Fake hotels, airline ticket scams and AI travel traps are an increasing risk for travelers
Digital scams connected with travel are no longer limited to suspicious ads, non-existent apartments and poorly translated email messages. Ahead of the new summer travel season, travelers around the world are facing far more convincing forms of fraud: fake hotel websites that look almost identical to official ones, accommodation ads with photos that can be created by artificial intelligence, phishing messages that contain real booking data, and airline ticket offers that disappear as soon as the payment is made.
According to warnings from the U.S. Federal Trade Commission, known by the abbreviation FTC, travel scams often begin with an advertisement, phone call, message or email offering free, extremely cheap or time-limited trips. The Commission warns that dishonest companies or criminal groups may be behind such offers, and the consequence for the consumer may be paying hidden fees, losing money or revealing personal and financial data. Requests for payment by bank transfer, gift cards, cryptocurrencies or money transfer apps are particularly highlighted, because such payment methods often leave victims with little or no possibility of recovering funds.
The scale of the problem is also visible from broader fraud statistics. The FTC announced that in 2024 consumers reported more than 12.5 billion dollars in losses due to fraud, 25 percent more than the year before. AARP, citing FTC data, states that in 2025 more than 64,000 reports of fraud connected with travel, vacations and timeshare arrangements were recorded.
Fake hotel websites look increasingly professional
One of the most widespread forms of fraud concerns fake or misleading hotel websites. Better Business Bureau, an American organization for consumer protection and monitoring business credibility, warns that travelers often find themselves on a website that looks like the official website of a hotel or a well-known booking agency. Such websites are often reached through search engines, ads or links that appear near the top of search results. The photos may be professional, the prices convincing, and the booking process familiar enough that the user does not suspect that he is in the wrong place.
According to examples cited by Better Business Bureau, victims may discover after entering card details that they have been charged a higher amount than the one displayed, that fees were added which had not been clearly highlighted, or that the hotel has no record of their booking at all. In some cases, the user thinks he is booking a room directly with the hotel, while in reality it is a third party that is not clearly presented or a completely fake website. Such a model is especially dangerous because it is not always based on obvious fraud: the user may receive a confirmation, but it may not be valid at the real hotel or may contain terms that are significantly less favorable than expected.
Artificial intelligence further complicates the recognition of fake ads. AARP warns that AI tools help criminals clone legitimate travel websites, create convincing addresses and designs, and produce content that no longer reveals the typical signs of fraud. Accommodation photos may be computer-generated, descriptions professional, and fake reviews written in a style that resembles real travelers' experiences.
The safest approach, according to the recommendations of the FTC and Better Business Bureau, is to check the website address, compare the domain name with the hotel's official channels, not rush with payment and, if possible, contact the hotel directly before paying. If the accommodation is located in a resort or complex, the FTC recommends calling reception and confirming the location, booking terms and the existence of the property. Special caution is needed when a website asks for an unusual payment method, when cancellation terms cannot be obtained in writing, or when the user is pressured with messages that the offer is valid for only a few more minutes.
Reservation theft uses travelers' real data
A newer form of fraud that is increasingly mentioned in security warnings is so-called “reservation hijacking”. In this scenario, the fraudster does not send a general message to thousands of people, but contacts a person who really has a hotel, apartment, car rental or flight reservation. The message may contain the name, travel dates, location, booking number or other data that create the impression that it comes from the real service provider. It is precisely this combination of accurate information and an urgent payment request that makes the scam convincing.
In May 2026, WIRED described how such scams work: criminals use booking data they can obtain through compromised accounts, security incidents, social networks or other sources, and then contact the traveler claiming that there is a problem with payment, card confirmation or keeping the reservation. The goal is to get the person to pay money into the fraudster's account or enter card details on a fake website. Messages often introduce an element of urgency, for example the claim that the reservation will be canceled if the payment is not made immediately.
Additional concern was caused by a security incident confirmed by Booking.com in April 2026. According to a Guardian report, the platform informed some users that unauthorized parties had accessed certain booking data. The company stated that financial data had not been accessible, but that potentially exposed information could have included booking details, names, email addresses, physical addresses, phone numbers and messages exchanged with the accommodation. According to the same report, Booking.com changed the PINs of affected reservations and notified guests.
Such data by itself does not necessarily enable direct theft of money, but it significantly increases the credibility of subsequent fraud attempts. If a message contains the correct arrival date and the name of the property, the user may more easily believe that it is a real problem with the booking. Booking.com, according to WIRED, emphasized that it does not ask users for credit card data by phone, email or SMS, and that it does not request payment by bank transfer different from the terms listed in the reservation. That is why it is crucial that every suspicious message be checked exclusively through the official app, user account or contact details published on official websites.
Attacks on hotels open the way for scams targeting guests
Travel scams do not target only end users. Microsoft Threat Intelligence announced that since December 2024 it had been tracking a phishing campaign falsely presenting itself as Booking.com and targeting employees in hospitality and the hotel industry. According to Microsoft, the campaign was aimed at people in organizations that probably work with the booking platform, and it was recorded in multiple regions, including Europe, North America, Oceania and parts of Asia. The attack used a social engineering technique known as ClickFix, in which the user is shown a fake error or instruction for “fixing” a problem.
This type of attack is important for travelers because a compromised account of a hotel or renter can serve as a springboard for more convincing messages to guests. When a fraudster gains access to a real communication channel or booking data, the message no longer looks like typical spam. The guest may receive it in the context of an existing booking, with details that an unknown person should otherwise not know. That is why the security of travel platforms does not depend only on user caution, but also on the protection of the accounts of hotels, apartments, agencies and other partners.
