As summer travel peaks, the travel industry is under siege from an unprecedented wave of cyberattacks, experiencing an average of 1,270 attacks per week in 2024, according to Check Point Research. Phishing, credential theft, and ransomware dominate the threat landscape, but cybercriminals are rapidly evolving their tactics, targeting both businesses and unsuspecting travelers with increasingly sophisticated schemes.

In an exclusive interview with Travel and Tour World, Tony Sabaj, Cyber Security Evangelist at Check Point, revealed that the travel industry faces over 1,270 cyberattacks weekly in 2024, driven by sophisticated phishing, ransomware, and AI-powered scams. Sabaj warns of new threats like fake booking confirmations and deceptive AI chatbots mimicking airlines and hotels to steal traveler data. He emphasizes that cloud misconfigurations and third-party vulnerabilities remain major risks, urging travel companies to adopt Zero Trust architectures and strong incident response plans. “Cybersecurity must be treated as a core element of customer safety,” Sabaj insists, highlighting the critical need for proactive defense strategies.

Among the most alarming new scams this season is a surge in fake booking confirmations and cancellation emails. Hackers impersonate trusted brands like Booking.com and Airbnb, sending convincing messages that trick travelers into clicking malicious links or entering login details on spoofed websites. One particularly novel tactic, dubbed “ClickFix,” involves fraudulent sites that mimic Booking.com’s property owner portals. After entering their usernames, victims encounter a fake ReCAPTCHA screen, which, once completed, prompts them to download malware under the guise of verifying they’re human.

Equally concerning is the rise of AI-powered chatbots and fake customer service portals. These bots convincingly imitate airline or hotel support agents, engaging travelers in realistic conversations designed to extract payment data, passport details, or login credentials. Fueled by personal information gleaned from past data breaches, these scams are growing harder to detect, blurring the lines between legitimate service and criminal deception.

Ransomware continues to wreak havoc on the sector, with airlines and hospitality groups frequently in hackers’ crosshairs. Attackers seek to encrypt operational data, demanding hefty ransoms to restore critical systems. Meanwhile, distributed denial-of-service (DDoS) attacks are becoming increasingly common, capable of crippling online check-ins, reservation systems, and customer service portals, disrupting travel plans on a massive scale.

Cloud misconfigurations remain a persistent threat, leaving vast stores of customer data vulnerable. Recent incidents at Hawaiian Airlines and Canada’s WestJet underscore the stakes, as both airlines faced cyberattacks targeting their IT systems. Though flight schedules were maintained, these breaches highlight the fragility of travel infrastructures reliant on interconnected digital services.

Airlines and booking platforms are particularly attractive targets because they handle high volumes of personal and financial data. The complex, interconnected nature of travel IT systems, combined with extensive third-party vendor relationships, amplifies their risk. Hotels, too, are exposed due to outdated systems and inconsistent cybersecurity protocols across properties.

For travelers, vigilance is key. Experts advise booking through trusted sites, enabling multi-factor authentication, avoiding public Wi-Fi without a VPN, and steering clear of unfamiliar QR codes. Meanwhile, travel companies must treat cybersecurity as core to customer safety, strengthening email defenses, adopting Zero Trust frameworks, and rigorously monitoring cloud environments for misconfigurations.

As cyber threats grow more cunning, the travel industry faces an urgent mandate: safeguard travelers’ trust—or risk becoming the next cautionary tale.

Check Point reports the travel industry experienced 1,270 cyberattacks per week in 2024. What types of cyberattacks are most commonly targeting travel businesses right now?

The most common cyberattacks targeting the travel industry right now are phishing, credential theft, and ransomware attacks. According to Check Point Research, there’s been a surge in holiday-themed phishing campaigns impersonating major airlines, hotel chains, and booking services to trick travelers into sharing sensitive data. These attacks are often used to harvest login credentials or plant malware. 

Ransomware operators also continue to target airlines and hospitality groups, aiming to encrypt operational data and demand payment. Distributed denial of service (DDoS) attacks have also become more common, potentially disrupting services like online check-ins or reservation systems.

