causing chaos on the internet, they’re also hijacking holiday trips,’ says Julian Iavarone, Senior Sales Engineer for the DACH region at Thales. ‘Travel websites are currently being flooded with bots that pose as real customers, buy tickets, scrape prices and slow everything down. This frustrates customers and travel companies struggle to distinguish them from bots.’

Conventional defences are no longer enough. Travel companies need a smarter, multi-layered approach that blocks credential stuffing attacks, protects vulnerable areas such as logins and checkouts, and stays one step ahead of bots through continuous testing and threat monitoring. With the summer peak season already in full swing, companies need to act now to protect their platforms before bots take over the holiday rush.