- Bots now dominate the threat landscape for travel platforms during peak booking periods
- Fake demand created by bots leads to inflated prices and fewer options for real users
- SMS pumping attacks are draining funds and delaying key notifications for travelers
As summer travel hits its peak, a new concern is emerging that has little to do with rising fuel costs or demand-driven pricing.
A growing volume of automated traffic is now being blamed for driving up flight prices, disrupting bookings, and damaging the experience for travelers, experts have warned.
The 2025 Thales Bad Bot Report claims the travel sector accounted for 27% of all bot-related activity globally last year, making it the most targeted industry.
Travel sector emerges as the top target for automated bot attacks
The report outlines several ways bots are interfering with online travel platforms.
One key issue is “seat spinning,” where bots initiate the booking process but do not complete payment – by hoarding inventory temporarily, they reduce availability and may create a false perception of scarcity, which can influence pricing algorithms.
In some cases, bots resell the tickets they secure through “ticket scalping,” pushing genuine customers toward inflated prices or unavailable flights.
These attacks also exploit messaging systems through what is known as “SMS pumping,” which involves triggering high volumes of text messages to premium-rate numbers, increasing costs for companies and potentially delaying important customer notifications.
“Bad bots aren’t just causing chaos online anymore, they’re hijacking holidays,” said Tim Ayling, cybersecurity specialist at Thales.
“Right now, travel websites are being overwhelmed by bots pretending to be real customers, snapping up tickets, scraping prices, and slowing everything down.”
As more transactions shift to mobile, the problem has become more visible, particularly for last-minute travelers relying on real-time updates.
The bots themselves are becoming easier to deploy, and there is a surge in simpler, more accessible bots, often driven by AI-based tools.
These are not the domain of sophisticated hackers alone. Low-skilled actors can now use basic scripts or free proxy setups to bypass traditional security.
Even the use of VPN and proxy services, typically associated with privacy, is sometimes manipulated to mask malicious traffic, giving bots the appearance of legitimate users accessing from different regions.
Another emerging problem is the targeting of APIs, which power search results, pricing engines, and loyalty programs.
Nearly half of all advanced bot attacks now focus on these areas, and they can interfere with backend functions, slowing down entire websites or even causing them to crash.
Attackers also use advanced techniques to mimic genuine human behavior, making it harder for traditional defenses to detect and block harmful traffic.
Methods such as CAPTCHA, once effective, are no longer reliable, often frustrating real users more than bots.
“Traditional defenses just aren’t cutting it. Travel companies need a smarter, layered approach, blocking credential stuffing attacks and securing vulnerable areas like logins and checkouts through continuous testing and threat monitoring.”
In a digital environment where automation now surpasses human web traffic, the challenge facing airlines and travel sites is less about visibility and more about precision.
