Post-pandemic travel is gaining momentum, with spending topping levels not seen since 2019. However, there’s another upward trend that’s not so reassuring: a steady rise in malicious bot traffic as bad actors ramp up their targeting of the travel and hospitality sector. Over the first 10 months of 2022, bot traffic increased by 54 percent, including a rise in malicious bot activity.

The Good, the Bad and the Costly

It’s important to recognize that not all bot activity is malicious. In fact, we can sort bots into three broad categories:

  • Benign bots: These include search engine bots and those performing network monitoring functions, such as measuring performance or checking for vulnerabilities. These bots perform essential functions that support a positive online experience for visitors.
  • “Grey” bots: These bots can have an impact on revenue, and whether they are acceptable is open to interpretation: some organizations tolerate them, while others do not. They are commonly aggregators performing price and inventory scraping as they search out the best deals. As they do price checks, aggregators often generate high volumes of queries to paid reservation services, driving up costs for travel organizations.
  • Malicious bots: These are bots purpose-built to infect a system with malware to steal data or perform other fraudulent activities. In the travel and hospitality industry, bad actors often target the loyalty and reward points that have gone unused during the pandemic. This often involves brute force “credential stuffing” attacks aimed at taking over legitimate customers’ accounts and stealing their points.

Three-Prong Bot Strategy

Since bot operators have a diverse set of motivations, the challenge is how to reduce your risk of an attack without negatively impacting the guest experience. Achieving this calls for a three-prong strategy to apply the optimal response for the diverse set of bots visiting your site:

  1. Detection: The first step is detecting bots that may be malicious. Bad actors are sophisticated and constantly develop new tactics to circumvent defenses, so simply tracking known suspicious IP addresses isn’t enough. Countering the threat requires a comprehensive approach that looks at a range of factors, including biometric analysis: evaluating how the user interacts with the site when logging in can help determine whether it’s a human customer or a bot. It also involves looking at device attributes, using big data to analyze how devices appear across the internet globally to detect anomalies. A key focus of technology development in this area is creating a deeper, more nuanced understanding of user identity by analyzing a broader range of risk and trust factors.
  2. Categorization: It’s also critical to differentiate known from unknown bots. Distinguishing known aggregators or web crawlers from unknown sources — or from bots impersonating known sources — requires sophisticated analysis.
  3. Management: Once bots have been detected and characterized, it’s possible to create a menu of options for how they will be handled. Benign bots could proceed freely, while grey bots could be handled differently, perhaps by serving up “stale” information to aggregators to avoid metered calls to a reservation service. For bots categorized as malicious, it may be tempting to block them. However, this approach can backfire, prompting bad actors to switch up their tactics and become even harder to detect. A better strategy may be to make attacks more difficult or more costly. For example, serving up a deceptive response or one that requires more compute resources can raise the cost for the bad actor and encourage them to seek out a softer target.
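
The three steps above can be sketched as a single pass over request logs. This is an added example, not code from the article or any vendor; the event fields, the `FareAggregator` token, the thresholds and the action names are assumptions, and the reverse-DNS host is assumed to have been forward-confirmed upstream.

```python
from collections import defaultdict

# Constructed sample events, not real traffic:
# (device_id, user_agent, confirmed_rdns_host, path, username, login_ok)
EVENTS = [
    ("d1", "Mozilla/5.0 (compatible; Googlebot/2.1)", "crawl-1.googlebot.com", "/hotels", None, None),
    ("d2", "Mozilla/5.0 (compatible; Googlebot/2.1)", "host-7.example.net", "/hotels", None, None),
    ("d3", "FareAggregator/1.0", "agg.example.org", "/price", None, None),
    ("d3", "FareAggregator/1.0", "agg.example.org", "/price", None, None),
    ("d4", "Mozilla/5.0", "isp.example.com", "/login", "alice", False),
    ("d4", "Mozilla/5.0", "isp.example.com", "/login", "bob", False),
    ("d4", "Mozilla/5.0", "isp.example.com", "/login", "carol", False),
    ("d4", "Mozilla/5.0", "isp.example.com", "/login", "dave", True),
    ("d5", "Mozilla/5.0", "isp.example.com", "/login", "erin", False),
    ("d5", "Mozilla/5.0", "isp.example.com", "/login", "erin", True),
]

# User-agent token -> reverse-DNS suffixes a genuine crawler resolves to
CRAWLER_RDNS = {"Googlebot": (".googlebot.com", ".google.com")}
KNOWN_AGGREGATORS = {"FareAggregator"}  # hypothetical partner token
ACTIONS = {"benign": "allow", "grey": "serve_cached", "malicious": "add_cost", "unknown": "allow"}

def categorize(events, min_users=3, min_fail_ratio=0.7):
    """Group events by device, assign a category, and map it to a response."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e[0]].append(e)
    result = {}
    for dev, evs in by_device.items():
        ua, rdns = evs[0][1], evs[0][2]
        logins = [e for e in evs if e[3] == "/login"]
        users = {e[4] for e in logins}
        fails = sum(1 for e in logins if e[5] is False)
        claimed = next((t for t in CRAWLER_RDNS if t in ua), None)
        if claimed:
            # A claimed crawler whose reverse DNS does not match is an impersonator
            cat = "benign" if rdns.endswith(CRAWLER_RDNS[claimed]) else "malicious"
        elif len(users) >= min_users and fails / len(logins) >= min_fail_ratio:
            cat = "malicious"  # many accounts, mostly failures: credential stuffing
        elif any(t in ua for t in KNOWN_AGGREGATORS):
            cat = "grey"
        else:
            cat = "unknown"
        result[dev] = (cat, ACTIONS[cat])
    return result
```

Grouping by device rather than by IP address reflects the point in step 1: `d4` and `d5` share a network, but only `d4` shows the many-accounts, mostly-failed login pattern.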

Striking the Right Balance

At the core of this three-prong strategy is the need to minimize friction for legitimate guests while making life difficult for malicious bots. As bad actors continue to up their game, striking this balance requires skills and technology that few travel and hospitality organizations have in-house. And doing it yourself can be costly.

A research report by Ponemon Institute estimated that the total average, annualized cost of credential stuffing to an organization exceeds $6 million. This includes the cost of IT staff time for protection, detection and remediation, the cost of application downtime, and the cost of customer churn. This doesn’t include the cost of any fraud, which could range up to many millions in the event of a widespread exploit. The same study revealed that 48 percent of organizations surveyed don’t believe their security budget is sufficient to prevent or contain credential abuse attacks. Working with a network partner that has demonstrated expertise and sophisticated technologies for bot detection, categorization and management can be a cost-effective alternative to trying to meet the challenge internally.

For better or worse, bots are an inescapable reality in today’s travel and hospitality industry. But by taking a strategic approach to detecting, categorizing and managing the onslaught, it’s possible to give your guests a friction-free online experience while giving malicious bots the boot.