SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Travel industry faces rising threat from malicious bots

Yesterday

The 2024 Bad Bot Report has highlighted a substantial rise in malicious bot activity targeting the travel and airline sectors. Bots now constitute 44.5% of internet traffic in this industry.

The report indicates that only 51.1% of internet traffic in the travel and airline sector is generated by humans, while malicious bots account for the rest. This is an increase from 37% the previous year. Of the malicious bots identified, 66.1% are deemed evasive, employing sophisticated methods to replicate human actions online.

Bad bots have several negative impacts on the sector. They engage in fare scraping, which involves collecting airline pricing and discount information without consent, affecting metrics such as look-to-book ratios and increasing API costs. This activity has previously led one airline to incur US$500,000 in monthly API fees.

Unauthorised scraping inflates look-to-book ratios for airlines, resulting in lost revenue from online travel agencies (OTAs) that avoid paying booking fees. This activity also causes airlines to lose valuable insights into genuine customer behaviour.

"Seat spinning" is another tactic bots use, where they simulate genuine customers to reserve flight seats without completing the payment, only to release them at the last minute or resell them at a premium. This is particularly problematic on the day of departure, leading to financial losses and reputational damage for airlines when seemingly full flights unexpectedly have available seats.

Loyalty programme account takeovers are a further concern noted in the report. Criminals employ brute-force attacks on login pages to access customer accounts, stealing loyalty points and transferring them to other accounts. This results in customer dissatisfaction, increased customer service costs, extensive forensic investigations, and challenges in customer retention.

Similarly, criminals use such tactics to steal customer credit card details used on travel websites, leading to financial losses and compromised customer trust.

The report further reveals that 17% of all login requests to travel websites and applications are attempts to take over accounts maliciously. Moreover, the travel sector is the second most targeted industry, accounting for 11.5% of all such attacks, as recorded and mitigated by Imperva.

Nanhi Singh, General Manager of Application Security at Imperva, stated, "The travel sector has bounced back after the disruptions caused by the pandemic, but now faces a growing threat in the form of malicious bots. The knock-on effect of malicious, automated traffic needs to be mitigated, as failing to do so not only impacts airlines but also poses significant risks to customer data. This shift is changing the way organisations approach building and protecting their websites and applications. Organisations in the travel industry must invest in bot management and API security tools to safeguard against these threats."

Identifying malicious bot activity can be challenging, but there are some warning signs consumers can watch for. Rapid or inconsistent price changes may signal bots scraping and manipulating pricing data, while slow website performance could indicate that a site is overwhelmed by bot traffic.

Frequent CAPTCHA requests may suggest a high level of bot traffic, and sudden flight or hotel availability changes could be due to bots reserving and then releasing bookings. Consumers are also advised to stay alert for unsolicited emails or messages offering deals that appear too good to be true, as these may be attempts to direct them to fraudulent sites.

The findings of Imperva's report contribute to a broader understanding of internet traffic, where bots now account for nearly half (49.6%) of all activity worldwide.
