- Boots now dominate the landscape of threats for travel platforms during peak booking periods
- The false demand created by bots leads to inflated prices and fewer options for real users
- SMS pumping attacks exhaust funds and delay key notifications for travelers
While summer trips are reaching its peak, a new concern is emerging which has little to do with the increase in fuel costs or the prices focused on demand.
An increasing volume of automated traffic is now blamed for having increased the flight prices, disrupting reservations and damaging the experience of travelers, experts warned.
The BAD BOT report of Thales 2025 claims that the travel sector represented 27% of all the activities linked to Bot last year, which makes it the most targeted industry.
The travel sector appears to be the highest target for automated bot attacks
The report describes several ways whose robots interfere with online travel platforms.
A key problem is the “rotation of the seats”, where the bots launch the reservation process but do not finish payment – by temporarily hoaxing stocks, they reduce availability and can create a false perception of rarity, which can influence the pricing algorithms.
In some cases, the bots resells the tickets they secure thanks to a “scalping of tickets”, pushing real customers to inflated prices or unavailable flights.
These attacks also exploit messaging systems through what is called “Pumping SMS”, which consists in triggering high volumes of text messages with higher rate numbers, increasing costs for businesses and potentially delay significant customer notifications.
“Bad robots are only online chaos, they divert the holidays,” said Tim Ayling, cybersecurity specialist at Thales.
“Currently, travel websites are overwhelmed by robots pretending to be real customers, take tickets, scratch prices and slow down everything.”
While more and more transactions move to mobile, the problem has become more visible, especially for last -minute travelers who rely on real -time updates.
The robots themselves become easier to deploy, and there is an increase in simpler and more accessible robots, often motivated by AI-based tools.
These are not the domain of sophisticated pirates alone. Low -skilled players can now use basic scripts or free proxy configurations to get around traditional security.
Even the use of VPN and Proxy services, generally associated with privacy, is sometimes handled to hide malicious traffic, giving bots the appearance of legitimate users accessing different regions.
Another emerging problem is targeting APIs, including power search results, pricing engines and loyalty programs.
Almost half of all advanced bot attacks are now focused on these areas, and they can interfere with Backend functions, slow down whole websites or even crash.
The attackers also use advanced techniques to imitate authentic human behavior, which makes more difficult for traditional defenses to detect and block harmful traffic.
Methods such as Captcha, formerly effective, are no longer reliable, often more frustrating real users than robots.
“Traditional defenses simply do not cut it.
In a digital environment where automation now goes beyond human web traffic, the challenge facing airlines and travel sites concerns less visibility and more precision.
