Bogus tourist tax and fake levy sites, four mechanics behind the official-looking payment portal.
A lookalike Bali Tourist Levy site that captures your card details a week before your trip. A Roman hotel that bills you imposta di soggiorno twice on a 4-night stay. A "customs officer" at Phnom Penh airport demanding 30 USD cash for an exit tax that has been abolished since 2018. A man in a high-vis vest near Venice Santa Lucia station demanding 5 EUR cash for the city-entry tax. Four mechanics across 8 countries, defeated by the same five-second rule: verify the domain on the official tourism authority site.
Bogus tourist tax and fake levy sites run four mechanics across 8 countries: pre-arrival lookalike payment portal (most-documented for the Bali Tourist Levy launched Feb 2024 and Italian imposta di soggiorno), hotel double-charge, fake airport exit tax cash demand, and fake city-entry tourist tax (Venice Contributo di Accesso variant). The universal defense is one five-second rule: verify the official domain on the destination's tourism authority site before entering card details. The defense in depth is reviewing hotel receipts for duplicate tourist-tax line items, refusing all cash exit-tax demands without printed receipts, and paying city-entry taxes only via the city's official online portal.
"Pay your Bali Tourist Levy now — instant confirmation."
You search Google for "Bali Tourist Levy payment" three days before flying out. Indonesia's official Bali Tourist Levy, launched February 14, 2024, costs 150,000 IDR (about 10 USD) per person and can be paid online before arrival or at the Denpasar Ngurah Rai (DPS) airport on arrival. The first Google result is a sponsored ad: "balidigital.travel - Official Bali Tourist Levy · Pay Now · Instant Confirmation." The site uses the official Bali tourism logo, the same blue-and-orange color scheme as the real portal, and a clean payment form asking for name, passport, arrival date, card details.
The real official portal is at lovebali.bali.id (a .bali.id government subdomain operated by the Bali Provincial Government). The phishing site balidigital.travel is one of the 50+ lookalike domains that have appeared since the variant launched alongside the levy. The Indonesian Ministry of Tourism and the Bali Provincial Government issued advisories in March 2024; the Bali Provincial Police anti-phishing division has flagged 50+ domains for takedown but new ones appear faster than the takedowns process.
You enter your card details on balidigital.travel. The site charges 12 USD (slightly more than the official 10 USD; the markup is one of the variant's tells). You receive a "confirmation" email with what looks like an official receipt; the QR code on the receipt is non-functional. Your trip arrives; at DPS airport, the official Bali Tourist Levy counter does not recognize the receipt. You pay the 150,000 IDR again at the airport (this time at the official counter). Total cost: 12 USD + 10 USD = 22 USD instead of 10 USD. Your card details, however, are now in the phishing operator's database; over the next 4-12 weeks, fraudulent charges of 50-200 USD typically appear on the card before the issuer flags the pattern.
The variant has been documented continuously since the levy launched. The phishing operators register new domains weekly with patterns like balipay.travel, lovebali-pay.com, bali-tourist-levy.id, balidigital-pay.com. The Bali Provincial Government's official Twitter/X account (@bali.gov.id) regularly posts the official URL: lovebali.bali.id. Defense: bookmark the official portal before searching; never click the first Google ad result for tourist tax payments.
You take ninety seconds to think. You file a chargeback claim with your card issuer for the 12 USD on balidigital.travel as "merchant misrepresentation". You set the daily limit on the affected card to 50 USD via the issuer app. You change the card the next time you're home (the issuer issues a new number). Total fraud loss capped at 12 USD plus the airport-tax double-pay 10 USD = 22 USD; could have been 200-500 USD if the card had not been frozen quickly.
That is the canonical pre-arrival lookalike payment portal variant of the bogus-tourist-tax family. The rest of this page is the four-mechanic playbook, the four other places where it runs in different forms (Italy hotel double-charge, Phnom Penh airport, Venice gates, Barcelona hotel), and the verify-the-domain rule that defeats every variant.
