Lorraine Williamson
Travellers booking holidays in Spain are being warned to take extra care this summer, as fake Booking, Airbnb, and Skyscanner-style websites, phishing messages, and WhatsApp hotel scams become more convincing.
Cybersecurity researchers say criminals are using the start of the summer travel season to exploit rushed bookings, last-minute deals and people’s fear of losing a reservation.
The scams range from cloned booking websites that steal payment details to WhatsApp messages that appear to come from a real hotel or apartment after a traveller has already made a genuine reservation.
Why travellers are being targeted
The warning comes as millions of people across the UK, Spain and Europe search for summer accommodation, flights and weekend breaks.
Check Point Research says cyberattacks on the travel, hospitality and recreation sector have risen sharply, with the company reporting a 122% increase over the past three years. In May 2026 alone, researchers detected 47,318 newly registered travel-related domains, up 33% on April and 19% compared with May last year.
The company says one in every 112 of those newly registered travel domains was already classified as malicious or suspicious.
That does not mean every new travel website is dangerous. But it shows how quickly criminals are creating lookalike pages around the exact time people are searching, comparing and paying for holidays.
Fake Booking, Airbnb and Skyscanner-style sites
According to Check Point, researchers found phishing sites imitating major travel brands, including Booking.com, Airbnb and Skyscanner. These sites are designed to look legitimate but are created to steal login details, card information or advance payments.
Hosteltur also reported that fake domains linked to the tourism sector have multiplied this summer, with cloned websites imitating well-known travel platforms and using urgent messages to push people into entering personal or banking details.
Some fake pages copy the appearance of trusted platforms. Others use web addresses that are only slightly different from the real brand, making them easy to miss on a phone screen.
This is why checking the full website address matters, especially before entering card details or logging in.
The WhatsApp hotel scam catching people out
One of the most worrying scams is not aimed at people who have never booked. It targets people who already have a real reservation.
The Cybersecurity Agency of Catalonia has warned that cybercriminals are contacting travellers through WhatsApp, pretending to be tourist accommodation providers. The messages usually refer to real bookings and ask the customer to confirm details through a link.
That is what makes the scam so dangerous. The message may include the correct hotel name, dates or reservation details, making it feel more believable than an ordinary fake email. The aim is to obtain personal or bank details. In some versions, travellers are told their booking may be cancelled if they do not act quickly.
Why the messages feel so convincing
Scammers often rely on urgency. They want people to panic, click and pay before they stop to check. A message may say there is a problem with the booking, that payment has failed, or that the reservation will be cancelled within 24 hours unless the traveller confirms details.
This kind of pressure is a warning sign.
Booking.com has previously said legitimate transactions should not involve customers being asked to share credit card details by phone, email, SMS or WhatsApp. The platform has also warned users to be alert to phishing attempts after a data incident involving certain reservation details earlier this year.
INCIBE, Spain’s National Cybersecurity Institute, said the Booking.com incident involved unauthorised access to certain reservation-related information, including names, emails, addresses, telephone numbers and booking details shared with accommodation providers. It said Booking.com stated that financial information was not accessed.
Even without bank details being exposed, reservation information can help criminals create more convincing scams.
What travellers in Spain should check
Travellers should be especially cautious if they receive a message asking them to click a link, enter payment details or confirm personal information outside the official platform. The safest step is to go directly to the official website or app by typing the address yourself, rather than using a link in an email, text or WhatsApp message.
If the message claims to be from a hotel or apartment, contact the accommodation directly using the phone number or email listed on the official booking platform or the hotel’s own verified website.
Do not use the contact details included in the suspicious message.
Warning signs of a fake travel message
A scam message may look professional, but there are usually clues.
Be careful if the message creates panic, threatens cancellation, asks for urgent payment, contains a strange link, uses poor spelling, or asks for details the platform should already have.
Very low prices can also be a warning sign, especially when the property has few reviews, asks for payment outside the official platform, or pressures the traveller to move the conversation to WhatsApp.
The same applies to fake customer service numbers found through search engines. Travellers should use the contact details provided inside the official app or website, not numbers from random online results.
What to do if you have already clicked
Anyone who has clicked a suspicious link should avoid entering further information and should leave the page immediately.
If bank or card details have already been entered, contact the bank straight away and monitor the account for unusual activity. It may also be necessary to cancel the card.
Travellers should change passwords if they entered login details and should enable two-factor authentication where available.
In Spain, suspicious cyber incidents can also be reported through INCIBE’s cybersecurity helpline, 017.
Spain prepares for summer travel surge as Operation Crossing the Strait begins
Summer bookings need an extra pause
The problem is not that people are careless. These scams are becoming harder to spot because they often use familiar brands, real booking information and the pressure of holiday planning.
That is why the best protection is a short pause before clicking. Check the web address. Open the official app. Call the accommodation through verified details. Never enter card information through a link sent by WhatsApp.
For anyone booking a hotel, apartment, flight or last-minute summer break in Spain, those few extra checks could be the difference between a holiday and a costly scam.