Fake Booking & Tour Website Fraud: the same scam, in 15+ countries.
From cloned Airbnb listings at 30 percent off to Booking.com phishing emails to typo-domain fake hotel sites to WhatsApp fixer deposits to fake tour-ticket resellers, five mechanics target the modern tourist booking flow. The platform-only rule and the URL-verification rule defeat every variant.
By Bernard Huang, Editor · Updated
Fake booking and tour website fraud runs five mechanics targeting tourist accommodation and attraction bookings: cloned Airbnb listings (real property posted under different host at 20-40 percent lower price; deposit goes to scammer; original listing remains genuine), Booking.com phishing emails ("your reservation has been changed" links to lookalike site; real Booking.com never requests new payment after confirmation), typo-domain fake hotel websites (booking-sites.com / bookings-com.net / hotelitalia-confirm.com running Google ads against tourist searches), WhatsApp / Facebook fixer deposit fraud (Facebook-group third party offers booking at lower price; deposit via PayPal Friends and Family / Western Union disappears), and fake tour-ticket resellers (counterfeit Vatican / Eiffel / Sagrada / Colosseum / Disney skip-the-line tickets that fail QR scan at gate). The universal defenses are two rules: the platform-only rule (pay only inside Booking.com / Airbnb / Expedia / official hotel direct / GetYourGuide / Tiqets / Viator secure checkout; never wire transfer, PayPal Friends and Family, Western Union, or WhatsApp / Telegram payment for any booking), and the URL-verification rule (type booking.com / airbnb.com / expedia.com manually; verify URL spelling exactly; ignore Google search ads; verify hotel direct URL via the hotel official Instagram or Google Business Profile).
"Your reservation has been changed; please update your payment within 24 hours."
You booked a four-night stay in Florence three weeks ago through Booking.com. The hotel: Hotel San Marco Florence. The booking confirmation arrived by email; you saved it; you have the printed itinerary. Tonight, the night before your flight, you receive a new email at 22:14. The sender is "Booking.com Reservation Service." The subject: URGENT - YOUR FLORENCE RESERVATION HAS BEEN CHANGED. The body says the hotel has updated the room category and you need to confirm a small payment difference (12 EUR) within 24 hours or the reservation will be canceled. There is a link: CONFIRM PAYMENT NOW.
You click the link. A page loads, styled like Booking.com: blue header, the same logo, the same fonts. The URL in the address bar reads bookings-com.net. You do not look closely at the URL because you are tired and the page looks legitimate. The page asks for your credit card number, expiration, CVV, and zip code "for the 12 EUR adjustment." You enter the card; you click submit. The page shows a confirmation: "Reservation confirmed. Have a great trip."
Three days into your trip, your card issuer phones you. The card has been used at four ATMs in Bucharest for a total of 4,800 USD. The card is canceled. Your card issuer offers a chargeback under fraud; the chargeback succeeds 21 days later. The 4,800 USD is restored. Your trip is unaffected at the hotel (the original reservation was real and unchanged), but you spent two evenings on the phone with the bank.
This is the Booking.com phishing email variant, the most-documented modern booking-platform fraud. The variant runs at scale globally; the spike is during peak summer when scammers buy ad space against "Booking.com login" searches and harvest emails from data breaches. Real Booking.com never requests new payment after confirmation; the URL is always booking.com (not bookings-com.net or booking-sites.net or any variant).
The defense is two rules. The platform-only rule: pay only inside Booking.com / Airbnb / Expedia / official hotel direct / GetYourGuide / Tiqets / Viator secure checkout. Never wire bank transfer, PayPal Friends and Family, Western Union, or WhatsApp / Telegram payment for any tourist booking. The URL-verification rule: type booking.com / airbnb.com / expedia.com manually into the browser address bar before logging in. Ignore Google search ads. Verify the URL spelling exactly. If a "your reservation has been changed" email arrives, log into the platform directly (manually typed URL) and verify the booking status from the trips dashboard.
That is the Booking.com phishing email variant of the fake-booking-website-fraud family, the most-documented modern booking-fraud pattern. The rest of this page is the five-mechanic playbook, the four other variants where it runs in different forms (cloned Airbnb listing, typo-domain hotel site, WhatsApp fixer deposit, fake tour-ticket reseller), and the two rules that defeat every variant.
