Travel scams are everywhere. Here’s how to avoid them

June 4, 2026

Planning a holiday should be exciting and fun, not a cybersecurity risk. But booking flights, hotels, and rental properties often means sharing sensitive personal and financial information across multiple platforms. Combined with frequent travel scams and recurring data breaches in the travel and hospitality sector, that creates plenty of opportunities for criminals.

This guide covers the most common risks when making travel reservations and explains how to avoid them. Save the adventure for your destination.

Travel bookings combine high-value payments with urgency and emotional decision-making. Attackers love that for several reasons:

  • Large upfront payments make scams profitable.
  • Booking confirmations often contain valuable personal data, such as names, travel dates, contact details, and sometimes passport information.
  • Travelers are more likely to act quickly and overlook red flags.
  • Travel and hospitality companies are frequent breach targets due to complex IT environments and third-party integrations.

Recent years have seen repeated breaches involving hotel chains, booking platforms, cruise operators, and airlines, exposing everything from email addresses to passport numbers.

Fake booking websites

Attackers create convincing clones of airline, hotel, and travel booking websites, often promoted through online ads or SEO poisoning (manipulating search engine results). Victims enter payment details, receive fake confirmations, and only discover the fraud later.

Last year we uncovered a campaign using fake Booking.com websites that tricked visitors into infecting their own devices with a Remote Access Trojan (RAT).

Phishing messages about reservation problems

Emails, texts, or messaging app notifications may claim there’s a problem with your booking and urge you to click a link, open an attachment, or call a number. The scammers often impersonate legitimate travel brands and may include real stolen data from previous breaches.

Earlier this year, we wrote about a Booking.com breach that provided scammers with a lot of useful information that could make their messages appear more convincing.

Vacation rental fraud

Scammers post fake listings or hijack legitimate ones on rental platforms. They typically encourage off-platform communication or payments to avoid built-in protections.

In 2024, one of our researchers encountered exactly this type of scam. A supposedly legitimate Airbnb listing in Amsterdam turned out to be fake, and the scammer sent an email claiming to be from TripAdvisor in an attempt to collect payment details.

“Too good to be true” deals

Deep discounts on flights or accommodation are used to lure victims into paying for offers that don’t exist.

If a deal seems unusually generous, look for the catch. Be especially cautious when advertisers claim the offer will end very soon. Creating urgency is one of the oldest tricks in the scammer playbook.



Booking.com impersonation scams

Booking.com has become an increasingly popular brand for scammers to impersonate. According to our—anonymized—Scam Guard data, we’ve recently seen:

  • Fake cashback emails promising a €435 refund that lead to phishing websites
  • In-app messages requesting an additional reservation fee
  • Emails containing PDF attachments that require a “secure viewer,” which turns out to be malware
  • WhatsApp messages claiming credit card details are missing and directing users to phishing sites
  • Text messages linking to fake Booking.com pages and demanding card verification before a deadline

The number of scams impersonating Booking.com has been growing. Since the breach disclosed in April, Scam Guard data shows a 56% increase in Booking.com-related scams compared to the previous period, with weekly volume up consistently across five straight weeks.

How to book travel safely

There are a few simple things that can dramatically reduce your risk:

  • Use secure payment methods. Credit cards offer better fraud protection than debit cards or bank transfers. Never pay anyone asking for payment in cryptocurrencies or gift cards.
  • Stick to trusted platforms. Even though these are not guaranteed to be safe, using them is better than gambling on an unknown platform.
  • Don’t click on sponsored search results. I cannot say this often enough.
  • Verify the existence of the booked accommodation through other channels.
  • Treat requests to move communication or payment to another platform as suspicious.
  • Consider urgent language, unexpected attachments, and mismatched sender domains as red flags.
  • Downloads needed to open an attachment are not to be trusted. These downloads often turn out to be malware. To block and remove malware, use an up-to-date, real-time anti-malware solution.

Pro tip: Malwarebytes Browser Guard will block known phishing websites and can even recognize suspicious websites that are not in our database yet.



About the author

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.