How Hotels Are Preparing Against AI-Powered Bot Attacks

Today’s travel industry relies on a vast digital ecosystem. For consumers, the ease of online reservations lends convenience and a seamless experience in booking their business travel or vacation. But as ever, fraudsters are waiting in the wings, looking for opportunities to attack companies such as hotels and travel vendors. Bad actors might attempt an account takeover, seizing control of a user’s login to make unauthorised travel purchases or stealing unused loyalty points. Other times, fraudsters working on behalf of competitors use denial of inventory schemes to artificially inflate prices. Bots can be used to write fake negative reviews, causing untold reputational harm. And by deploying AI to orchestrate sophisticated phishing scams, cybercriminals might pose as a hotel or booking agent, duping customers into sharing personal data or credit card details. Arkose Labs data shows that the travel industry is a target. In Q1 2024, 94% of attacks on the airline industry were by bots, up from 79% in Q4 2023, indicating a surge in bot-driven fraud that hospitality businesses should also expect to see. This surge compromises not only sensitive customer data but also the very integrity of travel business operations and their relationships with customers. In this new era of AI-powered bot attacks, traditional security measures are insufficient. Today’s fraudsters are leveraging technology to deploy attacks at scale. But unlike the clumsy and easy-to-spot bot attacks of the past, today’s AI-powered attacks might resemble legitimate traffic much more closely, leaving businesses exposed to fraud until it's too late to stop it.  In a new market survey on AI maturity in cybersecurity, we asked companies about the measures they are taking to stay prepared against AI-powered bot attacks. Here are the top five takeaways from the hotel industry. 

1. Regular monitoring is key to staying prepared 

Survey respondents across all industries agree that when it comes to fraud, prevention is better than cure. Many hotel cybersecurity teams called out regular monitoring as the most important part of their defences against today’s AI-driven attacks.  ‘I am establishing baselines for normal user behaviour, which helps me immediately identify deviations caused by bots,’ one company told us. Thanks to next-generation visible challenges and machine learning algorithms, companies can identify abnormal data patterns that indicate bot activity and put a stop to attacks before they do harm. For example, large traffic spikes might indicate an attack, prompting teams to analyse endpoint activities. A strategic approach is needed. A comprehensive security risk assessment framework can help businesses to evaluate and improve their security, and companies reported combining regular monitoring with human intervention for the best results. 

2. Device fingerprinting and IP tracking means bots can’t avoid detection 

One hotel said that honeypots have helped the team to analyse behaviour and learn about the new ways that attackers are trying to infiltrate its platform. And once these attacks are identified, the next step is to block and stop them.  ‘We are stepping up our game with cutting edge behavioural analytics that sniffs out suspicious activity,’ another hotel business told us. Plus, it is bolstering staff training to spot patterns which seem to be bot-like, so every guest experience stays legit and secure. In the face of today’s more sophisticated attacks, hotels and airlines risk having their platforms flooded with fraudulent traffic, creating a negative experience for genuine users and eroding customer trust. But by applying anomaly detection and advanced behavioural analysis to find and stop bot activity, they can keep the bad actors out of their booking systems. Arkose Device ID gives hotels access to real-time, device-specific tracking, correlating anomalies that are telltale signs of the ‘low-and-slow’ attacks that can spell disaster for travel companies.

3. Combining rate restrictions with human validation is a winning method 

Thorough analysis and a robust defence strategy can help companies to analyse traffic and catch activity that appears to be illegitimate.  ‘We use IP blacklisting and rate limiting to be well prepared against AI powered bot attacks,’ one hotel company told us. Another said that it has used geographical restrictions to limit access to its site from known harmful sources.  Hotels also reported that next generation visible challenges have helped them to control bot activity, echoing the sentiment that the best way to control bots is to deny them access in the first place. This is the principle behind Arkose Matchkey, our AI-resistant visible and non-visible challenge innovation and alternative to conventional CAPTCHAs, that allows real humans to sail through while leaving bots struggling.

4. Multi-factor authentication (MFA) and phishing protection are important defences against AI-powered bot attacks 

Many hotels agree that MFA is an important piece of the cybersecurity puzzle: Some are already using it, and others are in the process of implementing it. When multiple kinds of verification are required to access user accounts, it's more difficult for bots to breach them and steal client data and loyalty points. Enhancing user authentication is one way to increase the barrier of entry for bots. And as some fraudsters deploy phishing attacks designed to steal authentication codes, Arkose Phishing Protection thwarts them, while also warning the hotel about the threat so that it can instruct customers to change passwords and avoid interacting with the illegitimate site. ‘2FA/MFA are important hurdles for fraudsters,’ says Chris Staab, co-founder and partner, Loyalty Security Association. ‘In addition to reverse-proxy phishing attacks to intercept MFA codes, social engineering techniques are also being employed to circumvent MFA. Having a good partner like Arkose Labs is key to staying ahead of this trend.’

5. Investment in AI is here to say 

Maintaining a safe platform in the age of AI means beating fraudsters at their own game. And it's clear from our engaged and motivated hotel industry that developing these strategies is a top priority.  ‘We are continuously investing in AI- powered detection tools to identify and block bot traffic before it can cause any harm,’ one hotel business told us. ‘To stay ahead of AI-powered bot attacks, we're investing in advanced machine learning models,’ said another.  Fighting off attacks using AI will require a multi-layered defence strategy and an agile approach. At Arkose Labs, we’re working closely with clients in all industries to provide the cutting-edge technology along with expert support that they need to succeed in the fight against AI cybercrime.  Want to learn more? Set up a confidential 1:1 meeting with me.