Read the full Bali scam guide โKey Takeaways
The verify-the-domain rule
Bogus tourist tax depends on you accepting the official-looking payment portal at face value. Real national tourism authorities and city governments publish their tax-collection portals on .gov, .bali.id, or established subdomains; the lookalike-phishing operators register similar-but-not-identical domains within weeks of any new tourist tax launch. The defensive routine is one five-second check: verify the official domain on the tourism authority site. The play falls apart instantly because the lookalike domain is never on the official list.
- Verify the official tourist tax domain before paying online. Bali Tourist Levy: lovebali.bali.id. Italian imposta di soggiorno: paid at hotel checkout. Venice city-entry tax: cda.ve.it. Phishing sites use lookalike domains. Verify the domain on the official tourism authority site before entering card details.
- Refuse hotel double-charge for tourist tax. Italian imposta di soggiorno is paid once at checkout, capped at 3-7 EUR per person per night. Some hotels add the tax twice. Refuse the second charge: "L'imposta e gia inclusa nel preventivo della prenotazione."
- Reject "airport exit tax" cash demands. Most countries that have an exit tax include it in the airline ticket. If a "customs officer" demands cash, verify with the airline counter before paying. Real exit taxes are receipted.
- Verify city-entry tax on the city's official site. Venice introduced a 5 EUR city-entry tax in April 2024 paid only at cda.ve.it. Fake "municipal staff" near gates demand cash; the real tax is paid online before arrival.
- Use a virtual or low-limit card for any online tourist tax payment. Privacy.com, Capital One Eno, Chase virtual cards limit exposure. If the portal turns out to be phishing, the virtual card limits the loss to the single small payment.
The four mechanics
Different geographies and tax types lean on different mechanics within the same family. Here are the four sub-variants documented globally. Each has a recognition tell, a primary geography, and the routine step that defeats it.
1. Pre-Arrival Lookalike Payment Portal
The most-documented 2024-2026 variant. When a country or city introduces a new tourist tax that requires online payment, phishing operators register lookalike domains within weeks. The Bali Tourist Levy generated 50+ documented phishing domains within 6 months. The fake portals use official logos and color schemes, accept card details, produce a "confirmation" that cannot be verified at the destination.
Defense: verify the official domain on the destination's tourism authority site; bookmark the official URL. Most reported in: Bali Tourist Levy lookalikes (balidigital.travel, lovebali-pay.com); Venice Contributo di Accesso lookalikes (post-April 2024); Bhutan tourist fee lookalikes; emerging EU touristic-zone digital tax portals.
2. Hotel Double-Charge
Italian imposta di soggiorno is paid once at hotel checkout, capped at 3-7 EUR per person per night depending on city. Some hotels add the tax twice (once on the original booking, once on the checkout receipt). Same pattern with Spanish IGIC tourist tax in Mallorca / Tenerife / Ibiza, French taxe de sejour in Paris / Nice, Amsterdam toeristenbelasting, and Manchester / Edinburgh visitor levy.
Defense: review the receipt at checkout for any duplicate tourist-tax line. Most reported in: Italian 3-star hotels in Rome, Florence, Venice, Milan, Naples; Spanish 3-star and below in Mallorca, Tenerife, Ibiza; Paris budget hotels; Amsterdam mid-tier hotels; UK Manchester / Edinburgh post-2024 visitor levy.
3. Fake Airport Exit Tax
Most countries that have an exit tax include it in the airline ticket price; the tourist does not pay separately at the airport. The variant runs as: a "customs officer" or airport staff at departure demands 25-50 USD cash citing 'exit tax', 'departure tax', or 'tourist tax'. Real exit taxes are receipted with official letterhead; cash-on-the-spot is the variant.
Defense: verify with the airline counter; demand a printed receipt with official letterhead. Most reported in: Phnom Penh PNH airport historically (Cambodia exit tax officially abolished 2018 but informal demands persist), Sharm el Sheikh SSH for Russian/CIS tourists; some Lome and Conakry West African airports; rare in Latin America.
4. Fake City-Entry Tourist Tax
Venice introduced the Contributo di Accesso (city-entry tax) in April 2024: 5 EUR per day for day-trippers. The official portal is cda.ve.it. The variant runs as: fake "tourist police" or "municipal staff" near Santa Lucia train station, vaporetto stops, or Piazzale Roma demand cash for entry. The real Venice tax is paid online before arrival; no one collects cash at the gates.
