in this case
- Randy and Becki Rupp, a retired federal law enforcement agent and travel coach, received a convincing WhatsApp message that appeared to be from their Bolzano hotel, complete with specific booking details and flawless writing, requesting they re-enter credit card information through a link.
- Only a technical glitch — a landing page that wouldn’t load — saved them from the scam, prompting Becki to contact the hotel directly through the official website, where staff confirmed there was no problem with their reservation.
- The near-miss illustrates how AI has made travel scams nearly impossible to detect, with McAfee reporting a 900 percent surge in AI travel scams and one in five Americans getting scammed while booking travel, with losses ranging from $500 to over $1,000.
Randy Rupp thought he’d seen it all. A retired federal law enforcement agent with years of experience spotting fraud, he and his wife, Becki, were planning a hiking trip to Italy’s Dolomites. They’d booked their hotel in Bolzano months earlier through an online travel agency.
Then came the WhatsApp message that nearly got them. The message appeared to come from hotel staff and included specific details about their booking.
“It was very well written,” says Becki Rupp, a travel coach who’s helped countless clients navigate travel logistics. The scammer requested they re-enter their credit card information through a provided link.
Fortunately, a technical glitch saved them from getting ensnared.
“The landing page for the confirmation wasn’t working,” she remembers. That technical hiccup prompted her to contact the hotel directly through its official website. And, as it turns out, there was no problem with their reservation.
A new age of travel fraud
The Rupps’ close call illustrates a disturbing trend: AI is making travel scams nearly impossible to detect.
Traditional red flags like poor grammar and obvious spelling mistakes have vanished, thanks to ChatGPT and Gemini. Today’s AI-powered scams feature flawless language, authentic-looking websites, and sophisticated social engineering that can fool even the most experienced travelers.
“Travel scams have proliferated with AI,” says Cayce Myers, a communication professor at Virginia Tech. “Scams play on urgency because people don’t have time to think and reflect on whether this is a genuine interaction or something that is manufactured through AI.”
The numbers are staggering. McAfee reports a 900 percent surge in AI travel scams in the last year, with one in five Americans getting scammed while booking travel. Of those who lost money, 13 percent reportedly lost over $500, and 5 percent lost more than $1,000.
“The landing page for the confirmation wasn’t working.” Actually, information entered on a web page can be transmitted before you click submit, send, or save. Since 1995 and the introduction of JavaScript, your browser can send information back to the server at any time. Possibly even character by character as you type.
Just opening a web page can send some information about you. Like confirmation that you received an email. This is because a link can contain data that is unique to you.
By the way, none of these behaviors are inherently evil, and in fact such technology can be quite beneficial when not misused.
But, in the end, little has changed just because of the Internet. Remember the scene in the Roman rental car office in the film “European Vacation,” where the robbers have tied up the real agent and pretend to be him. Fraud, deceit, and misrepresentation are as old as the Bible.
Read more insightful reader feedback. See all comments.
How AI supercharges travel scams
How are scammers using AI to deceive you? This list is long.
Deepfake voice calls
Scammers now clone voices to impersonate airline representatives, hotel staff, or even travel companions in distress. These calls often include real booking details stolen from data breaches.
“But the rhythm or timing of the voice is usually off a little, or sounds a little too perfect,” says Mike Engelhart, chief technology officer at iSeatz.
AI-generated phishing
Gone are the days of obvious phishing emails. AI now crafts messages with perfect grammar and authentic branding that mimic legitimate travel confirmations.
“AI technology can create messages that look very legitimate, without the errors you would normally expect,” says Edward Tian, CEO of GPTZero.
Fake booking sites
AI generates entire travel websites complete with stolen photos, fabricated reviews, and cloned interfaces of legitimate platforms like Airbnb or Booking.com.
AI-manufactured reviews and content
Fraudsters use AI to generate fake travel reviews or create social media personas offering discounted trips. Travel pictures and videos generated and edited using AI are used to lure people into paying for travel packages or tours that don’t exist.
These red flags still work
Despite AI’s sophistication, experts say certain warning signs remain reliable.
- Payment methods. Legitimate businesses don’t request payment via cryptocurrency, wire transfers, gift cards, or peer-to-peer apps like Venmo or Zelle.
- URL irregularities. Look for slight misspellings like “Booklng.com” instead of “Booking.com” or unusual domains ending in “.xyz” instead of “.com.”
- Contact verification issues. If a “customer service” representative can’t verify basic booking details they should have access to, it’s likely a scam.
“Genuine providers can always confirm a booking reference, ticket number, and previously stored payment method without asking the customer to supply them,” says Nic Adams, co-founder of 0rcus.
But perhaps the biggest giveaway has to do with timing.
