Are Bots Threatening the Travel Industry?

In 2019, the travel and tourism industries contributed £106 billion to the British economy, supporting 2.6 million jobs. The Covid-19 pandemic was estimated to have cost the international tourism market upwards of $1 trillion as governments across the globe issued strict Covid travel restrictions and the travel market ground to a halt. Flights were canceled, and even domestic travel was limited, meaning international tourism arrivals dropped by 87% between January 2020 and 2021.

Now that restrictions have lifted, the travel industry has started to bounce back, recovering 63% of pre-pandemic levels in 2022. However, with an increase in bookings comes an increase in bot activity.

The travel bot problem

The same bot threats as previous years are hitting the tourism industry hard:

• Price and availability scraping
• Denial of inventory attacks
• Account takeovers

While the attacks may be similar to those witnessed before, what has changed is the volume, speed, and sophistication of such threats.

Price and availability scraping

In travel, web scraper bots are mainly used to collect fare and availability information. Threat actors advertise the scraped information at lower price points on secondary sites, motivated by the financial rewards of charging commissions, stealing personal data, or generating advertising revenue.

88% of travel businesses surveyed by Netacea said that price scraping bots had a negative financial impact on their business in 2022. If uncontrolled, scraping can impact top-line revenue, bottom line profits and customer experience, including:

• Loss of competitive price advantage and potential auxiliary sales such as car rental and insurance
• Skewed look-to-book ratios (used by the travel industry to measure the number of people visiting a website compared to those who make a purchase)
• Inaccurate number of website viewers interested in a certain product or booking, leading to reduced conversions and misleading website analytics
• Gathering data used in more sophisticated attacks such as spinner or denial of inventory bots

Denial of inventory

Denial of inventory across travel websites involves making fake reservations for hotel rooms, restaurants, holidays and flights, and holding these bookings until the ticket, room or booking becomes sold out. The bot reserves the item for up to 20 minutes, during which time genuine customers perceive there to be no availability left, and the perpetrator attempts to sell the item on for a profit. Once the website has cleared the basket of the held reservation, a new bot will pick up that availability and repeat the process until the inventory is successfully sold

The objectives of a denial of inventory attack include:

• Generating high and fast profit off the back of a fairly low-risk opportunity
• Defeating the competition by sending customers to a rival website
• Disrupting availability by making an application unusable as part of an application-layer denial of service attack

Account takeover

Credential stuffing, credential cracking and phishing techniques are used as the first step in attacks which result in account takeover across the travel industry. Travel website accounts hold valuable assets such as membership points, frequent flyer miles, loyalty programs or cards that can be sold on for a profit. Plus, saved payment details and personally identifiable information (PII) have value across the dark web.

Of travel businesses surveyed by Netacea, 86% said credential stuffing, which is the first step of account takeover attacks, had cost them financially in 2022. After a threat actor uses username and password combinations to gain access, a secondary attack then makes a fraudulent booking on the account.

The impact of losing saved payment details and PII to threat actors is both financially and reputationally damaging. While the organization may not be directly at fault, the cybersecurity breach means it is left to pay the ICO (or equivalent) fine, reimburse any affected customers, and face the PR repercussions of publicly losing customer data.

Keeping your travel organization protected

As attacks on the travel industry evolve, it’s a crucial time for businesses in the travel and tourism sector to invest in their cybersecurity and put a dedicated bot management solution in place to deal with the most sophisticated threats.

Netacea’s revolutionary bot management technology is helping organizations across the travel and hospitality industry to detect and protect against malicious bot threats. Our consultative approach, paired with our server-side, machine learning technology, allows us to seamlessly integrate with your business and deliver accurate, intelligent and effective bot mitigation.