Defense: pay via cda.ve.it before arrival; refuse all cash demands at gates. Most reported in: Venice Santa Lucia train station exit, Piazzale Roma bus station, ACTV vaporetto stops; same pattern emerging at other cities introducing entry taxes (potential at Bhutan, parts of Spain, Bruges).
Where it runs
Bogus tourist tax concentrates at destinations with newly-introduced or actively-publicized tourist taxes (Bali, Venice, Rome) and at airports with informal cash-collection cultures. The eight countries below cover the bulk of global tourist exposure.
| Country | Documented variants | Iconic location pattern |
|---|---|---|
| ๐ฎ๐ฉ Indonesia | 4 | Bali Tourist Levy phishing sites (50+ documented domains since Feb 2024); airport tax confirmation issues at DPS |
| ๐ฎ๐น Italy | 4 | imposta di soggiorno hotel double-charge in Rome / Florence / Venice / Milan / Naples; Venice city-entry cash demand |
| ๐ช๐ธ Spain | 2 | IGIC tourist tax double-charge in Mallorca, Tenerife, Ibiza hotels; Catalan touristic surcharge variants |
| ๐ซ๐ท France | 2 | taxe de sejour double-charge in Paris, Nice; Provence touristic-zone surcharges |
| ๐ฐ๐ญ Cambodia · ๐ช๐ฌ Egypt | 2 | Phnom Penh airport informal exit-tax cash demand; Sharm el Sheikh airport informal departure tax |
| ๐ณ๐ฑ Netherlands | 1 | Amsterdam toeristenbelasting hotel double-charge variant |
| ๐ฌ๐ง United Kingdom | 1 | Manchester / Edinburgh visitor levy (post-2024) hotel double-charge |
| ๐ฌ๐ท Greece | 1 | Climate-resilience tourist tax double-charge at Athens / Mykonos / Santorini hotels |
Bar width is data-bound at 35 pixels per documented variant. Indonesia (Bali phishing) and Italy (imposta di soggiorno + Venice entry) together account for 50% of global exposure, reflecting how recently both jurisdictions launched or expanded tourist tax collection.
Four more places, four more tax-scam mechanics
The Bali Tourist Levy phishing scene above showed the most-documented 2024-2026 variant. Here are four more places where different sub-variants dominate. Each links to the full city scam guide.
You stay 4 nights at a 3-star hotel near Termini in Rome at 95 EUR per night via Booking.com. The Booking.com confirmation email lists "Total: 380 EUR (includes 56 EUR imposta di soggiorno: 7 EUR per person per night ร 2 persons ร 4 nights)." On checkout, the front-desk receipt shows: "Stay: 380 EUR. Tourist tax: 56 EUR additional." The hotel has billed the imposta di soggiorno twice. You point it out to the clerk: "L'imposta di soggiorno e gia inclusa nel preventivo della prenotazione su Booking.com." (The tourist tax is already included in the Booking.com quote.) The clerk apologizes โ claims it was a "system error" โ and removes the duplicate 56 EUR. The Italian Polizia Annonaria via the Comune di Roma accepts complaints about hotel tourist-tax double-charges; the variant is documented at 3-star and below across Rome, Florence, Venice, Milan, Naples. Federconsumatori publishes annual hotel-bill audits flagging the pattern. Defense: review the checkout receipt against the original booking quote. The duplicate is removable on the spot when challenged; if the hotel refuses, file a credit-card chargeback.
Read the full Rome scam guide โ
You arrive at Venice Santa Lucia train station at 11am on a Saturday in May 2024. As you exit toward the Grand Canal, a man in a high-vis orange vest with "VENEZIA" printed in white block letters approaches: "Sir, the city-entry tax is 5 euros per person, in cash, to enter Venice." The real Venice Contributo di Accesso (city-entry tax) launched April 2024: 5 EUR per day for day-trippers, paid online via cda.ve.it before arrival, with QR-code confirmation enforced at the station perimeter by official Comune di Venezia staff (uniformed, with photo ID). The man in the orange vest is not Comune staff; the official badges are blue-and-gold with a winged-lion crest, and the official enforcement points are inside the station near the cash machines, not on the canal-side. You verify on cda.ve.it via your phone (you'd already paid online before arrival; QR code on phone). You walk past the man without paying. The Venezia Polizia Municipale accepts walk-in reports at the station office; the variant has been documented since the entry tax launched. Defense: pay the Venice entry tax via cda.ve.it before arrival; the QR code on your phone is the only valid proof. Refuse all cash demands at gates regardless of vest or signage.