“Urgency is often a major red flag,” says Zoey Jiang, who teaches business technology at Carnegie Mellon University. “Beware of listings pressuring you with claims like ‘Only 1 left at this price!'”
What to do if you’re caught
If you suspect you’re stuck in an AI scam, stop all communication immediately.
- Contact your bank or credit card company. Ask it to freeze your accounts and dispute any credit card charges immediately.
- Verify your booking independently. “Use an official airline website and the published phone numbers. Do not use a link from an email message — it might be a fake.
- Report the scam. Let the Federal Trade Commission and the FBI’s Internet Crime Complaint Center know about it. To recover your money you may have to file a report as part of your dispute.
- Reset your passwords. Enable two-factor authentication on all accounts.
- Document everything. Save screenshots, emails, and call logs. You may need them later.
“The faster you act, the better your chances of stopping any payments or reversing the charges,” advises Anusha Parisutham, the senior director of product at the AI company Feedzai.
Is there a fix to stop the AI scams?
Travel companies are fighting back with technology. They’re using tools like biometric verification — using face scans to prevent deepfake impersonation. They’re also implementing better cryptographic email signing to verify authentic communications and deploying AI scam detections to identify synthetic content.
“The same tools being used to deceive can also be used to protect,” notes Engelhart of iSeatz. “But it takes cross-platform collaboration and design choices that prioritize clarity over speed.”
Perhaps the most insidious aspect of AI travel scams is how they exploit our trust in technology. Travelers often assume that sophisticated, well-designed communications must be legitimate.
“Scammers count on silence and shame to keep their efforts going,” says Petros Efstathopoulos, vice president of research and development at RSAC, a cybersecurity conference. “By reporting the fraud and speaking out, you help protect others.”
The Rupps’ experience offers an important lesson: Even cybersecurity professionals and experienced travelers aren’t immune. The key is maintaining healthy skepticism in an age when perfect presentation no longer guarantees authenticity.
In a world where AI can clone voices, forge emails, and create entire fake travel experiences in minutes, the most powerful defense remains the most human one: pause and verify, and trusting your instincts when something feels off.
Otherwise, you might need a glitchy website to save your vacation.
Your voice matters
AI has created a new era of travel scams featuring flawless writing, authentic-looking websites, and deepfake voice calls that can fool even experienced travelers. McAfee reports a 900 percent surge in AI travel scams, with one in five Americans getting scammed while booking travel.
- Should travel companies be legally required to implement AI detection systems to protect customers from sophisticated scams that impersonate their brands?
- Have you or someone you know been targeted by a travel scam that used convincing language, real booking details, or urgent requests for payment or personal information?
- Do you think you could spot an AI-generated travel scam, or have they become too sophisticated to detect without technical help?
What you’re saying
Readers shared their own near-misses with sophisticated AI scams — from WhatsApp messages with exact booking details to flawless phishing emails — revealing that even scam experts can be fooled. The conversation centered on one hard truth: when AI eliminates traditional red flags, “pause and verify” becomes the only reliable defense.
-
Even experts are getting caught
LeeAnneClark, a longtime scam watcher who teaches others to recognize fraud, nearly fell for an Airbnb scam with her exact name, booking ID, and condo details sent via WhatsApp. She actually entered her credit card before the website locked up, making her realize it was fake. She suspects a security breach at the property management company since they’d heard of it happening to other clients, but neither Airbnb nor the company would take responsibility. AJPeabody caught a phishing scam when his password manager couldn’t find credentials for the fake login page, then noticed the email provider had supposedly “moved to Bulgaria.”
-
The old rules still apply — never trust the link
David Kingsley argued that nothing has fundamentally changed: never give information to someone who calls you, never click links in emails, and always call companies at numbers you already have — not from Google searches. He even tells his own bank that their cold calls violate their own security protocols and refuses to engage. Jennifer is adding “independent verification” to her pre-trip checklist, ignoring links entirely and calling official numbers herself. LonnieC noted the irony that we’re going back to person-to-person contact for security, though Ed Sackley pointed out that accessing real humans is nearly impossible unless you’re an elite customer.
-
Technology is both the weapon and the shield
Berkinet explained that data can be transmitted from web pages before you click submit — since 1995, JavaScript has allowed browsers to send information character by character as you type. But he noted that none of these behaviors are inherently evil and can be beneficial when not misused, reminding readers that fraud is “as old as the Bible” with a reference to the “European Vacation” rental car scam scene. The Brown Crusader called the 900 percent surge in AI scams deeply concerning, noting that when ChatGPT and Gemini eliminate poor grammar and syntax, “pause and verify” becomes the only reliable security protocol against flawlessly manufactured interactions.
