Take a scam that's been making the rounds in hotels for years. The phone in your room rings at two or three in the morning. The voice on the line says it's the front desk, and that there's a problem with the credit card you used at check-in. They want you to read the number back to confirm it. People do, because they're half-asleep and the call sounds plausible enough. The card details get used somewhere else within hours.
That scam used to be rare because pulling it off needed someone with decent English, a quiet room, and time to dial through hotels one room at a time. Now those barriers are handled by automation, and the voice on the call doesn't even need to belong to a real person. The same applies to fake booking sites, fake airline call centres, fake visa portals, and a handful of other scams that have been around for a while and are suddenly much more polished.
Below are the scams getting the most reports in 2026, with what actually works against them.
Cloned booking sites
You search for a hotel and click on what looks like a real result, maybe something that resembles Airbnb, Booking.com, or a hotel chain. The fonts match, the photos look right, the reviews are there. You book. When you arrive, the address turns out to be wrong, or there's nobody expecting you, or the homeowner is confused about who you are.
These sites used to be easy to spot because of the bad English and obviously stolen images. AI has mostly removed those tells. Today's clones have polished copy, hundreds of plausible-looking reviews, and URLs that are close enough to fool a tired person on a phone screen. Things like Airbnbb dot com, with the extra b. Or Booking-com dot help, which is a different domain from Booking dot com.
The two best defences are simple. Type the URL into your browser yourself rather than clicking through a search ad, and book through the actual app of whatever company you're using. Apps are much harder to fake than a search result.
Fake airline call centres
Your flight gets cancelled, so you Google the airline's customer service number and call the first result. Someone picks up quickly, offers to rebook you, and asks for a small fee that they need to take on the card right now.
In a lot of those cases, the number you've called isn't the airline's. It's a call centre that paid to rank near the top of the search results, and they will charge your card without doing any rebooking. The airline never sees the transaction.
The simplest fix is to install the airline's app before you travel. The phone numbers and chat options inside the app actually go to the airline. Numbers from a Google search increasingly do not.
Travel rewards phishing
You get an email that looks like it's from a major airline or hotel chain. There's an offer in it, and to claim the offer you have to log in to your account. The link takes you to a fake login page that captures whatever you type.
This category has gotten worse because scammers are buying breached data, so the email might use your real name and reference an actual recent trip. AI handles the writing, which means the days of obvious typos and weird phrasing are mostly over.
Travel rewards accounts are worth more than people assume. Hotel points and airline miles get sold like cash on shady marketplaces, and most people don't notice the theft for months because they don't log in often.
The advice here is straightforward. Don't click links in promotional emails, even when they look right. If there's a real offer, it'll show up in your account when you log in directly through the app or by typing the URL yourself.
Bait and switch checkouts
You find a flight at a price that seems good and enter your card details. The site throws an error and asks you to re-enter them. You do, and the booking goes through, but at a slightly higher price. A few days later, your bank shows two charges, and the first one never produced a reservation.
A growing number of low-rent booking sites use pricing engines that show one rate during search and a different one at checkout. Some of them process card details before any reservation is created. When you complain, you get a chatbot that loops you in circles, and the refund policies are written to make sure you don't actually get a refund.
The warning signs are: a price that changes between the search page and the payment screen, a checkout that errors out and asks you to re-enter your card, and customer service that's only available through chat. If you see any of those, walk away from the booking. There are too many decent places to book to risk it on a sketchy one.
Fake government visa portals
Every time a country launches a new visa or arrival system, scam sites pop up that look like the real government portal. India's E-Arrival Card requirement started on April 1, and within a few weeks there were dozens of sites charging "processing fees" of forty or eighty dollars while collecting passport data wholesale. The same thing has happened with the UK's ETA, the US ESTA, and pretty much every new system in recent years.
If you need a visa, an arrival card, or any kind of travel authorisation, find the link from a government source. Your home country's foreign office usually links through to the real portal. Look for official domain endings like dot gov, dot gov dot uk, gov dot in, and so on. Avoid clicking ads, especially in the first few weeks after a new system launches, when scam sites tend to outrank the legitimate ones.
What actually helps
Protection comes down to a handful of habits.
Book through the app. Hotel chains, airlines, cruise lines, and major booking platforms all have apps. Use them for searches, bookings, and customer service. They're much harder to clone than search results.
Slow down at the payment screen. A lot of AI-powered scams work because they push you to act fast: limited-time offers, only one room left, the card "didn't go through, try again." If you feel rushed at checkout, that's a signal to close the tab and come back to it later.
Pay with a credit card. Credit cards have meaningful fraud protection in most countries. Debit cards have less, and wire transfers, gift cards, and crypto have basically none. If a seller insists on one of those, treat it as a serious warning sign.
Check the URL bar. A domain like Airbnbb dot com or Booking-help dot com isn't going to be the real Airbnb or Booking site, and the clones rely on people not looking. Phone screens make this harder, so zoom in or turn the screen sideways if something feels off.
Turn on instant card alerts. Most banks let you set this up. You'll get a text every time a charge hits, which is noisy but useful, because the faster you spot a fraudulent charge the better your chance of getting it reversed.
Be suspicious of the cheapest option. Travel-fraud reporters say this constantly. If most sites are showing four hundred dollars for a flight and one site shows two hundred, the cheap one is usually a problem rather than a deal.
The old advice about spotting scams (look for typos, ugly websites, weird phrasing) doesn't really apply any more, because AI has cleaned that up. What gives modern travel scams away is structural: pressure to act fast, payment methods without fraud protection, customer service you can't escalate to a real person, prices that change between pages, and links you didn't ask for.
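The URL checks described under "Cloned booking sites" and "Check the URL bar" can be automated. The Python below is an added example, not part of the original article: it extracts the registrable domain of a hostname and flags names that sit one edit away from a trusted brand or tuck the brand into a different domain. The allowlist, suffix set and sample hostnames are constructed for illustration, and the check goes slightly beyond the article's examples by also catching a brand placed in a subdomain.

```python
import re

# Constructed for this example: a short allowlist and suffix set. A production
# check would load the full Public Suffix List and the brands you actually use.
TRUSTED = ("airbnb.com", "booking.com")
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "gov.in", "com.au"}


def registrable_domain(host):
    """Return the part of the hostname that someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return ("trusted", reg)
    # Split on dots and hyphens so a brand name tucked into a subdomain or a
    # hyphenated label is compared on its own.
    tokens = re.split(r"[.-]", host.lower().rstrip("."))
    for good in TRUSTED:
        brand = good.split(".")[0]
        if any(edit_distance(tok, brand) <= 1 for tok in tokens):
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for h in ("www.airbnb.com", "airbnbb.com", "booking-com.help",
              "booking-help.com", "booking.com.pay.example", "hotel.example"):
        print(h, classify(h))
```

An "unknown" verdict only means the name does not resemble anything on the allowlist; it says nothing about whether the site is legitimate.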