Travel Phishing Is Surging, but the Bigger Story Is Predictable Human Behaviour

Every summer, millions of people book holidays, flights, accommodation, and experiences online.  Unfortunately, cyber criminals know exactly when this happens.

According to recent research from Check Point, the hospitality, travel, and recreation sector is experiencing one of the fastest increases in cyber attacks globally. Their data shows average weekly attacks against organisations in the sector have increased from 1,032 attacks per organisation in May 2023 to 2,291 attacks per organisation in May 2026, representing growth of 122% over three years.[1]

That is significantly higher than the overall increase seen across other industries.

From our perspective, this is not simply a travel industry problem, but an example of a broader trend.

The Real Story Is Human Behaviour

Cyber criminals have always followed opportunity, but the difference today is how effectively they can scale and automate campaigns around predictable human behaviour.

Travel season provides ideal conditions:

  • High transaction volumes
  • Increased online bookings
  • Time-sensitive decisions
  • Financial transactions
  • Distracted users
  • Personal devices being used outside normal environments

In short, people are busy, excited, and often moving quickly, and those conditions create opportunities for attackers.

This is exactly the same pattern we see around:

  • Christmas shopping
  • Tax deadlines
  • Sporting events
  • Public sector deadlines
  • Major global incidents

The theme is remarkably consistent: attackers do not simply target technology; they target moments when human behaviour becomes predictable.

 

Nearly 50,000 New Travel Domains

One of the more striking findings in Check Point's research was the scale of travel-related infrastructure being created.

During May 2026 alone:

  • 47,318 travel-related domains were registered
  • 33% higher than April
  • 19% higher than May 2025

Check Point also identified multiple coordinated registration campaigns designed specifically to support phishing operations. Many of these domains imitate trusted travel brands, financial providers, or booking services. Some remain dormant initially before being activated during peak travel periods. This demonstrates how organised many phishing operations have become. These are not isolated scams; they are increasingly industrialised campaigns.

 

Trusted Brands Continue To Be Weaponised

Check Point identified active phishing campaigns impersonating:

  • Booking.com
  • Airbnb
  • Skyscanner
  • American Express
  • Lloyds Travel Choice

The reason is simple: attackers understand trust.

People are far more likely to click a link when they believe it originates from a recognised brand. In many cases, the phishing sites closely resemble legitimate booking platforms, including:

  • Branding
  • Pricing information
  • Login portals
  • Booking workflows
  • Payment pages

For end users, spotting the difference can be difficult, and that is precisely the point.
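
A defensive check for the lookalike registrations described above, as an added example that is not part of the original article or of Check Point's research: it screens a feed of newly registered domains for names that imitate four of the brands listed. The feed entries, the digit-folding table, the 0.85 similarity threshold and the allowlist of legitimate domains are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Brand token -> legitimate registrable domains (illustrative allowlist, an assumption).
BRANDS = {
    "booking": {"booking.com"},
    "airbnb": {"airbnb.com"},
    "skyscanner": {"skyscanner.net", "skyscanner.com"},
    "americanexpress": {"americanexpress.com"},
}
# Fold common digit-for-letter swaps before comparing: 0->o 1->l 3->e 4->a 5->s 7->t.
FOLD = str.maketrans("013457", "oleast")

def registrable(domain):
    """Naive last-two-labels split (assumption: no multi-part suffixes such as co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def screen(domain, threshold=0.85):
    """Return (brand, reason) when the name imitates a listed brand, else None."""
    reg = registrable(domain)
    if any(reg in legit for legit in BRANDS.values()):
        return None  # genuinely under a brand's own domain
    folded = domain.lower().translate(FOLD)
    tokens = [t for t in re.split(r"[.\-_]", folded) if t]
    for brand in BRANDS:
        # Brand string embedded in the name, e.g. as a subdomain or prefix.
        # Generic words such as "booking" will be noisy and need analyst review.
        if brand in folded.replace("-", ""):
            return (brand, "contains")
        # Misspellings: one label is nearly, but not exactly, the brand.
        if any(SequenceMatcher(None, t, brand).ratio() >= threshold for t in tokens):
            return (brand, "near-match")
    return None

def screen_feed(domains):
    """Map each suspicious domain in the feed to its (brand, reason) hit."""
    return {d: hit for d in domains if (hit := screen(d))}

# Constructed sample feed; .example names are reserved and not real registrations.
SAMPLE_FEED = [
    "secure.booking.com",
    "b00king-confirm.example",
    "airbnb-verify-payment.example",
    "skyscaner-deals.example",
    "booking.com.reservation-check.example",
    "weather-forecast.example",
]

if __name__ == "__main__":
    for name, (brand, reason) in screen_feed(SAMPLE_FEED).items():
        print(f"{name}: imitates {brand} ({reason})")
```

Hits from a check like this are candidates for blocking at the mail gateway or DNS resolver and for takedown requests, after a human has reviewed them.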

 

What This Means For Organisations

While the headlines focus on travellers, organisations should not assume this is purely a consumer issue.

Many business users:

  • Book travel through corporate systems
  • Access bookings from managed devices
  • Use corporate email accounts
  • Store payment information online

Successful compromise can lead to:

  • Credential theft
  • Business email compromise
  • Payment fraud
  • Identity theft
  • Further lateral movement inside organisations

Travel phishing often becomes the initial access point rather than the end goal.

 

Why Traditional Security Awareness Still Matters

The rise of AI-generated phishing has led some organisations to question whether user awareness training still works.

That means organisations should continue investing in:

  • Security awareness training
  • Phishing simulations
  • DMARC enforcement
  • Identity protection
  • Multi-factor authentication
  • Email security controls

The organisations that perform best typically adopt a layered approach rather than relying on a single control.

 

What We Are Seeing Across The UK And New Zealand

Across both markets, phishing remains one of the most common initial access vectors. Yes, the techniques change, but the themes do not.

Whether the lure is:

  • Travel
  • Invoices
  • Microsoft 365
  • Courier services
  • Banking alerts

The objective is usually the same:

  • Capture credentials
  • Harvest information
  • Establish trust
  • Gain access

The organisations experiencing the greatest success are those focusing on reducing risk through multiple layers of protection rather than attempting to eliminate phishing entirely.

The Bigger Picture

The most interesting takeaway from Check Point's research is not the number of attacks but how predictable the attacks have become. Cyber criminals are increasingly building campaigns around human behaviour, seasonal events, and trusted brands. Travel is simply the latest example.

The organisations that recognise these patterns early are often better positioned to reduce risk before campaigns reach their users. Ultimately, this is not just a travel security story, but a reminder that cyber security remains as much about understanding people as it is about understanding technology.

📞 UK +44 (0) 113 341 0123

📞 NZ +64 (0)9 802 2444

📧 hello@itogether.com