Read the full booking-fraud universal guide โKey Takeaways
The platform-only rule and the URL-verification rule
Every variant of fake booking website fraud is defeated by the same two rules. The platform-only rule: pay only inside the booking platform secure checkout (Booking.com, Airbnb, Expedia, hotel direct site, GetYourGuide, Tiqets, Viator official sites). Never wire bank transfer, PayPal Friends and Family, Western Union, or send WhatsApp / Telegram payment for any tourist booking. The platform secure checkout has chargeback corridor and dispute mediation; off-platform payments do not. The URL-verification rule: before paying, verify the URL exactly. Type booking.com (not booking-sites.com or bookings-com.net or booking-confirmation.com) manually into the browser address bar. Ignore Google search ads at the top of results. For hotel direct sites, verify the URL on the hotel official Instagram or Google Business Profile.
The first rule addresses the chargeback-corridor asymmetry. Major booking platforms provide payment escrow (the host or supplier does not receive funds until after stay / service), chargeback corridor through Visa / Mastercard / Amex, customer-service mediation for disputes, and host / supplier verification. Off-platform payments via PayPal Friends and Family, Western Union, bank transfer, or chat-app payment provide none of these protections. The funds, once sent, are typically unrecoverable. The platform may charge a small premium (3-15 percent service fee) but the protection is worth it for any booking over 100 USD.
The second rule addresses the URL-deception asymmetry. Phishing operators register domains that mimic real platforms (bookings-com.net, booking-sites.com, booking-confirmation.com, hotelitalia-confirm.com) and run Google ads against tourist searches. The fake site is styled identical to the real platform; the URL is the only tell. Manually typing the platform URL bypasses the entire phishing chain.
The third defense is the verify-listing rule. For Airbnb: check the listing has 50+ reviews from at least 6 months of history; verify the host has a Superhost badge if claimed (the badge is not transferable to clone accounts). For hotel: check Google Reviews (1,000+ for established hotel; 5-15 indicates a ghost listing); cross-reference the hotel name on Booking.com / TripAdvisor. For tour: check TripAdvisor reviews; legitimate operators have 100+ reviews over multiple years.
The fourth defense is the phishing-email refusal. Booking.com, Airbnb, and Expedia do not send emails asking for new payment after confirmed booking. If you receive a "your reservation has been changed, click here to update payment" email, it is phishing 100 percent of the time. Verify status by logging into the platform directly (manually typed URL) and checking the booking from your trips dashboard.
The fifth defense is the chargeback corridor. Always pay by credit card with chargeback rights for any tourist booking. Visa, Mastercard, Amex all support fraud chargebacks for booking platforms; recovery rate for documented platform-fraud is high. Keep all communications, screenshots of the listing, payment confirmation, and any phishing email; submit chargeback within 30 days of discovery.
The five mechanics
Fake booking website fraud runs five distinct mechanics targeting modern tourist booking flows. The mechanic varies; the deception strategy is identical: route the tourist payment outside the platform protection layer.
1. Cloned Airbnb listing (global)
A scammer copies a real Airbnb listing (photos, description, address) and posts it under a new host account at 20-40 percent lower price. Tourists who do not verify the listing book and pay; the scammer accepts the booking, then disappears or claims the property is not available on arrival, refusing to refund. The original real listing remains genuine. Documented globally โ popular cloning targets include established Airbnb apartments in Barcelona, Lisbon, Rome, Mexico City, NYC. Defense: check the host has 6+ months of review history, 20+ verified reviews, and a Superhost badge if claimed; cross-reference the property address on Google Street View; if price is suspiciously below comparable listings, the variant is likely.
2. Booking.com phishing email (global)
After a legitimate Booking.com reservation, the tourist receives an email claiming to be from the hotel or from Booking.com saying "your reservation has been changed, please update your payment." The email contains a link to a fake site styled like Booking.com; entering payment information on the fake site sends it to the scammer. Documented globally; spike during peak summer season. Real Booking.com / hotels do not request new payment after confirmation. Defense: verify booking status by logging into Booking.com directly (manually typed URL); never click links in unsolicited emails.
