This campaign involves a dramatic increase in cyberattacks targeting the travel and hospitality sector, averaging 2,291 weekly attacks as of May 2026. Cybercriminals have registered over 47,000 travel-related domains, with approximately 1 in 112 classified as malicious or suspicious. Coordinated bulk-registration campaigns include sequential hotel-lure domains and impersonations of major financial and travel brands. Active phishing operations use lookalike domains to harvest credentials and payment data from users of major platforms such as Booking.com, Airbnb, and Skyscanner. The surge in attacks aligns with seasonal travel booking peaks, leveraging the high volume of personal and financial data processed by the industry.

The impact includes increased risk of credential theft and payment fraud for travelers using major booking platforms. Organizations in the hospitality and travel sector face a higher volume of phishing attacks, potentially leading to financial losses and compromised customer data. The use of lookalike domains and brand impersonation increases the likelihood of successful phishing, especially during peak booking seasons when users are more vulnerable.

No official patches or fixes apply as this is a phishing campaign rather than a software vulnerability. Mitigation should focus on user awareness of phishing risks, monitoring for suspicious domains, and implementing email and web filtering to block known malicious domains such as those identified in this campaign (e.g., booking-cn.com, skyscanners.life). Organizations should also verify the authenticity of domains and communications related to travel bookings and payments. Since this is a campaign, continuous threat intelligence updates and domain monitoring are recommended.