Can you describe any new or evolving cyber scams specifically targeting travelers this summer that people might not find in standard travel advisories?

Check Point Research has been tracking a noticeable uptick in fake booking confirmations and cancellation emails that appear to be from legitimate travel sites or airlines like Booking.com and Airbnb. These phishing emails often contain malicious links that redirect users to spoofed login pages or to download malware. An even more novel attack being utilized by hackers now is the ClickFix fake ReCaptcha method – in this instance, the hacker creates a fraudulent site, mimicking the booking.com login page from the property owner side. After the user enters their username, a pop-up window appears with a fake ReCAPTCHA asking the user to “verify” they are human. Once the user confirms they aren’t a robot, they’re prompted to download malware, unknowingly.

Another evolving tactic is the use of AI-generated chatbots or customer service portals that resemble hotel or airline support, luring victims into revealing payment details or passport info. These scams are harder to detect because they mimic real customer service interactions and are tailored with personal details combed from earlier data breaches.

We’ve heard about DDoS attacks grounding flights and cloud misconfigurations leaking customer data. Are there recent examples that highlight the scale or impact of these attacks?

Cloud misconfigurations and third-party software vulnerabilities remain key weaknesses in the travel industry. As we’ve seen in recent months, airlines and travel apps have been compromised due to unsecured APIs and exposed cloud storage buckets, leading to the leak of personal traveler data like passport scans, itineraries, and payment information. Just last month, Hawaiian Airlines and Canada’s WestJet suffered recent cyberattacks, which affected its IT systems but luckily were able to operate a full flight schedule and not impact guest travel. 

Which parts of the travel ecosystem—airlines, hotels, booking platforms, transportation services—are most vulnerable to cyber threats right now, and why?

Booking platforms and airlines are among the most targeted sectors because they process massive volumes of sensitive personal and financial data, often across a variety of international systems. The complexity of their IT environments, reliance on third-party vendors, and the push toward digital convenience, i.e., mobile check-in and QR code boarding passes, increase their attack surface. Hotels are also vulnerable due to legacy systems and inconsistent cybersecurity policies across franchise locations. Transportation services, while less frequently targeted, may be exposed through IoT vulnerabilities in smart systems and public Wi-Fi networks.

How are cybercriminals exploiting travelers’ personal information collected during the booking process, and what makes this data particularly valuable?

During the booking process, travelers often share full names, birth dates, passport numbers, travel itineraries, and payment information—a treasure trove for cybercriminals. This data is used not only for identity theft and financial fraud but also to craft highly personalized phishing attacks. For example, a scammer could reference an actual flight or hotel reservation to build trust. Stolen travel data is frequently sold on the dark web and can be used to open fraudulent accounts, apply for visas, or even manipulate loyalty programs and travel credits.

What immediate steps should travelers take before and during their trips to better protect themselves from cyber risks?

Before the trip, travelers should:

1. Book through trusted websites and double-check URLs to avoid fake travel sites.
2. Enable multi-factor authentication (2FA) on all travel-related accounts
3. Avoid public Wi-Fi unless connected through a VPN.
4. Update apps and software before departure to patch vulnerabilities.
5. During their trip, travelers should:
   1. Be cautious with QR codes in unfamiliar places (e.g., fake codes at restaurants or airports).
   2. Use credit cards over debit cards for better fraud protection.
   3. Avoid accessing sensitive accounts (like banking) from public devices or hotel computers.
   4. Turn off Bluetooth and auto-connect features when not in use.

From an industry perspective, what are the top cybersecurity measures travel companies should prioritize right now to avoid becoming the next cautionary tale?

Travel companies should prioritize:

1. Email security and phishing prevention through advanced filtering and employee training.
2. Zero Trust architectures to ensure only verified users and devices access sensitive systems.
3. Cloud security posture management (CSPM) to monitor for misconfigurations in cloud services.
4. Regular vulnerability scanning and patching, especially for third-party tools.
5. Incident response planning, including simulations of DDoS, ransomware, or data breach scenarios.

Given the growing sophistication of travel scams, cybersecurity should now be treated as a core part of customer safety, not just IT infrastructure.

« Back to Page