3. Typo-domain fake hotel website (global)
A scammer registers a domain that mimics a real hotel or platform (booking-sites.com, bookings-com.net, hotelitalia-confirm.com) and runs Google ads against tourist booking searches ("book hotel rome", "florence airbnb"). Tourists clicking the ad see a site styled like the real platform; entering payment goes to the scammer. The variant rotates domains daily as Google takes them down. Defense: type booking.com / airbnb.com / expedia.com manually into the browser address bar; ignore Google ads at the top of search results; verify URL spelling exactly before paying.
4. WhatsApp / Facebook fixer deposit (global)
A scammer posts in tourist Facebook groups (e.g., "Italy Travel Tips," "Bangkok Backpackers") or sends WhatsApp messages offering to book hotels, tours, or rentals at lower-than-platform prices. The scammer claims insider connections or off-platform discounts. The tourist sends a deposit via PayPal Friends and Family, Western Union, or bank transfer; the scammer disappears or never delivers the booking. PayPal Friends and Family has no chargeback protection; the loss is permanent. Defense: never pay a deposit outside an official booking platform; if a deal is too good to be true, it is the variant by definition.
5. Fake tour-ticket reseller (global)
A scammer sells "skip-the-line" tickets to major attractions (Vatican Museums, Eiffel Tower, Sagrada Familia, Colosseum, Disney parks, Universal Studios) at lower prices than the official site. The tickets are counterfeit (printed PDFs that fail QR-code scan at the gate) or resold legitimate tickets that are then canceled. Some scammers operate full fake-platform sites mimicking GetYourGuide, Tiqets, Viator. Documented at every major tourist attraction globally. Defense: book only through official attraction sites or verified platforms (GetYourGuide.com, Tiqets.com, Viator.com โ type URL manually); never click ads on social media for "cheap Vatican tickets."
Where it runs
Fake booking website fraud is a global, platform-mediated variant; the operators target high-search-volume booking destinations. The geography below covers the most-documented affected destinations, though the variant operates anywhere there is online tourism.
- Italy (cloned Airbnb, fake tour tickets): Rome (Vatican / Colosseum tour-ticket fakes), Florence (Uffizi / Duomo tour tickets, hotel cloned-site phishing), Venice (San Marco tour ticket fakes, gondola booking fraud), Naples (cloned-Airbnb hotspot), Cinque Terre (cloned-Airbnb), Amalfi Coast (luxury-villa cloned-listing fraud), Milan (Duomo skip-the-line fakes).
- Spain (cloned Airbnb, fake tour tickets): Barcelona (Sagrada Familia tour-ticket fakes, Park Guell fakes, Las Ramblas hotel cloning), Madrid (Royal Palace fake tickets, Prado), Mallorca (cloned-Airbnb beach apartments), Ibiza (cloned-Airbnb hotspot), Seville (Cathedral / Alcazar fake tickets), Granada (Alhambra fake tickets).
- Thailand (cloned Airbnb, fake tour tickets, WhatsApp fixer): Bangkok (Grand Palace fake tickets, Wat Pho fake tickets, Khao San Road WhatsApp fixers), Phuket (cloned-Airbnb beach villas), Koh Samui, Koh Phangan (Full Moon Party ticket fakes), Chiang Mai (elephant sanctuary tour fakes).
- USA (cloned Airbnb, fake Disney / Universal tickets, fake Broadway): NYC (Broadway ticket fakes, Empire State / Statue of Liberty fakes, cloned-Airbnb hotspot), LA (Disney / Universal Studios ticket fakes, Hollywood Walk-of-Fame tour fakes), Las Vegas (show-ticket fakes), Orlando (Disney / Universal fakes), San Francisco (Alcatraz tour fakes, Golden Gate Bridge fakes), Hawaii (luau / cruise fakes).
- Adjacent (also documented): France: Paris Eiffel / Louvre / Versailles fake tickets. UK: London Eye / Tower of London / theatre fakes. Mexico: Mexico City / Cancun cloned-Airbnb. Greece: Acropolis / Mykonos cloned listings. Turkey: Istanbul Hagia Sophia / Cappadocia balloon fakes. Indonesia: Bali villa cloning. Vietnam: Halong Bay tour fakes. Japan: Tokyo / Kyoto cloned-Airbnb, Disney Tokyo ticket fakes. Egypt: Pyramids tour-ticket fakes. Brazil: Rio Christ-the-Redeemer fakes.
