95% of Saudi Travel Sites Adopt Email Authentication Measures to Protect Holidaymakers During Peak Booking Season

Proofpoint research reveals Saudi travel brands are taking proactive steps to defend customers from fraudulent emails

Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research revealing that 95% of the top online travel sites* in Saudi Arabia have adopted Domain-based Message Authentication, Reporting and Conformance (DMARC), a key email security protocol that helps protect users from email fraud.  However, only 30% of these sites have implemented it at the highest enforcement level of “reject,” which actively blocks unauthorised emails from reaching inboxes.  

The findings are based on a DMARC adoption analysis of the top 20 online travel sites in Saudi Arabia, as well as across Europe and the UAE.  

DMARCis an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.  

As Saudi Arabia races toward its Vision 2030 tourism goals, digital transformation in the travel sector is accelerating, making secure online communications more vital than ever.

But as consumers eagerly plan and book their getaways, this surge in activity – coupled with a high volume of emails and promotional offers from travel companies – creates a perfect storm for cybercriminals, turning dream holidays into costly scams through sophisticated email fraud.

Key findings from the research include:

• Saudi Arabia demonstrates strong foundational email security adoption with 95% of the country’s top travel websites publishing a DMARC record, one of the highest rates across Europe and the Middle East.

• However, there is room for improvement with only 30% of these sites using the policy at “reject” level, meaning 70% are leaving their customers, staff, and partners more vulnerable to receiving fraudulent emails impersonating these brands.
• On average, 88% of the top travel websites across Europe and the Middle East have published a basic DMARC record. However, only 46% of all travel sites analysed are at reject, meaning 54% of the top travel sites across the regions are leaving customers at risk of email fraud.

“Holiday bookings often represent a significant number of high-value financial transactions and bring experiences of high personal and emotional value, this combination makes travellers prime targets for cybercriminals.

These attackers actively use sophisticated email fraud, especially during peak holiday season, to exploit vulnerabilities,” says Matt Cooke, cybersecurity strategist, Proofpoint. “Fake booking confirmations, too-good-to-be-true deals, and urgent payment requests for supposed flight changes are common tactics. These fraudulent communications can appear highly convincing, putting travellers’ finances and personal data at risk.”

“Travel companies bear a social responsibility to do everything they can to stop convincing scam emails being sent in their name, to holidaymakers,” continues Cooke. “Implementing DMARC technology to its fullest level of ‘reject’ allows travel companies to ​massively reduce the risk of that happening, protecting both their brand and all of the holidaymakers at the same time., it’s a win-win.”

Proofpoint advises consumers to follow these tips to stay safe when booking and managing travel online:

1. Secure your bookings – and your accounts. Use strong, unique passwords for travel accounts and booking sites. Enable multi-factor authentication (MFA) wherever possible to add an extra layer of security.
2. Watch out for fake travel deals – and websites. Be wary of unsolicited offers that seem too good to be true. Scammers create convincing fake websites for airlines, hotels, or comparison sites to steal money and credentials. Always book through official sites or reputable, verified agents.
3. Navigate away from phishing trips – and smishing scams. Stay alert to phishing emails or smishing (SMS phishing) messages regarding flight changes, booking confirmations, or visa applications that demand urgent action or personal details. These often lead to fake login pages designed to capture your information.
4. Don’t get detoured by suspicious links. Avoid clicking directly on links in unsolicited emails, social media messages, or pop-up ads, especially for special offers or urgent alerts. Instead, type the official website address directly into your browser.
5. Check reviews before You book. Fraudulent travel offers, websites, and apps can look deceptively genuine. Before providing payment details or downloading a new travel app, invest time in researching the company, reading independent online reviews, and checking for customer complaints.

To find out more about DMARC, visit: https://www.proofpoint.com/uk/products/email-fraud-defence.

Methodology: *This analysis of DMARC adoption among the top 20 online travel sites in each market in  the UK, Italy, France, Germany, Spain, Benelux, UAE and KSA (as identified by data from Semrush, ecommerce Italia, Fevad, Statista, Ocu, SimilarWeb) was conducted in May 2025.