- The bots now dominate the threat panorama for travel platforms during maximum reserve periods
- The false demand created by the bots leads to inflated prices and less options for real users
- SMS pumping attacks are draining funds and delaying key notifications for travelers
As summer trips reach their peak, a new concern that has little to do with the increase in fuel costs or prices driven by demand is emerging.
Now it is blamed at an increasing volume of automated traffic for increasing flight prices, interrupting reserves and damaging experience for travelers, experts have warned.
The 2025 BAD Bot report states that the travel sector represented 27% of all activities related to Bot worldwide last year, which makes it the most specific industry.
The travel sector emerges as the main objective for automated bot attacks
The report describes several ways in which the bots are interfering with online travel platforms.
A key issue is “turn the seat”, where the bots initiate the reserve process but do not complete the payment, by grabbing the inventory temporarily, reduce availability and can create a false perception of scarcity, which can influence price algorithms.
In some cases, the bots resell the tickets that ensure through “ticket scallar”, pushing genuine customers to inflated prices or flights not available.
These attacks also exploit messaging systems through what is known as “SMS pumping”, which implies unleashing high volumes of text messages to premium rate numbers, increase costs for companies and delay important customer notifications.
“The bad bots not only cause chaos online, they are kidnapping vacation,” said Tim Ayling, a cybersecurity specialist in Thales.
“At this time, travel websites are being overwhelmed by the bots that seek to be real customers, collecting tickets, scraping prices and slowing everything.”
As more transactions change to mobile devices, the problem has become more visible, particularly for last minute travelers that depend on real -time updates.
The bots themselves are becoming easier to implement, and there is an increase in simpler and more accessible bots, often driven by AI -based tools.
These are not the domain of sophisticated computer pirates. Little qualified actors can now use basic scripts or free proxy configurations to avoid traditional security.
Even the use of VPN and proxy services, typically associated with privacy, is sometimes manipulated to mask malicious traffic, giving the bots the appearance of legitimate users who access from different regions.
Another emerging problem is API orientation, that energy search results, price engines and loyalty programs.
Almost half of all advanced Bot attacks now focus on these areas, and can interfere with the backend functions, slow down the entire websites or even make them crash.
Attackers also use advanced techniques to imitate genuine human behavior, which makes it difficult for traditional defenses to detect and block harmful traffic.
Methods such as captcha, once effective, are no longer reliable, often frustrating real users more than bots.
“Traditional defenses simply do not cut it. Travel companies need a smarter approach and in layers, blocking credential filling attacks and ensuring vulnerable areas such as session latest and payments through continuous tests and threat monitoring.”
In a digital environment where automation now exceeds human web traffic, the challenge facing airlines and travel sites has less to do with visibility and more about precision.