Four more places, four more booking-fraud variants
Barcelona Sagrada Familia: the cloned tour-ticket reseller
You search "skip the line Sagrada Familia tickets" on Google. The top three results are paid ads. You click the first one, which leads to a site styled like GetYourGuide called "sagrada-skip-line.com." The site offers tickets at 22 EUR (the official Sagrada Familia site shows 26 EUR). You book two tickets, pay by card, receive a PDF in email five minutes later.
You arrive at Sagrada Familia. You scan the QR code at the gate; the gate says INVALID TICKET. The Sagrada attendant explains: "this ticket is from a third-party site that is not authorized; you can buy a real one at the desk for today, but only if seats are available." Today is fully booked. You walk away.
Defense: book only through the official Sagrada Familia website (sagradafamilia.org) or verified resellers (GetYourGuide.com, Tiqets.com, Viator.com โ type URL manually, do not click Google ads). Visa / Mastercard / Amex chargeback under "services not received" recovers the 44 EUR within 30 days. The "sagrada-skip-line.com" site is rotated daily; the operator runs hundreds of sub-domains.
Bangkok Khao San Road: the WhatsApp tour-fixer deposit
You arrive in Bangkok; you want to book a 3-day Northern Thailand tour (Chiang Mai elephants, Doi Suthep, hilltribe village). On Khao San Road, a Facebook group "Bangkok Backpackers" has a post from "Pattaya Tours Thailand" offering the 3-day package at 4,500 baht (about 130 USD), 35% below the GetYourGuide price. You message the operator on WhatsApp; they ask for 2,000 baht deposit via PayPal Friends and Family.
You send the deposit. The operator confirms the booking; you arrive at the meeting point in Chiang Mai three days later. Nobody is there. The WhatsApp number is now disconnected. The Facebook account is deleted. The 2,000 baht is unrecoverable; PayPal Friends and Family has no chargeback.
Defense: never pay deposits outside an official booking platform. GetYourGuide.com / Tiqets.com / Viator.com / TripAdvisor Bookings all have escrow and chargeback protection; the 35% premium is worth it. WhatsApp / Facebook deposits are 100% the variant by definition. The Tourism Authority of Thailand (TAT, tourismthailand.org) maintains a list of licensed tour operators; cross-reference any operator offering off-platform deals.
NYC Times Square: the Broadway ticket fake
You search "Broadway tickets cheap" on Google before your trip. The top ad leads to "broadwaytickets-discount.com," styled like Telecharge or TodayTix. You book two tickets to Hamilton at 195 USD each (official price 350 USD). You pay by card; the e-tickets arrive 10 minutes later as PDFs.
You arrive at the theater. The box office scans the tickets and says "these tickets have already been used by another customer 30 minutes ago." You realize the variant: the operator scrapes resale-platform e-tickets (StubHub, SeatGeek), prints multiple PDFs of the same QR, and sells to multiple buyers; the first to scan wins.
Defense: book Broadway tickets only through official channels (Telecharge.com, TodayTix.com, Ticketmaster, the theater official website). Never click Google ads for "cheap Broadway tickets." Visa / Amex chargeback for "services not received" recovers the funds within 30 days. The NYC Better Business Bureau maintains a list of fake-Broadway-ticket sites; check before purchase.
Florence (cloned Airbnb apartment): the Superbnb-clone
You search Airbnb for a Florence apartment for 4 nights. You find one near the Duomo at 480 EUR for the stay. The photos look professional; the description is detailed. The host is "Marco F." with 3 reviews from 2 weeks ago. You book; you pay through Airbnb. You receive a check-in message from Marco asking you to message him on WhatsApp directly for "key handover details."
You message him on WhatsApp. He says: "the booking website made a mistake; I need a 200 EUR security deposit by bank transfer before key handover; this is standard for high-end properties in Florence." You hesitate. You log back into Airbnb and check the listing; the listing has been removed by Airbnb. You realize the host was a clone of an established Florence Airbnb (you find the original listing under host "Marco F." with 240 reviews over 4 years; same photos).
