- Check Point Research warns summer vacation scams are surging, with hospitality/travel firms hit by 2,291 weekly attacks in May 2026 alone
- Attack volume doubled vs. May 2023; 47k+ new travel domains registered, 1 in 112 already flagged malicious
- Booking, Airbnb, and Skyscanner spoofed; travelers urged to verify domains before entering personal or payment data
Scams targeting people looking to book their summer vacations are spiking, researchers have claimed – and not only that, but the volume of attacks is significantly larger than last year, or the year before, indicating a growing problem.
Security experts Check Point Research found that in May 2026 alone, the hospitality, travel, and recreation sector recorded 2,291 average weekly cyberattacks per organization. The attacks rose 24% month-over-month, while the volume more than doubled compared to May 2023.
Cumulatively, over the last three years, the company found there has been a 122% increase in attacks on the industry.
Spoofed website
At the same time, the global year-over-year rise across all industries was just 2% which, CPR argues, means criminals are specifically targeting holiday-goers:
“This is not a general uptick in cyber crime that happens to touch travel. It is a deliberate, seasonal intensification targeting an industry that processes enormous volumes of personal and financial data precisely when people are distracted, rushing, and eager to secure a good deal.”
A major part of these scams are phishing emails and fraudulent, spoofed websites, and these have shot up significantly. In May 2026alone, CPR says there were 47,318 new travel-related domains registered, which is up 33% from April and up 19% compared to May last year.
To make matters even worse, among these domains one in every 112 is already classified as either malicious, or suspicious. That doesn’t mean that the other 111 are legitimate, it simply means many others are…
