Andersen Cheng sees cyber threats everywhere.
Whenever he books his travel, he always types in a website address manually, doesn’t click on Google links and never saves his card’s details.
As the CEO of cybersecurity company Post-Quantum it’s in Cheng’s nature to be careful, but even for the general public these sorts of precautions are increasingly being prescribed as the travel industry faces a growing number of attacks.
And many experts, including Cheng, warn that rapid advancements in technology and distribution not only embolden hackers, but they are leading to more sophisticated attacks that pose an “existential threat” in the near future.
For many online travel agencies (OTAs) and hotel groups, scams are widespread. Consumers are highly exposed to phishing scams, for example, where they receive an email that appears to be from a well-known source. Some 71% of guests are concerned about the risk of fraud when booking, according to Adyen’s Hospitality Report 2024.
Airbnb says credit card, phishing and holiday scams are the most common types of fraud in the United Kingdom. Those affected lose an average of £1,937 to the fraudsters, its research revealed, which has led in part to a campaign Airbnb launched in February with Get Safe Online to address the issue.
Airbnb also warns more fraudsters are exploiting artificial intelligence (AI), with nearly two-thirds of U.K. adults it surveyed failing to identify AI-generated images of properties as fake.
Beyond the AI threat
AI has certainly entered the cybersecurity battlefield. And Booking.com last year reported a 500% to 900% increase in phishing attacks due to the prevalence of AI tools. But the travel industry has other problems.
“Most vulnerabilities affecting the travel industry are still considered ‘low-hanging fruit,’ meaning they’re relatively easy for attackers to identify and exploit,” said Josh Jacobson, director of professional services at cybersecurity firm HackerOne.
“Automated tools have become widely accessible, significantly lowering the barrier to entry for attackers and supercharging them to exploit common vulnerabilities like Cross-Site Scripting (XSS) and open redirect flaws. As a result, the frequency of these types of attacks continues to rise.”
So-called XSS attacks involve malicious script being injected into pages served by an otherwise trusted website, so it runs in visitors' browsers with that site's privileges. Open redirect flaws occur when a website or application redirects users to a destination taken from a request parameter without checking it, letting an attacker craft a link on the trusted domain that lands victims on a site of the attacker's choosing.
The Identity Theft Resource Center similarly reports a “big surge” in software flaws as the root causes of most data breaches. “These attacks are often aimed at getting legitimate login credentials to commit other identity crimes or cyberattacks, allowing attackers to steal data without triggering security protections,” said its president, James Lee.
There is little brands can do to prevent consumers falling prey, apart from educating them.
As one of the biggest OTAs, Booking.com's customers can be targeted with emails or messages requesting payments from hotels whose accounts have been taken over by fraudsters. Fake listings are another issue. "If its hotels and hosts have been hacked, it can be very difficult to know if the message you receive is genuinely from the hotel or a scammer," wrote U.K. consumer champion Which? in an article about the common scam practice of fake listings in March this year.
In January this year, Action Fraud (the U.K.’s national reporting center for fraud and cyber crime) issued an alert warning people to look out for unusual messages or phishing emails from hotel accounts using the Booking.com platform. Between June 2023 and September 2024, it said it received 532 reports from individuals, with a total of £370,000 lost.
“Cybersecurity is a major concern across all digital sectors, and travel is no exception. At Booking.com, we’re deeply aware of this reality and invest continuously in advanced technologies like AI and machine learning to detect and block threats before they can have an impact,” a spokesperson for Booking.com told PhocusWire.
“Thanks to the robust measures and systems we have in place and our continuous efforts to enhance them, considering our global scope and the number of transactions we facilitate via our platform, actual incidents are rare. We are in regular contact with both partners and travelers to educate them and share practical tips to help them stay safe and secure online.”
Third-party warning
Another looming threat for travel is the fact there are more channels for consumers to book vacations, as brands experiment with new ways to expand their reach.
“The travel industry is so fragmented, not just in terms of the number of suppliers but also in the actual process flow,” Cheng said.
Travel sellers are always looking for new ways to sell, including social media, which compounds the problem. The Identity Theft Resource Center’s Lee believes third-party vendors are often targets in supply chain attacks because they have access to the data of larger organizations but often lack the same robust cybersecurity protections as larger entities.
Meanwhile, “too many platforms touch customer data, and every new integration increases the attack surface,” according to Mike Putman, founder and CEO of Custom Travel Solutions, a SaaS platform for closed-user groups such as membership or loyalty programs. This was the case for Caesars Entertainment in 2023, when it suffered a “social-engineering attack” on an outsourced IT support vendor, leading to a $15 million ransom payment.
HackerOne's recent security report showed that "open redirect vulnerabilities" increased by 92% on its previous year's report, as travel firms rely heavily on marketing, often embedding referral and affiliate links.
“Integrations with third-party services like booking systems, payment gateway and ads can also increase the risk of open redirect vulnerabilities if user inputs, such as URLs, are not properly validated,” said HackerOne’s Jacobson.
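The open redirect flaw described above, and the URL validation Jacobson refers to, as an added example in Python that is not code from HackerOne, Booking.com or any company named in this article. The host names and the allowlist are made up for illustration; the point is that a redirect parameter must be checked against an exact host allowlist after normalisation, because the classic bypasses (protocol-relative `//host`, backslash `/\host`, userinfo `trusted@evil`, look-alike suffixes `trusted.evil`, URL-encoded slashes and `javascript:` schemes) all slip past a naive "starts with /" or "contains our domain" check.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist for this example: the only hosts the site will send users to.
ALLOWED_HOSTS = {"www.example-travel.com", "checkout.example-travel.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site relative path or an absolute
    http(s) URL whose host is exactly on the allowlist. Everything else, including
    anything ambiguous, is rejected."""
    if not isinstance(target, str) or not target:
        return False
    # Decode once so encoded slashes cannot hide a host (e.g. %2F%2Fevil.example).
    target = unquote(target).strip()
    # Control characters and embedded whitespace are used to confuse URL parsers.
    if any(ord(c) < 0x20 or c == " " for c in target):
        return False
    # Browsers treat backslashes as forward slashes in http(s) URLs; normalise
    # before parsing so "/\evil.example" is seen for what it is.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with a single "/". A leading "//" is a
        # protocol-relative URL and would leave the site.
        return normalised.startswith("/") and not normalised.startswith("//")

    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, vbscript:, or a scheme-less "//host"

    # .hostname drops userinfo and port and lowercases, so
    # "https://www.example-travel.com@evil.example/" yields "evil.example".
    host = parts.hostname
    if host is None:
        return False
    # Exact match only: "www.example-travel.com.evil.example" must not pass.
    return host in allowed_hosts


def resolve_redirect(requested: str, fallback: str = "/") -> str:
    """What a login or affiliate handler should do: use the requested
    destination only if it passes the check, otherwise fall back to a
    fixed same-site path instead of echoing attacker input."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: the kind of values that arrive in a
    # "?next=" or "?redirect_url=" parameter on a booking or login page.
    samples = [
        "/account/bookings?id=42",
        "https://www.example-travel.com/confirm",
        "//evil.example/phish",
        "/\\evil.example",
        "https://www.example-travel.com@evil.example/",
        "https://www.example-travel.com.evil.example/",
        "javascript:alert(1)",
        "%2F%2Fevil.example",
    ]
    for s in samples:
        print(f"{s!r:55} -> {resolve_redirect(s)}")
```

The `resolve_redirect` fallback matters as much as the check: rejecting a bad value and then redirecting to a fixed path gives an attacker nothing to work with, whereas returning an error page that reflects the rejected URL reopens the XSS problem discussed earlier in the article.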
Harvest now, decrypt later
While travel companies rightly use security measures like multifactor authentication and Payment Card Industry Data Security Standard (PCI DSS) compliant solutions, those defenses may become obsolete as AI and quantum computing mature.
Cheng's company Post-Quantum is a cybersecurity firm focused on quantum-safe security and identity solutions, and he cautions against the travel industry's reliance on biometric identification.
“With the advancement in AI and quantum computing, it really is a big problem,” he said. “I can guarantee a lot of the banking apps or credit card apps [that] say use voice or face and you are in—that’s going to crack to be honest, because now AI can fake all these.”
Further ahead—admittedly several years or even decades—Cheng warns of a global threat called “Harvest now, decrypt later” where hackers steal large amounts of encrypted data, then sit on it waiting for more powerful computers in the future to unlock it.
It's serious enough that in 2022, the United States passed a bipartisan law called the Quantum Computing Cybersecurity Preparedness Act. The National Institute of Standards and Technology in 2024, meanwhile, selected Post-Quantum to look at how the world can replace hardware, software and services that use public-key algorithms, so data is protected from future quantum attacks, described as the world's greatest existential cybersecurity threat.
Cheng recommends the use of “attestation” over “authentication” for the travel industry. With authentication, a guest at a hotel may hand over their passport to be scanned, which could potentially be misused.
With attestation, if the ID is secured centrally, checking in may require simply handing over another piece of information. “As a trained computer auditor, the Holy Grail is an incomplete record,” Cheng said. “If a picture is incomplete, logically, mathematically, you can never complete the entire puzzle.”
With sensitive information held by other parties, he argues “bad guys can never link them all up.” This “decentralized identity” trend is already picking up pace in Europe, for example, while in the U.S. the Real ID law came into play this month after 20 years of development.
Booking.com, meanwhile, advises customers to follow practical steps to stay safe, including keeping personal information private. “No legitimate transaction will ever require a customer to share sensitive information like credit card details via email, chat, messages, texts or phone,” the OTA said.
Costly mistakes
For businesses that succumb to fraud, there are severe consequences. U.K. retailer Marks & Spencer, for example, reportedly saw £1 billion wiped off its value in the wake of a ransomware attack in April, while U.K. construction firm Arup lost $25 million in a deepfake scam last year.
For travel, reputational damage causes concern too.
“The cost-benefit of cybersecurity always favors the bad guys,” said HackerOne’s Jacobson. “They spend a fraction of what defenders do because they are not bound by norms and laws. But, there is so much more to determining the value of cybersecurity solutions than the price tag. Preventing or mitigating the emotional and physical tolls of cybercrimes, along with the financial impacts, is worth the cost.”
People power
Yet a powerful, and possibly underestimated, protection against fraud is people.
“What hotels often don’t realize is that one of their biggest vulnerabilities is their employees falling for phishing scams,” said hospitality technology provider Cloudbeds, which recently published its own report into common scams.
For example, it says an employee will want to log into their property management or other cloud-based software system, but instead of going to the software's URL directly, they Google their software provider and are served spoofed search results or ads that mimic the software provider's login page but are in fact phishing sites. Once the employee enters their login information, the hackers are then able to access the hotel's entire account.
Therefore, one of the most important things hotels can do is educate their employees and require them to take phishing and cybersecurity training.
“People are the cornerstone of cybersecurity, meaning you simply can’t rely solely on the latest and greatest technology. Even the most secure systems are vulnerable without informed and well-trained staff,” said Eric White, chief technology officer of property management system Eviivo.
Phocuswright Europe 2025
Join us in Barcelona from June 10 to 12 where Marnie Wilking, chief security officer of Booking.com, will discuss how it keeps travelers and partners safe and the role of AI in staying ahead of attacks.