Defense: never pay anything outside the Airbnb platform. Airbnb covers the legitimate booking; off-platform demands ("security deposit by bank transfer") are 100% the variant. If a host has fewer than 20 reviews and asks for off-platform payment, walk away. The cloned listing is removed by Airbnb on report; refund is processed through Airbnb resolution center.
Red flags
- Email asking to update payment after confirmed booking. Phishing 100% of the time; real platforms do not request this.
- URL slightly different from real platform (booking-sites, bookings-com). Typo-domain variant; verify spelling exactly.
- Listing price 20-40% below comparable properties. Cloned listing or scam; verify host history.
- Host asks for off-platform payment / security deposit. Cloned listing setup; never pay outside platform.
- WhatsApp / Facebook offer at lower-than-platform price. Fixer-deposit fraud setup.
- Tour-ticket site without TripAdvisor / Google reviews. Fake reseller; book through official site.
- Deposit requested via PayPal Friends and Family / bank transfer. No chargeback protection; the variant.
- "Skip the line" tour ticket below official-site price. Counterfeit ticket likely.
The phrases and links that shut it down
Booking fraud is platform-mediated, not in-person; the "scripts" are the verification URLs and chargeback paths. Type these manually before paying.
If you got hit
If you paid by credit card to a fake site or fake host: file a chargeback within 30 days under "fraud" or "services not received" or "item not as described." Visa, Mastercard, Amex all support booking-fraud chargebacks; recovery rate is high with documentation. Provide screenshots of the listing or website, payment confirmation, the phishing email if any, and the original real listing for comparison. Most card issuers process the dispute within 21-45 days.
If you paid by bank transfer / Western Union / PayPal Friends and Family: the funds are typically unrecoverable. File a police report locally and report to the FBI Internet Crime Complaint Center (IC3.gov) for US tourists, Action Fraud (UK), Signal Spam (France), Polizia Postale (Italy), Australian Cyber Security Centre (ACSC), or the equivalent national cybercrime unit. Document the loss for insurance and tax purposes; some travel insurance policies cover booking fraud (verify policy terms).
Notify the impersonated platform: Booking.com ([email protected] or in-app help), Airbnb (help.airbnb.com resolution center), Expedia (expedia.com customer service), GetYourGuide / Tiqets / Viator. The platform may take down the fake listing or domain, may issue refund through resolution center if the cloned listing was on the platform, and may compensate via host-protection funds if applicable.
Cancel the affected card immediately if you entered card details on a phishing site. Most card issuers have 24-hour fraud lines; the affected card is canceled and a new one issued; existing recurring charges (Netflix, gym, etc.) need to be re-set up on the new card.
Save all evidence. Take screenshots of the fake listing or website, the URL bar showing the fake domain, the booking confirmation email, the phishing email, the host / operator chat history. The chargeback dispute and police report both require this evidence.
Related atlas entries
Sources & references
- Booking.com Trust and Safety: booking.com/trust-and-safety — phishing reporting and account-protection guidance.
- Airbnb Resolution Center: help.airbnb.com — cloned-listing reporting and host-protection.
- FBI Internet Crime Complaint Center: ic3.gov — US cybercrime reporting for booking fraud.
- Action Fraud (UK): actionfraud.police.uk — UK cybercrime reporting.
- Polizia Postale (Italy): cybercrime division for booking-fraud cases.
- Australian Cyber Security Centre (ACSC): cyber.gov.au — Australian cybercrime reporting.
- UK FCO travel advice: international destinations referenced for booking-fraud advisories during peak summer season.
- Tabiji field reports: Booking.com phishing across global tourist destinations, Barcelona Sagrada fake tickets, Bangkok Khao San WhatsApp fixers, Florence cloned-Airbnb, NYC Broadway fakes (2024-2026).
Get the full booking-fraud playbook for your destination.
Each Travel Safety atlas covers every documented booking, accommodation, and tour-ticket scam in one country, plus the full scam catalog: pickpocket, taxi, ATM, restaurant, fake authority. Buy once, lifetime updates as scams evolve. $4.99 on Kindle.
