Check Point Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader in cybersecurity solutions, through its threat intelligence division Check Point Research (CPR), has revealed a growing threat of phishing scams and impersonation websites targeting travelers ahead of the 2026 summer travel season.
Every summer, hundreds of millions of people plan trips by booking flights and hotels online, while cybercriminals simultaneously begin exploiting these opportunities. CPR investigated the threat landscape ahead of the 2026 summer travel season. The findings indicate a surge in threats, highlighting the need to pause and remain vigilant before clicking 'confirm booking'.
Attacks Concentrated on the 'Hospitality, Travel & Entertainment' Sector
In May 2026, the 'Hospitality, Travel & Entertainment' sector recorded an average of 2,291 weekly cyberattacks per organization, a 24% increase compared to the same month the previous year. In contrast, the global average year-on-year increase across all industries was only 2%, underscoring the disproportionate rise in attacks targeting this sector. The number of attacks targeting this industry has risen from 1,032 in May 2023 to 2,291 in May 2026, representing a cumulative increase of 122% over three years.
This is not merely a coincidental spillover of rising cybercrime into the travel industry. It is a seasonal, deliberate escalation of attacks, strategically timed to exploit periods when people are rushing to make travel arrangements and may be distracted by the pursuit of favorable deals—targeting an industry that handles vast amounts of personal and financial data.
Nearly 50,000 Travel-Related Domains Registered in May Alone
In May 2026 alone, 47,318 new travel-related domains were registered, a 33% increase from the previous month and 19% higher than in May 2025. One in every 112 of these domains has already been classified as malicious or suspicious. Many others remain dormant, waiting for the peak traffic of the summer travel season to activate.
From April and May data, CPR identified three organized mass domain registration campaigns. The first involved over 210 sequentially registered domains mimicking hotel services, using naming patterns such as 'hotel-stay[N].com' and 'stay-hotel[N].com'. These indicate a single attacker automatically building a large-scale phishing infrastructure.
The second campaign impersonated well-known financial brands such as American Express and Lloyds Bank's 'Lloyds Travel Choice', using domains that combine recognizable brand names with keywords like 'happytrip' or 'travelchoice'. These are deployed on the '.ink' top-level domain (TLD), frequently used for short-term phishing attacks.
The third campaign targeted the 'Fora Travel' brand. By registering similar domains across 108 different TLDs—including '.cruises', '.miami', and '.international'—attackers employ a 'saturation strategy' to flood domain spaces with lookalike sites, increasing the likelihood that users will be redirected to fake sites regardless of what they type into their browsers.
Fake Websites Impersonating Booking.com, Airbnb, and Skyscanner Are Already Active
CPR's threat intelligence has confirmed not only infrastructure-level threats but also active phishing sites impersonating trusted and well-known online travel booking services.
'bookingni[.]com' meticulously mimics the Booking.com login flow to steal authentication credentials and credit card information. Additionally, organized campaigns using 'booking-cn[.]com' and 'booking-hk[.]com' target Chinese-speaking travelers, displaying prices in Chinese yuan and featuring banners for a 'Mid-Year Summer Sale' timed to peak booking periods—effectively localizing fake versions of Booking.com's homepage. The same attacker has also been found operating 'booking-jp[.]com' and 'booking-zh[.]com'.
'airbnb-ca[.]com' is a geographically targeted spoof site aimed at users planning trips to Canada. It displays photos of the Canadian Rockies and lists accommodations in major cities such as Montreal, Toronto, Vancouver, and Banff, convincingly mimicking the genuine Airbnb site.
Additionally, multiple domains impersonating Skyscanner—such as 'skyscanners[.]shop' and 'skyscanners[.]life'—display fake hotel packages for Malaysian resort destinations advertised as 'early-bird prices', appearing authentic while attempting to deceive users into paying deposits or booking fees. However, no actual reservations are made upon payment.
Recommended Measures to Protect Against Travel-Related Phishing Scams
In addition to being aware of the existence of fake booking sites, it is crucial to understand how to identify them:
Instead of clicking links in emails or ads, type the URL of travel websites directly into your browser.
Carefully verify the domain name before entering login or payment information. These attacks often rely on subtle one-character differences to deceive users.
Use credit cards instead of debit cards for online bookings. Credit cards offer stronger fraud protection and smoother dispute resolution in case of issues.
Enable multi-factor authentication (MFA) on your frequently used travel service accounts.
Be cautious of deals that appear unusually cheap or strongly pressure you to book immediately. Such urgency is often intentionally created.
Travel-related cyber threats follow a nearly identical seasonal pattern each year. Attackers operating fake booking sites meticulously plan and prepare in advance, just like legitimate travel providers, waiting for the surge in traveler searches during the summer demand peak.
This press release is based on a blog post originally published in English on June 15, 2026, U.S. time.
About Check Point Research Check Point Research provides
FACT BOX
- Source: PR TIMES
- Category: Survey
- Organizations: Booking.com / Airbnb / Skyscanner
- Products / services: Check Point Threat Intelligence / Check Point Research