Read the full Venice scam guide โ
You stay 5 nights at a 3-star hotel in Barcelona Eixample at 120 EUR per night booked via Hotels.com. The booking summary shows "Total: 600 EUR + 22.50 EUR Catalan tourist tax (2.25 EUR/person/night ร 2 ร 5)." At checkout, the front-desk receipt shows: "Stay: 600 EUR. Tourist tax: 22.50 EUR." Then a third line: "Tourist tax adjustment: 22.50 EUR." Total: 645 EUR. The clerk explains the second tourist-tax line as "the city's new digital surcharge"; in reality, the Catalan tourist tax is the same 2.25 EUR/person/night charge already on the booking. You point it out: "El IGIC ya esta incluido en la reserva; este segundo cargo es duplicado." The clerk removes the second 22.50 EUR. The Mossos d'Esquadra Tourist Help line +34 932 903 000 (24/7, English) accepts complaints; the Direccion General de Consumo Cataluna publishes quarterly hotel-bill audit summaries. The variant is most-documented at 3-star and below; 4-star and above hotels have stronger billing oversight. Defense: review the checkout receipt against the original booking; the duplicate is removable on the spot when challenged. Spain's IGIC tourist tax is paid once per stay regardless of how many nights.
Read the full Barcelona scam guide โ
You depart Phnom Penh International Airport (PNH) at 8:30pm on a Tuesday after a week in Siem Reap and the capital. You pass through immigration at the international departures gate. As you approach the gate, a man in a tan uniform with a "Cambodia Customs" patch demands "exit tax, 25 dollars per person, cash only, very fast." Cambodia officially abolished the airport exit tax in 2018 (the previous fee was 25 USD, included in the airline ticket since 2018). Informal cash demands have continued at PNH since then, particularly targeting Western tourists at evening departure times. You ask: "Can I see the official receipt with the Cambodia Customs letterhead?" The man hesitates, says "the receipt is at the desk inside, very fast, give me the cash now." You walk past him to the airline counter; the airline rep confirms no exit tax is due. You complete boarding without paying. The Cambodia Tourist Police 097 778 0002 accepts complaints; the Royal Government Civil Aviation Authority has issued statements clarifying no exit tax exists. Defense: verify with the airline counter before paying any cash demand at any airport claiming "exit tax". Real exit taxes are receipted with official letterhead and ticket-included on most airlines; cash-on-the-spot is always the variant.
Read the full Phnom Penh scam guide โRed flags
If two or more of these signals fire when you're paying a tourist tax, route around the encounter. The compounding rule: a single signal might be a coincidence; two signals are a script.
- The tourist-tax payment site appears as a sponsored Google Ad result
- The site domain is similar to but not identical to the official tourism authority domain
- The price is slightly higher than the official tourist tax (markup as a tell)
- The site asks for full card details for a sub-15-USD payment
- The hotel checkout receipt shows two tourist-tax line items
- The hotel clerk calls the duplicate a "city's new digital surcharge"
- An "airport customs officer" demands cash exit tax without printed receipt
- The exit-tax demand is at evening / night departure with reduced staffing
- A "municipal staff" near a city gate demands cash for city-entry tax
- The high-vis vest or uniform does not match the city's official colors / crest
The phrases that shut it down
Refusing the bogus tax works when you signal you have already paid the official portal. The phrase pattern is the same in every language: I already paid online.
