Every summer, hundreds of millions of people book flights, reserve hotels, and plan vacations online. And every summer, cybercriminals show up to take advantage of exactly that. Check Point Research tracked the threat landscape heading into the 2026 summer travel season, and what they found should give travelers pause before they click “confirm booking.”
The hospitality sector is under targeted attack
India is experiencing an even more intense threat environment. According to Check Point’s latest Threat Intelligence Report, organizations in India faced an average of 3,296 cyberattacks per week over the past six months, compared with 2,085 attacks per organization globally. The findings suggest that Indian businesses, including those in travel and hospitality, are operating in one of the world’s most heavily targeted cyber environments.
The hospitality, travel, and recreation sector recorded 2,291 average weekly cyberattacks per organization in May 2026; a 24% increase compared to the same month last year. To put that in context, the global year-over-year rise across all industries was just 2%. The sector has more than doubled its attack volume since May 2023, growing from 1,032 to 2,291 weekly attacks per organization over three years, a cumulative increase of 122% over three years.
This is not a general uptick in cybercrime that happens to touch travel. It is a deliberate, seasonal intensification targeting an industry that processes enormous volumes of personal and financial data precisely when people are distracted, rushing, and eager to secure a good deal.
The risks are amplified in India, where 86% of malicious files observed in the last month were delivered via the web. This underscores how fake travel websites, fraudulent booking portals, and malicious online advertisements have become some of the most effective tools for cybercriminals targeting travelers.
Nearly 50,000 fake travel domains registered in one month. The strategy mirrors broader cyberattack trends in India, where Information Disclosure vulnerabilities impacted 72% of organizations in the last month. Such vulnerabilities are particularly attractive to threat actors targeting travel platforms because they can expose valuable personal information, payment credentials, loyalty accounts, booking histories and travel itineraries.
In May 2026 alone, 47,318 new travel-related domains were registered, up 33% from April and 19% higher than May 2025. Among those domains, one in every 112 is already classified as malicious or suspicious. Many others remain dormant for now, waiting to be activated as summer traffic peaks.
Check Point Research identified three coordinated bulk-registration campaigns within the April and May data. The first revolves around over 210 sequentially numbered hotel-lure domains following templates like hotel-stay[N].com and stay-hotel[N].com, all pointing to a single automated actor building phishing infrastructure at scale. The second impersonates American Express and Lloyds Travel Choice, an affiliation of Lloyds Bank with travel reward lures, combining recognizable financial brand names with keywords like “happytrip” and “travelchoice” on .ink domains, a TLD frequently used for short-lived phishing operations. The third targets the brand “Fora Travel” across 108 distinct TLDs, including .cruises, .miami, and .international, a saturation strategy aimed at flooding multiple web domains with lookalike sites to increase the chances of intercepting travelers, no matter what they type into a browser.
Fake Booking.com, Airbnb, and Skyscanner sites are already live
For Indian organizations, credential theft remains a significant concern. Check Point data shows that 7.9% of organizations in India were impacted by infostealer malware during the last month, compared with a global average of 5.2%. These malware families are often distributed through phishing websites and fake booking pages designed to harvest usernames, passwords, payment information and other sensitive data.
Beyond infrastructure, Check Point’s threat intelligence identified active travel phishing sites impersonating some of the most trusted names in online travel booking. bookingni[.]com reproduces the Booking.com sign-in flow to harvest credentials and payment card details. A coordinated campaign using booking-cn[.]com and booking-hk[.]com targets Chinese-speaking travelers with localized versions of the Booking.com homepage, complete with RMB pricing and a “mid-year summer sale” banner timed to the booking peak. The same actor also operates booking-jp[.]com and booking-zh[.]com.
airbnb-ca[.]com targets travelers planning a trip to Canada with a geo-specific impersonation site featuring Canadian Rockies photography and property listings for Montreal, Toronto, Vancouver and Banff
And several domains operating under the Skyscanner name, including skyscanners[.]shop and skyscanners[.]life, display real-looking “presale price” hotel deals at Malaysian resorts before collecting deposits that go nowhere near an actual booking.
Beyond phishing, attackers are increasingly deploying malware and ransomware through travel-related lures. In India, ransomware affected 8.9% of organizations in the last month, nearly double the global average of 4.8%, while botnet activity impacted 17.5% of organizations compared with 10.2% globally. This demonstrates how travel scams can serve as an entry point for broader cyberattacks that extend well beyond a single fraudulent booking.
Recent cyber incidents affecting India further illustrate the growing sophistication of these threats. Researchers have documented campaigns targeting transportation, banking, and enterprise users with phishing emails, fake websites, AI-generated malware and credential-stealing tools. As cybercriminals increasingly adopt AI to automate phishing and social engineering efforts, travel-related scams are becoming more convincing, scalable and difficult for consumers to identify.
How to protect yourself from hospitality & travel phishing scams
Knowing that fake booking sites exist is useful. Knowing how to spot them is what actually keeps you safe.
- Type travel URLs directly into your browser rather than following links from emails or ads.
- Look carefully at the domain before entering any login or payment information, because a single letter of difference is exactly what these campaigns rely on.
- Use a credit card rather than a debit card for online bookings, since credit cards offer stronger fraud protection and easier dispute resolution.
- Enable two-factor authentication on any travel platform account you use regularly.
- If a deal feels unusually urgent or cheap, that pressure is usually engineered.
Travel cyber security threats follow a predictable seasonal rhythm. The people behind fake booking sites plan around the summer surge just as carefully as legitimate businesses do, and they are ready well before most travelers start searching.
