AI Is Rewriting the Travel Scam Playbook — Here Is What Merchants Need to Know
Mark Kalinowski’s father got a call out of the blue. The caller congratulated him on winning a free trip to Florida. All he needed to do was pay a $200 holding fee. He handed over his credit card number. The trip never existed.
That was more than a decade ago. Since then, the stream of travel scams has become a flood — and artificial intelligence has been the accelerant.
Online travel giant Booking.com reported in 2024 that AI had fueled an increase in travel scams of between 500 and 900 percent over the previous 18 months. In one month alone, Flight Centre Canada worked with Google and other search engines to take down more than 200 fraudulent listings on impostor websites. The scams are growing faster than platforms can take them down.
How the Scams Work
Fraudulent websites routinely copy photos and descriptions from legitimate hotel, airline, and cruise line sites to create the impression that customers are booking directly with those companies. Some go further: they replicate loyalty program login pages, send phishing emails that mirror official communications, and set up fake vacation rental listings that look entirely credible.
“If you book from one of these sites, there is no guarantee you will get the room you paid for, and you may not find out until you arrive at the destination — and by that time, your money is likely gone,” Toronto-Dominion Bank warned in a recent advisory to customers.
The pattern is familiar, but the scale is new. AI tools allow scammers to generate convincing websites, emails, and advertisements at a volume that was simply not possible before. The result is an environment where every merchant — airline, hotel, cruise line, or tour operator — must assume that some percentage of their potential customers is being redirected through fraudulent intermediaries.
Loyalty Points: The New Target
Beyond fake bookings, loyalty rewards points have emerged as a primary target. Unlike credit cards, which carry federal fraud protections, loyalty points currently lack equivalent regulatory coverage. When a traveler’s miles are stolen, recovery depends entirely on the program’s own policies.
Linda Roth, a frequent traveler, discovered that nearly 200,000 of her American Airlines AAdvantage miles had been stolen from her account over a single weekend. The stolen miles were used to purchase gift cards. When Roth tried to report it, she faced a common obstacle: American Airlines’ fraud department is not staffed on weekends.
“They will steal your stuff on the weekend when there is no way to report it,” Roth noted.
Clint Henderson of The Points Guy experienced a similar breach. Scammers drained his American Airlines account and used his miles to book rental cars in New York City. American Airlines ultimately valued his stolen 449,500 miles at $13,260. “These things do have value,” Henderson said. “I do not think in this day and age you can have your fraud department only open business hours Monday through Friday. I think that does not work anymore.”
Experts say hackers often scan the dark web for breached usernames and passwords, then use those credentials to access loyalty accounts and transfer points to gift cards or other accounts before the theft is detected.
What This Means for Travel Merchants
For merchants operating in the travel space, the rise in AI-powered scams creates both a customer trust problem and a dispute risk. When customers fall for fraudulent bookings made through third-party sites, they may not realize the booking was not legitimate until they arrive at a property — or until they find a charges on their statement they cannot reconcile.
Friendly fraud is a related concern. A segment of travelers deliberately disputes legitimate charges after consuming the service, a pattern that is particularly prevalent in high-value travel transactions. Under Visa’s 2026 VAMP thresholds, every chargeback moves a merchant’s ratio more than in lower-value e-commerce categories.
Travel merchants face four distinct friendly fraud patterns: service-failure disputes where the traveler was genuinely unhappy, booking-error disputes where the wrong person completed the purchase, “I did not travel” disputes where fulfillment is hard to prove, and high-value single-transaction disputes that disproportionately affect the merchant’s VAMP ratio. Each requires a different evidence strategy, and server-side transaction data alone is often insufficient.
What Merchants Can Do
The most immediate step is educating customers. Remind them to book directly through official websites, to verify bookings with the provider after purchase, and to be wary of deals that look too good to be true. Encouraging customers to enable multifactor authentication on their loyalty accounts — and offering merchants’ own fraud teams 24/7 coverage — reduces the window of opportunity for bad actors.
On the dispute side, travel merchants should invest in browser-layer evidence capture at the time of booking. Device ID, real client IP, and session behavior data create a stronger representment case under CE 3.0 than server-side transaction records alone. For “I did not travel” disputes, check-in confirmation data — boarding pass scans, hotel key-card issue logs — combined with booking-session evidence can be decisive.
The threat landscape is evolving rapidly. Merchants that treat fraud prevention as a static, set-it-and-forget-it function will find themselves falling behind. Those that build dynamic defenses, communicate actively with customers about verified booking channels, and maintain complete evidence chains at every touchpoint will be better positioned to protect their revenue and their reputation.
The scammers are using AI. The merchants that fight back need to do the same.
Sources: BNN Bloomberg (May 7, 2026); KCRA 3 / The Points Guy (May 5, 2026); cside.com (May 6, 2026).
