Perfect clones of the portals, fake requests for payment and malware affect tourists and hosts in three moves. In May 2025, one out of 21 domain in tourism was malicious. Here’s how to protect yourself.
ATTENTION: it is boom in false booking sites and Airbnb. Non-existent holiday homes, cylon portals and fake payment notices are becoming the norm. In the sights of the scammers there are both vacationers and hosts. According to Check Point Software Technologies, there is a surge of fraudulent sites that imitate widespread platforms such as Booking and Airbnb, putting personal data and bank accounts at risk. In May 2025, a domain on 21 linked to tourism was suspicious or malicious, compared to one out of 33 of the previous year.
How the scams of the fake reservations work: the three most popular patterns
The mechanism is now tested: hackers exploit techniques of spoofing To disguise and show themselves as legitimate operators, manipulating e-mails, websites and even captches. The three recurring patterns in recent weeks to scam both tourists and the hosts that use Booking and Airbnb are three.
First of all, the false payment form. It is the most common scam and is usually activated after a booking has already been carried out. Cybercriminals send an e-mail or SMS that seems to arrive from the official platform, reporting a problem in payment. The message contains a link that leads to a “clone” website, graphically identical to the authentic one (such as Airbnb and Booking for example), but with a slightly different URL. Here the credit card data is asked to reintegrate. Inserting them, you deliver your banking information to scammers. In some cases, the false transaction is even confirmed by a fictitious screen, to make everything more credible.
Then there is the false login for host. In this case the targets are the owners of the accommodation facilities. The scammers offer an access page reserved for hosts on Booking.com, complete with logo, graphics and captcha. After making the “login”, the victim is asked to perform some commands on his computer, for example press “Windows + R”, glue a code and press Enter. This command starts a script that downloads a malware called Asyncrat (Remote Access Trojan), giving the scammer remote access to the device. From that moment, the striker can control the computer, subtract sensitive information or use it for further attacks.
Third trap is the false e-mail of the guest. In this case, the owners of the house/room arrives an e-mail, who seems to come from real guests. The message may concern lost objects, urgent requests or changes to booking. Inside there is always a link that refers to a fraudulent web page, designed to subtract access credentials. In these cases, the attacks are made more effective by the use of artificial intelligence, which customizes each message making it realistic and difficult to recognize as false.
How to defend yourself from summer digital scams
How to avoid falling into a trap? First of all, it is better to book directly on the official channels, manually typing the site’s URL or using reliable platform apps. Never click on links received by e-mail or suspicious SMS. Booking and Airbnb never ask to enter sensitive data in this way. Other useful precautions include careful control of the URLs, the activation of two-factor authentication, the use of a VPN on public wi-fi networks and the installation of updated antivirus software.