For travelers, this means that even a message that appears in a familiar communication context does not automatically have to be safe if it asks for an unusual payment, additional authorization or a move to an external channel. If the supposed hotel sends a link outside the platform, asks for payment to a private account or claims that the card must be “confirmed again” on a new website, this is a clear signal for additional verification. The user should independently open the official app or website, without clicking the link from the message, and check there whether there is any warning.
Airline ticket scams exploit the desire for a lower price
Airline ticket scams often rely on the same psychology as fake hotel ads: a limited offer, a very low price and pressure to make a decision immediately. The FTC warns that travel offers may appear through ads, calls, messages or email, and fraudsters may promise free or significantly discounted services. In the context of flights, this may mean fake agencies, non-existent tickets, suspicious vouchers, “special discounts” or requests that payment be sent by a method that is not usual for legal ticket sales.
Particularly risky may be offers for charter flights and packages in which the user does not clearly know who the organizer is, who issues the ticket and which rules apply in the event of cancellation. The FTC advises checking the terms, cancellation and refund policies before payment, and, for public charter flights, checking whether they are listed with the competent U.S. Department of Transportation. Although that recommendation refers to the U.S. regulatory framework, the general rule applies globally: before paying, the traveler must know with whom he is entering into a contract, who is responsible for the service and whether there is an official complaint channel.
Criminals often target moments when flight prices are high and demand is strong. In such circumstances, users more easily react to the promise of “last seats” or an “exclusive price” that is valid for a short time. If the user is asked to pay for the ticket by cryptocurrency, gift card, bank transfer to a private account or an instant money transfer app, the risk is significantly higher. The FTC explicitly warns that such requests are a typical sign of fraud because, after payment, the money often cannot be tracked or returned.
For additional verification, it is useful to compare the price with several known sources, check whether the agency is registered and search for the company name together with terms such as “scam”, “review” or “complaint”. If it is a website that claims to sell tickets for a well-known airline, it should be checked whether the reservation can be found directly on the carrier's website using the official booking number. A fake email confirmation is not enough; the real ticket must be visible in the carrier's system or with a verified intermediary.
AI changes the appearance of scams, but not the basic warning signs
Artificial intelligence enables fraudsters to quickly create texts, images, ads and websites that look more professional than before. This does not mean that every scam is impossible to recognize, but it does mean that old signals, such as grammatical errors and poor design, are no longer enough. AARP states that AI tools help criminals clone legitimate travel websites, while Microsoft's report shows how sophisticated phishing campaigns can be adapted to the business context and targeted employees. Fraudsters today can combine automation, stolen data and convincing content into an attack that looks personalized.
Still, the basic warning signs remain the same. The first is pressure to make an urgent decision. If a message claims that the reservation will be canceled in a few minutes, that the card must be confirmed immediately or that payment must be made before a short deadline expires, one should stop. The second sign is a request for payment outside the official platform. The third is a change of the usual communication channel, for example moving from the booking app to a private WhatsApp number, an unknown email address or a link that does not belong to the official domain.
The fourth sign is unclear or unavailable documentation. The FTC advises not to sign or pay anything until the user receives the terms of the offer, cancellation rules and refund rules. If the seller avoids a written trail, refuses to send a contract or cannot explain additional fees, it is better to give up. The fifth sign is an unusually low price. Discounts in tourism exist, but an offer that is significantly cheaper than all comparable options must be viewed as a signal for additional verification, especially if it appears only on an unknown website.
How to protect yourself before paying for a reservation
Protection against travel scams begins before entering card details. The user should type the address of a known website into the browser himself or open the official app, instead of clicking an ad or a link from a message. For hotel bookings, it is useful to check the domain, the name of the company processing the payment, cancellation terms and the final price before confirmation. For private accommodation, it is necessary to check whether there is an address, whether the photos match other sources and whether the property can be confirmed through the platform's official channel.
For airline tickets, it should be checked who issues the ticket, whether the reservation can be seen in the airline's system and whether the terms for baggage, flight changes and refunds are clearly stated. If an intermediary claims that the ticket exists, but cannot provide a valid booking number that can be checked with the carrier, payment should be stopped. Special caution is needed with ads on social networks and websites that do not have clear company details, an address, customer support and refund rules.
After booking, the most important thing is not to react impulsively to subsequent messages about payment problems. If a claim appears that the reservation is at risk, the user should independently open the official account and check the status of the booking. For accounts on booking platforms, a strong and unique password is recommended, as well as enabling two-factor authentication when available.
If there is suspicion that fraud has already been committed, the bank or card issuer should be contacted immediately, an attempt should be made to stop the transaction, and passwords should be changed if data were entered on a suspicious website. It is useful to report the fraud to the platform, local consumer protection authorities and competent cybercrime services. Although a refund is not always possible, a quick reaction can limit the damage, prevent additional transactions and help remove fake websites or ads before they deceive other users.
Sources:
- Federal Trade Commission – tips for recognizing and avoiding travel scams (link)
- Federal Trade Commission – data on reported fraud losses in 2024 (link)
- Better Business Bureau – warning about fake hotel websites and booking scams (link)
- Microsoft Security Blog – analysis of a phishing campaign impersonating Booking.com (link)
- The Guardian – report on the security incident and exposed Booking.com user data in April 2026 (link)
- WIRED – explanation of reservation hijacking scams and recommendations for safer communication (link)
- AARP – overview of the most common warning signs in travel scams and the role of AI tools (link)