Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research revealing that 30% of the top online travel sites* in the UK are failing to implement basic cybersecurity measures, leaving holidaymakers at increased risk of email fraud.

The findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption analysis of the top 20 online travel sites in the UK. DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.  

This year’s findings illustrate that basic DMARC adoption amongst the top 20 travel sites in the UK has slipped from 100% in 2025 down to 95% in 2026. However, there has been improvement in the number of organisations proactively blocking fraudulent emails from reaching customers, with 70% implementing DMARC at the reject level in 2026, compared to 65% in 2025.

This research comes at a time when travel is becoming an increasingly important financial priority for UK consumers, with 26% now prioritising travel over saving for a home and one in five planning to make holidays their number one financial priority. But as consumers eagerly plan and book their getaways, this shift towards more frequent travel, coupled with a high volume of emails and promotional offers from travel companies, creates a perfect storm for cybercriminals to turn dream holidays into costly scams.

Key findings from the research include:

• While 95% of the top UK travel sites have adopted a basic DMARC record in 2026, this is a decrease from a 100% adoption rate in 2025.
• Only 70% of the UK’s top travel sites are using the policy at ‘reject’ level, meaning almost one third are leaving their customers, staff, and partners more vulnerable to receiving fraudulent emails impersonating these brands. This marks an improvement on last year, with 65% at reject. 

“Booking a holiday is one of the biggest purchases many people make each year, and it’s often accompanied by a flood of emails about flights, hotels, itineraries and special offers,” said Matt Cooke, Cybersecurity Strategist, EMEA at Proofpoint. “Unfortunately, that creates an attractive opportunity for cybercriminals looking to impersonate trusted travel brands and trick people into handing over personal information or making payments. While it’s encouraging to see many travel companies strengthening their email security, too many are still leaving customers exposed to fraudulent messages. By implementing stronger protections, travel brands can make it much harder for scammers to exploit holidaymakers and help ensure travellers can focus on planning their trips with confidence.”

Proofpoint advises consumers to follow these tips to stay safe when booking and managing travel online:

1. Secure your bookings – and your accounts. Use strong, unique passwords for travel accounts and booking sites. Enable multi-factor authentication (MFA) wherever possible to add an extra layer of security.
2. Watch out for fake travel deals – and websites. Be wary of unsolicited offers that seem too good to be true. Scammers create convincing fake websites for airlines, hotels, or comparison sites to steal money and credentials. Always book through official sites or reputable, verified agents.
3. Navigate away from phishing trips – and smishing scams. Stay alert to phishing emails or smishing (SMS phishing) messages regarding flight changes, booking confirmations, or visa applications that demand urgent action or personal details. These can lead to fake login pages designed to capture your information.
4. Don’t get detoured by suspicious links. Avoid clicking directly on links in unsolicited emails, social media messages, or pop-up ads, especially for special offers or urgent alerts. Instead, type the official website address directly into your browser.
5. Check reviews before you book. Fraudulent travel offers, websites, and apps can look deceptively genuine. Before providing payment details or downloading a new travel app, invest time in researching the company, reading independent online reviews, and checking for customer complaints.

To find out more about DMARC, visit: https://www.proofpoint.com/uk/products/email-fraud-defence.

Methodology: *This analysis of DMARC adoption among the top 20 online travel sites in the UK (as identified by data from SimilarWeb) was conducted in June 2026.

About Proofpoint, Inc.

 Proofpoint, Inc. is a global leader in human- and agent-centric cybersecurity, securing how people, data, and AI agents connect across email, cloud, and collaboration tools. Proofpoint is a trusted partner to over 80 of the Fortune 100, over 10,000 large enterprises, and millions of smaller organisations in stopping threats, preventing data loss, and building resilience across people and AI workflows. Proofpoint’s collaboration and data security platform helps organisations of all sizes protect and empower their people while embracing AI securely and confidently. Learn more at www.proofpoint.com.