DataDome

How to Protect Travel Websites from Bot & AI Agent Threats

Table of contents
Last update: 1 Feb, 2026
|
min

Bot attacks and malicious AI agents pose persistent challenges for travel websites. As such attacks become more frequent and sophisticated, implementing effective protection has become more challenging than ever. Travel companies must recognize and mitigate the risks, as the downside can be very costly.

With AI agents now representing a growing share of online traffic, travel businesses need visibility and control over their online traffic to understand whether a visitor is a human, bot, or AI agent—and what their intent is.

In this article, we’ll take a look at how cybercriminals target travel websites by using malicious bots and AI agents to access sensitive customer data and scrape valuable information. We’ll break down the top threats to be aware of and share how to contain them without compromising the user experience. 

Key takeaways

  • Travel websites face a 48% bad bot traffic rate, with AI agents adding new attack vectors
  • Price scraping, credential stuffing, and inventory hoarding cost the industry $21 billion annually
  • Only 7.1% of travel sites are fully protected against simple bot attacks
  • Intent-based detection distinguishes legitimate users from malicious bots and AI agents in real time

How bad bots & AI agents affect the travel industry

Travel and hospitality sites lose a significant amount of revenue to fraud, with some reports putting travel fraud losses at $21 billion annually. Statista reports that 48% of all web traffic to travel sites comes from bad bots. 

While DataDome’s 2025 Global Bot Security Report showed that travel was one of the most protected industries online, the report still found that only 7.1% of travel websites are fully protected against simple bot attacks. This protection gap is especially concerning as AI-powered agents increasingly automate price monitoring, credential testing, and data extraction at scale.

Insufficient protection can lead to steep penalties for travel businesses. For example, in 2019, British Airways was fined £183M for data breaches by the UK’s data protection regulator, the Information Commissioner’s Office (ICO). Understanding how to stop bot attacks is critical for avoiding similar penalties and protecting revenue.

Common types of attacks against travel websites

Price scraping

Price wars are a fact of life in the travel industry, and some unscrupulous actors will send bots to scrape and check pricing on competitor sites. This way, they can ensure their own website always shows a lower price. 

Travel sites typically rely on dynamic pricing strategies to capture the most deals possible given a wide range of customer attributes. Scraping bots nullify these pricing strategies as they consistently undercut the price.

The volume of bot traffic we had was just amazing. Some people were scraping our data to bolster their own shopping databases, some bots came from competitors, and we even suspected that certain customers were scraping us for price comparison purposes. Either way, we didn’t want to give away our data for free, so we needed to stop this activity.
Celine Lavoie
VP Operations at Softvoyage

Scraping is not limited only to price data. Scraper bots can actually lift the entire contents of a website, only to reuse your data for their own purposes or sell it on the illegal market. AI agents can be particularly effective at evading basic protections, using adaptive behavior to appear more human-like.

Scalping & seat spinning

Scalping bots are sent out to buy up the entire supply of an offer to resell it later at a higher price—much like real-world ticket scalpers. Not only does this damage the travel company’s reputation, but it also prevents real customers from making purchases.

Inventory hoarding is another concern, as seat spinning bots hold or block airline reservations without paying for them, creating fake demand and inflating prices. This makes it difficult for legitimate customers to find availability and can significantly impact revenue.

And for travel aggregators that connect directly to airlines or railways to facilitate purchases, sending malicious traffic to partners also represents a credibility risk. 

After implementing DataDome, Rail Europe found that 30% of its incoming traffic was malicious. DataDome now stops this traffic at the edge, ensuring it has no impact on infrastructure or partner relationships.

Carriers expect clean traffic. If we were sending garbage volume, it would hurt our credibility. With DataDome, we can confidently say we’re keeping things clean.
Ilgün Ilgün
CTO of Rail Europe

Credential stuffing & cracking

Credential stuffing involves using giant databases of stolen credentials to attempt to log in to your travel website. The reason this works is that people often use the same email and password combination for more than one account. Credential cracking (also known as a brute force attack) is another large volume attempt that uses trial and error to “guess” the right credentials to gain account access.

In both cases, success depends on large volume and a cloaked origin of attack. Malicious bots accomplish this by launching attacks from a variety of IP addresses. Both credential stuffing and cracking are used to take over accounts and steal resources such as loyalty points or miles. Sensitive information, such as credit card numbers, can also be accessed through these types of bot threats.

BlaBlaCar, Europe’s leading carpooling platform, faced a surge of account takeover attempts during a sensitive acquisition period. With DataDome’s protection, they maintained service integrity and protected 40M+ member accounts without disruption.

Layer 7 DDoS

Layer 7 DDoS attacks flood a website with high levels of traffic with the intent to cause significant load time delays or a complete site crash. So instead of seeing the website, visitors might get a ‘The connection has timed out’ message. Typically, hackers use these kinds of attacks to disrupt competitor websites, which can result in huge revenue losses.

It was a continuous chicken and egg situation. Every time we did something, the bots would come back with a different strategy. We needed a solution that could learn from our traffic patterns and block proactively, rather than just using known criteria.
David Annez
Head of Engineering at Loveholidays

How travel companies fight bad bots & malicious agents

In many cases, travel brands first notice bot threats due to abnormal spikes in site traffic that do not match normal peak activity, or when peak traffic volumes significantly exceed forecasts. Some companies implement infrastructure-level protections or manual bot filtering in an attempt to curb illegitimate traffic.

Manual defenses work as long as the traffic levels are low. However, this is very resource-consuming. Major bot attacks may cause huge spikes in traffic that are impossible to manage manually.

Some security measures can block repeated failed login attempts that come from the same IP address. However, those primitive defenses fail to stop bot networks that make it look like visitors are coming from many different IP addresses and devices.

AI agents are also opening up new avenues of agentic fraud. AI agent spoofing is widespread, with DataDome’s Galileo Threat Research team reporting a 2.4% impersonation rate for PerplexityBot. Often, these AI agents are trusted by default, and fraudsters are exploiting that trust.

DataDome offers protection designed for this new reality—analyzing the intent behind every request to detect AI agent spoofing, bot attacks, and fraud without blocking legitimate traffic.

DataDome offers real-time bot protection for travel apps, websites, & APIs

Today’s hyper-sophisticated bot and AI agent threats require an agile and intelligent security response. DataDome delivers industry-leading protection through intent-based detection. Named a Leader in The Forrester Wave™: Bot and Agent Trust Management Software, Q2 2026, DataDome:

  1. Analyzes 5 trillion signals daily across hundreds of enterprises
  2. Detects intent in real time—whether bot, human, or AI agent—with 99.99% accuracy
  3. Blocks threats in under 2 milliseconds at the edge with <0.01% false positive rate
  4. Shares threat intelligence across 35+ global PoPs, automatically protecting all customers when new attacks emerge
We were really impressed by DataDome’s ability to accurately detect malicious activity. The algorithm immediately identified a lot of bot requests that were previously unknown or unidentified.
Paul Lin
Senior Cloud Architect at KKday

 With DataDome, travel companies regain visibility and control over all traffic—from traditional bots to agentic AI—protecting revenue while delivering seamless experiences for legitimate travelers. 

Interested in what DataDome can do for your travel website? Book a demo to learn more, or try our free Vulnerability Scan to test your site’s defenses today.

DataDome
dd product home overview

Still exploring?

Start with an on-demand demo.