The hospitality and travel sector experienced a dramatic surge in cyberattacks, with organizations facing an average of 2,291 weekly attacks in May 2026, representing a 24% year-over-year increase and a cumulative 122% rise since 2023. Cybercriminals registered 47,318 travel-related domains in May 2026 alone, with one in every 112 classified as malicious or suspicious. Three coordinated bulk-registration campaigns were identified, including sequential hotel-lure domains, American Express and Lloyds Travel Choice impersonations, and widespread Fora Travel brand abuse across 108 TLDs. Active phishing operations target major platforms including Booking.com, Airbnb, and Skyscanner through lookalike domains designed to harvest credentials and payment information. These attacks deliberately intensify during peak summer booking season when travelers are distracted and eager for deals, exploiting the industry's high volume of personal and financial data processing.