Are Bots Threatening the Travel Industry?

Alex McConnell
Alex McConnell
06/05/21
3 Minute read
Are Bots Threatening the Travel Industry?

Article Contents

    In 2019, the travel and tourism industries contributed £106 billion to the British economy, supporting 2.6 million jobs. The Covid-19 pandemic was estimated to have cost the international tourism market upwards of $1 trillion as governments across the globe issued strict Covid travel restrictions and the travel market ground to a halt. Flights were canceled, and even domestic travel was limited, meaning international tourism arrivals dropped by 87% between January 2020 and 2021.

    Now that restrictions have lifted, the travel industry has started to bounce back, recovering 63% of pre-pandemic levels in 2022. However, with an increase in bookings comes an increase in bot activity.

    The travel bot problem

    The same bot threats as previous years are hitting the tourism industry hard:

    While the attacks may be similar to those witnessed before, what has changed is the volume, speed, and sophistication of such threats.

    Price and availability scraping

    In travel, web scraper bots are mainly used to collect fare and availability information. Threat actors advertise the scraped information at lower price points on secondary sites, motivated by the financial rewards of charging commissions, stealing personal data, or generating advertising revenue.

    88% of travel businesses surveyed by Netacea said that price scraping bots had a negative financial impact on their business in 2022. If uncontrolled, scraping can impact top-line revenue, bottom line profits and customer experience, including:

    • Loss of competitive price advantage and potential auxiliary sales such as car rental and insurance
    • Skewed look-to-book ratios (used by the travel industry to measure the number of people visiting a website compared to those who make a purchase)
    • Inaccurate number of website viewers interested in a certain product or booking, leading to reduced conversions and misleading website analytics
    • Gathering data used in more sophisticated attacks such as spinner or denial of inventory bots

    Denial of inventory

    Denial of inventory across travel websites involves making fake reservations for hotel rooms, restaurants, holidays and flights, and holding these bookings until the ticket, room or booking becomes sold out. The bot reserves the item for up to 20 minutes, during which time genuine customers perceive there to be no availability left, and the perpetrator attempts to sell the item on for a profit. Once the website has cleared the basket of the held reservation, a new bot will pick up that availability and repeat the process until the inventory is successfully sold

    The objectives of a denial of inventory attack include:

    • Generating high and fast profit off the back of a fairly low-risk opportunity
    • Defeating the competition by sending customers to a rival website
    • Disrupting availability by making an application unusable as part of an application-layer denial of service attack

    Account takeover

    Credential stuffingcredential cracking and phishing techniques are used as the first step in attacks which result in account takeover across the travel industry. Travel website accounts hold valuable assets such as membership points, frequent flyer miles, loyalty programs or cards that can be sold on for a profit. Plus, saved payment details and personally identifiable information (PII) have value across the dark web.

    Of travel businesses surveyed by Netacea, 86% said credential stuffing, which is the first step of account takeover attacks, had cost them financially in 2022. After a threat actor uses username and password combinations to gain access, a secondary attack then makes a fraudulent booking on the account.

    The impact of losing saved payment details and PII to threat actors is both financially and reputationally damaging. While the organization may not be directly at fault, the cybersecurity breach means it is left to pay the ICO (or equivalent) fine, reimburse any affected customers, and face the PR repercussions of publicly losing customer data.

    Keeping your travel organization protected

    As attacks on the travel industry evolve, it’s a crucial time for businesses in the travel and tourism sector to invest in their cybersecurity and put a dedicated bot management solution in place to deal with the most sophisticated threats.

    Netacea’s revolutionary bot management technology is helping organizations across the travel and hospitality industry to detect and protect against malicious bot threats. Our consultative approach, paired with our server-side, machine learning technology, allows us to seamlessly integrate with your business and deliver accurate, intelligent and effective bot mitigation.

    Block Bots Effortlessly with Netacea

    Book a demo and see how Netacea autonomously prevents sophisticated automated attacks.
    Book

    Related Blogs

    Blog
    Alex McConnell
    |
    18/12/24

    Scalper Bot Targets Christmas 2024: Criminal Groups Cash in on Low-Value Items

    Learn about the changing landscape of scalping. From hobbyists to professional criminal groups, uncover the dangerous evolution of scalping in the digital age.
    Blog
    Alex McConnell
    |
    13/12/24

    How Bots Exploit Seasonal Bot Traffic to Bypass Defenses

    Uncover the strategies used by bot operators to outsmart defenses, and how anti-bot tools are combating seasonal bot traffic.
    genesis market banner image
    Blog
    Alex McConnell
    |
    03/12/24

    Protecting Your Business from Web Scraping as a Service

    Protect your business from Web Scraping as a Service threats. Learn how advanced scrapers challenge websites and how intent-based detection can help safeguard your online assets.

    Block Bots Effortlessly with Netacea

    Demo Netacea and see how our bot protection software autonomously prevents the most sophisticated and dynamic automated attacks across websites, apps and APIs.
    • Agentless, self managing spots up to 33x more threats
    • Automated, trusted defensive AI. Real-time detection and response
    • Invisible to attackers. Operates at the edge, deters persistent threats

    Book a Demo

    Address(Required)
    Privacy Policy(Required)