How do adversaries defraud travel and hospitality providers?

Attackers will target the features on your travel and hospitality website that provide the biggest payday. It’s easy and inexpensive for them to launch attacks at scale, but the cost to companies can easily reach millions of dollars. Here’s how they do it — and how they fool traditional bot management tools.

The typical customer’s site experience features four stages, all of which are vulnerable: login, browsing, add-to-cart, and checkout.

  • At login, attackers use techniques like credential stuffing to hijack accounts with payment information and steal loyalty points and certificates. They also create fake accounts to abuse promotions such as one-time discounts.
  • Adversaries and competitors build bots to scan your site, using scraping techniques to gather intel on your products, pricing, and inventory. They use this intel to create competitive pricing, set up fraudulent websites to “book”, exploit pricing errors, and more.
  • From there, attackers use bots to reserve bookings, locking down stock to keep real customers from getting it — known as denial of inventory. Many of these reservations are eventually canceled, making it difficult for you to maximize occupancy rates.
  • At checkout, the threats continue. Carding, cracking, and checkout bots perform all sorts of nefarious tasks: testing and using stolen credit/gift card data, guessing missing values for payment data, or inputting promotion codes.


Automated bot attacks rose 239% in Travel & Hospitality over the past year (Source: 2023 LexisNexis).

Where will you see the effects of automated threats in the travel and hospitality industry?

You’ll notice signs starting with complaints from your customers, issues related to your IT infrastructure, and impacts on your bottom line. More specifically:

  • Customers will make reports of stolen accounts, fraudulent activity, and poor site performance — they’ll be less likely to use your site again to book a trip or stay.
  • Strained servers will cause your infrastructure costs to soar as well as costs associated with account verification during the sign-up or log-in process.
  • Bots will skew website and performance metrics and leach money from you in the form of payment and rewards fraud.

The biggest damage? A tarnished brand reputation.

How does Kasada defeat these travel and hospitality threats?

The typical bot management solutions need to allow threats to infiltrate your site before they determine if, indeed, they’re a threat. By then, it’s too late — the damage is done.

Kasada, meanwhile, assumes all requests are guilty until proven innocent, and uses telemetry data, threat intelligence, and behavioral data to accurately detect malicious automation before it enters your site. Plus, Kasada remains effective over time with dynamic detection and strong obfuscation that protect against retooling attempts. The results speak for themselves:

  • Kasada helped Hyatt Hotels, a multinational hospitality company, lock out malicious automation and improve the quality of their data and marketing metrics. As a result, authentic end users saw reduced friction and latency which further preserved a seamless journey for guests and customers.

"The ROI from Kasada was evident and nearly immediate at both the human and machine levels. Here’s an easy way to look at ROI: an attacker gaining access to a single guest account would be unacceptable to us. The first time Kasada prevented an account takeover event, we saw value. We have a robust combination of human expertise, policies, systems, and solutions in place to protect our digital platforms—and we find Kasada to be one of our most valuable controls within our ecosystem.”

Benjamin Vaughn
Vice President and Chief Information Security Officer, Hyatt Hotels

Want to learn more?

Save time, money, and resources — see how we handle the bots.