If you got hit
You paid 12 USD on a Bali Tourist Levy lookalike site, or your Rome hotel double-charged the imposta di soggiorno, or you handed 25 USD cash to a fake customs officer at PNH. Bogus tourist tax losses are partially recoverable through credit-card chargeback when paid by card; cash payments are rarely recoverable. The actionable response is preventive for the next encounter, plus card-fraud protection for the lookalike-portal variant (the card details captured by the phishing site are typically used 4-12 weeks later for unrelated fraud).
Within 24 hours: file a credit-card chargeback claim if any portion was paid by card. The grounds: "merchant misrepresentation" or "service not as described". Visa and Mastercard chargeback windows are 60-120 days; submit the email confirmation, the website screenshot, and a description of how the site was misrepresented. Success rate is high for the lookalike-portal variant when documentation is clear.
Within 48 hours (lookalike portal variant): freeze and replace the card. The phishing operators sell card details on the dark web; fraud charges typically appear 4-12 weeks later. Visa and Mastercard chargeback covers up to 60-120 days, but the longer the card is active the more likely an additional charge appears. Most US issuers reissue cards within 24-48 hours.
Within 7 days: file a complaint with the country's tourism authority and consumer-protection authority. Indonesia: Ministry of Tourism via lovebali.bali.id complaint form. Italy: Polizia Annonaria via Comune. Spain: Direccion General de Consumo. France: DGCCRF. The complaints help authorities track lookalike-domain registration and update advisories.
- Bali Tourist Levy: lovebali.bali.id contact form; Bali Provincial Government complaints; Indonesian Ministry of Tourism.
- Italy hotels: Polizia Annonaria via Comune; Federconsumatori for hotel-bill complaints.
- Spain hotels: Direccion General de Consumo; OCU (Organizacion de Consumidores y Usuarios).
- France hotels: DGCCRF (signalconso.gouv.fr); UFC-Que Choisir.
- Venice city-entry tax: Comune di Venezia Polizia Municipale at Santa Lucia office.
- Phnom Penh airport: Cambodia Tourist Police 097 778 0002; Royal Government Civil Aviation Authority.
- Visa Global: +1 303 967 1090 (collect from anywhere); chargeback claims via card issuer.
- Mastercard Global: +1 636 722 7111; chargeback claims via card issuer.
Recovery rates: lookalike-portal chargeback 60-80% with documentation; hotel double-charge usually fixed on the spot at 95%; cash exit-tax 0% recoverable. The actionable response is preventive: verify the official domain; review hotel receipts; refuse cash exit-tax demands; pay city-entry taxes only via the official online portal.
Related atlas entries
Sister entries in the Scam Atlas. Bogus tourist tax sits in the Money section alongside DCC and ATM Skimming; the lookalike-portal variant overlaps with QR Code Quishing as a phishing-flavored entry.
Sources
- Bali Provincial Government (bali.gov.id), Bali Tourist Levy launch advisory and lookalike-domain warnings (Indonesia, Feb 2024-ongoing).
- Indonesian Ministry of Tourism, Bali Tourist Levy phishing-domain reports (Indonesia, ongoing).
- Comune di Venezia, Contributo di Accesso (city-entry tax) launch advisory (Italy, April 2024-ongoing).
- Polizia Annonaria via Comune di Roma / Firenze, imposta di soggiorno hotel-bill enforcement (Italy, ongoing).
- Federconsumatori, annual hotel-bill audit reports flagging double-charge variant (Italy, multi-year).
- DGCCRF France, taxe de sejour hotel double-charge complaints (France, ongoing).
- Direccion General de Consumo Cataluna, IGIC double-charge enforcement (Spain, ongoing).
- Cambodia Royal Government Civil Aviation Authority, exit-tax abolition statement (Cambodia, 2018-ongoing).
- The Jakarta Post, Bali Discovery, Bali Tourist Levy phishing investigative coverage (2024-2025).
- r/travel, r/bali, r/Italy, r/spain, r/Cambodia continuing thread monitoring 2018-2026.
Get the full tourist-tax-bogus-levy playbook for your destination.
Each Travel Safety atlas covers every documented tax, levy, and money scam in one country, plus the country's full scam catalog: pickpocket, taxi, ATM, restaurant, fake authority. Buy once, lifetime updates as scams evolve. $4.99 on Kindle.
