Posted in Fraud & Risk

The Scam Surge: How AI Is Reshaping Travel Fraud and What Operators Can Do About It

Posted on
by Editor

The Scam Surge: How AI Is Reshaping Travel Fraud and What Operators Can Do About It

Travel merchants and hospitality operators are facing a new reality. AI-powered scams targeting travelers have surged dramatically, and the volume of fraudulent activity shows no signs of slowing. The Booking.com data breach in April 2026 only underscored how much personal booking data is now in criminal hands, creating a more sophisticated threat environment than the industry has encountered before.

Reservation Hijacking: A New Layer of Risk

The mechanics of travel fraud have evolved. The most concerning new vector is what security researchers call reservation hijacking. Scammers use stolen booking data — names, dates, phone numbers, email addresses — to impersonate hotels, airlines, or rental companies. They call or email travelers with urgent requests for payment, using exact knowledge of the reservation to sound completely legitimate.

A recent WIRED report detailed how these scams work in practice. Fraudsters target employees at hospitality companies to gain system access, or exploit wider data breaches like the one that exposed Booking.com customer information in April 2026. With reservation details in hand, they contact travelers directly, often requesting bank transfers or credit card details “to secure” or “upgrade” bookings.

The Booking.com breach did not expose financial information, but the combination of personal and booking data is enough to run highly convincing schemes. Affected customers have been notified, but the incident illustrates how much damage can be done even without payment card numbers.

The Scale of the Problem

Booking.com disclosed in 2024 that AI had fueled an increase in travel scams of between 500 and 900 percent over the preceding 18 months. The company said the tools had significantly expanded the range of fraudulent approaches available to criminals.

In Canada, the Association of Canadian Travel Agencies and Travel Advisors warned that scams now span phishing emails, fake vacation listings, and loyalty point hacks. Flight Centre Canada reported working with Google and other search engines to remove more than 200 fraudulent listings on impostor websites in a single month.

Mark Kalinowski, a financial educator at the Credit Counselling Society, described how even sophisticated travelers fall victim. “Someone called and said, ‘Hey, good news, you won a trip to Florida. It’s all paid for. Just pay that $200 upfront holding fee,'” he recalled. His father’s experience is now representative of a broader pattern.

Operators who process bookings through third-party platforms face particular exposure. Fraudulent websites frequently scrape photos and details from legitimate hotel, airline, and cruise sites to create convincing facsimiles. Travelers who book through these lookalike sites may arrive at destinations to find no reservation, or worse, have payment details harvested for future fraud.

What Merchants and Operators Need to Watch

The fraud environment has shifted in ways that demand active attention from operators at every level. Three patterns stand out as particularly relevant for travel merchants.

First, payment fraud tied to reservation data is becoming more common. Criminals who obtain booking details through breaches or phishing campaigns use that information to construct convincing social engineering attacks. These may target the travelers themselves, or attempt to access merchant systems by impersonating customers with verified reservation data.

Second, friendly fraud remains a persistent challenge in travel. The combination of high transaction values, complex cancellation windows, and multiple intermediaries creates dispute opportunities that some customers exploit deliberately. Chargeback rates in travel consistently exceed most other e-commerce verticals.

Third, AI-generated phishing campaigns are becoming harder to identify. What used to require manual crafting of emails and fake websites can now be automated at scale, with AI generating convincing messages in multiple languages and adapting in real time based on victim responses.

What Operators Can Do

Several steps can meaningfully reduce exposure. Operators should audit their third-party distribution channels and verify that booking platforms in their supply chain maintain current security certifications and fraud detection capabilities. Direct customer communication should include clear guidance on how the company will and will not contact them regarding payments or account changes.

Payment processing should include velocity checks, device fingerprinting, and behavioral anomaly detection that can flag suspicious transactions without blocking legitimate travelers. Machine learning models that adapt to new fraud patterns in real time are more effective than static rule lists, particularly as AI-enabled threats continue to evolve.

Reservations that originate from high-risk channels or exhibit unusual behavior patterns should receive additional verification before confirmation. This creates friction for a small percentage of bookings but significantly reduces the risk of fraudulent transactions slipping through.

The Regulatory Landscape

Regulators are beginning to respond to the surge in travel fraud. New payment security requirements under PSD3 and updated SCA (Strong Customer Authentication) guidance in several markets are pushing operators toward more robust transaction verification. Merchants operating across multiple jurisdictions should monitor evolving requirements, particularly in the European Union and United Kingdom where payment regulation is advancing most quickly.

TheEU’s updated payment services regulation includes specific provisions addressing fraud liability allocation, which may shift some responsibility to payment processors and issuers. Operators who have not reviewed their fraud liability exposure in light of these changes should do so before the new rules take full effect.

A Growing Problem That Demands Better Tools

Travel fraud is not a problem that will resolve on its own. The combination of abundant booking data, sophisticated AI tools, and high transaction values makes the sector an attractive target for criminal operations. Operators who rely on outdated fraud detection or manual review processes are taking on unacceptable risk.

The path forward requires layered defenses: better verification at booking, smarter payment processing, clear customer communication, and ongoing monitoring for new attack vectors. Merchants who invest in these capabilities now will be better positioned as the threat environment continues to intensify.

Sources: WIRED (May 10, 2026); The Canadian Press via Wings Magazine (May 7, 2026); Booking.com breach coverage; Association of Canadian Travel Agencies.

Editor

With decades of combined experience spanning all facets of the travel and merchant processing industries, our editorial team brings unparalleled insight to Travel Merchant News. Our expertise encompasses every angle of the travel sector, from seasoned travelers who have explored the world to travel operators who have built and managed successful tourism businesses. On the merchant processing side, we've worked extensively with payment solutions tailored specifically for the travel space, understanding the unique challenges and opportunities that travel businesses face in payment processing, transaction management, and financial operations. This comprehensive knowledge allows us to deliver content that truly speaks to the needs of travel professionals navigating the complex intersection of travel services and merchant solutions.

You May Also Like

More From Author

Loyalty Points Fraud Is Escalating: What Travel Merchants Need to Know

AI Is Rewriting the Travel Scam Playbook — What Merchants Need to Know

Leave a Reply

Your email address will not be published. Required fields are marked *