Bot Abuse Analysis and other Fraud Benchmarks - Travel & Hospitality Industry

Q1 2024

The travel and hospitality sector is facing a variety of cyber challenges, especially during peak seasons. To improve the experience for authentic travelers, online businesses may ease security protocols, believing that the substantial volume of real transactions will surpass any fraudulent ones. Malicious entities can manipulate this leniency by creating deceptive bookings or exploiting stolen payment information, resulting in financial setbacks for service providers and their consumers. Fraud should no longer be considered an acceptable cost of doing business.

This industry brief utilizes data from our comprehensive bot abuse analysis, focusing on the top attack vectors in travel and hospitality during Q1, Q2, and Q3 2023. It seeks to provide data-driven insights into attacks on the travel and hospitality sector, offering effective detection and prevention strategies. Insights are drawn from the Arkose Labs Global Intelligence Network, which includes major corporations and category leaders. These entities, prime targets for cyber threats, provide a unique perspective for monitoring and analyzing cyber activities.

Attack type by industry in H1 2023:

Attack type by industry in H1 2023

We analyzed billions of sessions worldwide across industries, between January 2023 and September 2023, and assessed three primary attack vectors fraudsters use to launch various cyberattacks. In sum, these methods generated billions of attacks in the first half of 2023 and into Q3, comprising 73% of website and app traffic measured. That means almost ¾ of web traffic to digital properties is malicious.

Percentage of legitimate traffic vs. bots and malicious traffic

In the travel sector, criminals dedicate substantial time and resources to activities such as credential stuffing, phishing attacks, and other fraudulent endeavors. But when faced with robust site protection, bad actors can no longer achieve the economic gains they seek and ultimately move on. This principle underlies the core philosophy of Arkose Labs—making attacks too costly for adversaries to persist.

The Bad Side of Bots

Basic Bots, Intelligent Bots, and Human Fraud Farms

Malicious bots play a key role in the strategy of attackers, executing precise and impactful attacks tailored for the travel and hospitality sector. Notably, a staggering 76% of web traffic in the travel and hospitality sector is attributed to bad bots.

The percentage of traffic by industry that comes from bad bots:

The percentage of traffic by industry that comes from bad bots

Between Q1 2023 and Q2 2023, intelligent bot traffic experienced a nearly fourfold increase. This growth surpassed basic bots and played a pivotal role in the overall surge of approximately 167% in bot attacks during the same period.

The Intelligent Bot Uprising

While the prevalence of automated threats is a significant concern, there has also been a marked 26% uptick in human-based attacks during Q3. When malicious bots fail to make it past security defenses, threat actors turn to human fraud farms to complete their mission.

Fraud farm attacks

Beating these adversaries demands technology that dynamically targets human solvers and applies adaptive, time-consuming challenges. With this capability in place, travel and hospitality businesses can defeat the economics behind attacks that exploit human labor at scale.

Intelligent Bot Attacks Top 5 countries of apparent origination

Fraud Farm Attacks Top 5 countries of apparent origination

Two Cyber Threats Driving Bot Attacks in Travel

Two technology trends, influenced by powerful economic forces, are driving the surge in bot and human fraud farm attacks:

1. Generative AI (GenAI):

GenAI technology poses a multifaceted threat to the travel and hospitality sector, enabling attacks through various means. GenAI helps bad actors craft convincing phishing emails, targeting customers with deceptive communications from travel businesses. These emails, meticulously personalized using publicly available information, convincingly mimic the communication style and branding of the legitimate business. As unsuspecting consumers interact with these emails, they may inadvertently disclose sensitive information, including login credentials and personal details.

GenAI-generated phishing emails may offer exclusive travel deals, personalized vacation packages, or enticing loyalty program rewards. The deceptive nature of these communications makes it challenging for recipients to discern the fraudulent intent. Within these emails, there may be links leading to counterfeit login pages or malicious attachments aimed at compromising user systems.

Example of travel phishing email

2. Cybercrime-as-a-Service (CaaS):

Bad actors are advancing their skills by embracing the CaaS model, deploying bots and unleashing attacks that cause trillions of dollars in damages. This shift lowers the barrier to entry and grants access to cybercrime for a broader range of actors, making it easier to launch attacks with limited technical skills.

The CaaS model directly impacts travel and hospitality by establishing an online bazaar where cybercriminals can easily procure ready-made bots, tools and expertise, like “customer service” and “training” modules. These marketplaces enhance the efficiency and reach of cyber threats, posing an immediate risk to the security of online transactions, consumer data, and overall operations.

The affordability and popularity of these marketplaces are pressing security teams to bolster their efforts against these rising threats. The widespread impact, economic incentives for cybercriminals, increased sophistication of attacks, and the potential monetization of stolen data contribute to the need for enhanced vigilance. As these marketplaces attract a broader range of threat actors and pose challenges in terms of reputation management and regulatory compliance, security teams must stay ahead of evolving attacks.

CaaS quote by Arkose Labs CEO

Industry Benchmarks

In the first half of 2023, nearly every industry experienced an increase in the number of attacks. Here are the top 5 sectors under attack, by volume:

Industry Benchmarks

The Growing Scourge of Attacks

The Growing Scourge of Attacks

Arkose Labs Can Help

Arkose Labs safeguards businesses by disrupting the financial incentives driving bot attacks. Our long-term bot mitigation and account security solutions focus on protecting critical user touch-points: account login and registration. By identifying hidden attack signals and undermining attackers' return on investment, we enhance security without compromising user experience.

Benefits of working with Arkose Labs

Our unique platform, Arkose Bot Manager, analyzes user session data to assess context, behavior, and reputation, classifying traffic based on risk profiles. Suspicious traffic faces enforcement challenges, distinguishing between legitimate users and fraudsters to block automated activities and ensure a secure consumer experience.

The difference between Arkose Labs and our past solution is night and day for us. Previous defenses created a bad user experience, while Arkose Labs solves the problem and makes it fun for our users.

Antoni Choudhuri


Book a Meeting

Meet with a fraud and account security expert

Request a customized demo to learn more.