The Nigerian Prince is dead: how AI scam artists are targeting Australians

AI-powered travel scams are hitting Australians hard. Reservation hijacking and QR quishing bypass old warning signs. Here is what to watch for this winter.

Key takeaways

  • Australians planning winter travel face a new generation of AI-powered scams that bypass every traditional warning sign, including correct grammar, familiar platform interfaces, and accurate booking details.
  • "Reservation hijacking" sees criminals operate from inside Booking.com or Airbnb after compromising a hotel's account, so the message looks completely legitimate.
  • QR-code "quishing" tricks travellers into entering card details on fake sites before they have properly checked who they are paying.
  • Older Australians are a specific target: an AI voice that reads back your correct itinerary is far more convincing than a dodgy phone call.
  • Your first call after entering card details on a fake site should be your bank, not your insurer.

What Happened

Australians heading into the winter travel season are being warned to slow down and pay close attention, as a wave of sophisticated travel scams bypasses the security flags most people still rely on. Reporting by The Senior, published 10 June 2026, details how criminals are using artificial intelligence to run schemes that look, sound, and feel entirely real.

SCAMAssist digital forensic IT investigator Simon Smith put it plainly: "What used to be the Nigerian prince in 2010 is now a perfectly fluent, polite message." The broken English and suspicious grammar that once gave scams away are gone. Generative AI writes better than most of us do, and it does so at scale.

Two tactics are doing the most damage right now. The first is reservation hijacking, where scammers compromise a hotel's account credentials on Booking.com or Airbnb and then send messages directly through the platform's own chat system. The second is QR-code quishing, where a fake QR code - placed in an email, a printed flyer, or even a physical location - redirects travellers to a fraudulent payment page.

Why It Matters

The reason these scams are working is not that Australians are careless. It is that the old visual cues no longer mean anything. When a message arrives inside Booking.com or Airbnb's own messaging system, as Smith explains, "every visual cue says 'this is real'." The chat thread is the same, the logo is the same, the property name and booking reference are the same. There is nothing obviously wrong to catch.

That is the point. The scammer is not impersonating the platform from the outside. They are operating inside it after compromising a hotel's account credentials. The trust is borrowed, not faked.

Older Australians face a particular risk. Smith noted that "an older Australian who would refuse to give card details over the phone may now comply when an AI 'Trust and Safety officer' reads back their correct itinerary." The AI has the booking details because the hotel account was already compromised. Hearing your own information read back to you is deeply reassuring - and that is exactly what makes it dangerous.

SecurityBrief Australia reports that AI-driven scams are surging across the country, with Australian shoppers losing an average of AUD 445 each. That figure reflects the broader consumer fraud picture, and travel scams sit squarely within it.

Key Details

Reservation hijacking works because the scammer never has to pretend to be the platform. They get inside a legitimate hotel account, then send a message that looks like routine pre-arrival communication. The timing is deliberate. These messages often land one or two days before check-in, when travellers are distracted with packing, transport, and last-minute arrangements. Attention is split. The instinct to just click and confirm is strong.

QR quishing adds a physical dimension. You scan a code, a page opens, it looks right, and you enter your card details and approve payment before you have properly checked who you are paying. Smith's description of the experience is direct: "You scan, open, enter details, and approve payment before you have properly checked who you are paying."

The recovery path matters too. Smith is clear on this: "If you enter your card details into a fake site, your first route is your bank, not your insurer." Travel insurance policies generally do not cover voluntary card entry on fraudulent sites. The bank's fraud team is the right first call, and speed matters.

Background and Context

The shift in scam quality tracks directly with the public availability of large language models from late 2022 onward. Before that, the grammar errors in phishing emails were a genuine filter - not a perfect one, but a real one. Scammers who could not write convincing English were easier to catch. That filter is gone now. Any scammer with access to a basic AI writing tool can produce fluent, contextually appropriate messages in any language.

Travel platforms have become attractive targets partly because of how much personal data flows through them. A booking confirmation contains your name, travel dates, property address, check-in time, and often a partial payment record. That data, once a hotel account is compromised, gives a scammer everything they need to sound authoritative.

The Australian consumer protection framework - including the Australian Consumer Law and the work of the ACCC's Scamwatch - provides reporting pathways, but enforcement against offshore criminal operations is slow. The practical protection has to come from individual awareness, which is why warnings like this one matter.

For businesses thinking about how AI intersects with trust and fraud risk, Mindiam's AI strategy work and AI training programmes address exactly these dynamics - how AI tools change the threat surface and what organisations need to understand to respond. Our AI automations practice also works with clients on identifying where automated processes create new exposure.

What Comes Next

Scam tactics will keep improving as the underlying AI tools improve. The gap between a real platform message and a fraudulent one will narrow further. Platforms like Booking.com and Airbnb are aware of the credential-compromise problem and have been working on account security, but the attack surface is large - thousands of hotel and property accounts, many managed by small operators with limited IT resources.

For travellers, the practical steps are specific. Before clicking any payment link in a booking message, go directly to the platform's app or website and check your booking from there. Do not scan QR codes in emails without verifying the destination URL first. If an AI voice calls you with your booking details and asks for card confirmation, hang up and call the platform directly using a number from their official site.

If you do enter card details on a site that turns out to be fraudulent, call your bank immediately. Do not wait to see if a charge appears. The faster the bank is notified, the better the chance of stopping or reversing the transaction.

For organisations in travel, retail, and financial services, understanding how AI is being used against your customers - and building that into your AI strategy - is no longer optional. See also Mindiam's work across the retail sector and our editorial standards for how we verify and report on these issues.

Frequently Asked Questions

What is reservation hijacking and how does it work?

Reservation hijacking is a scam where criminals gain access to a hotel or property manager's account on a booking platform such as Booking.com or Airbnb. Once inside, they send messages directly through the platform's own chat system, so the message appears in the traveller's legitimate booking thread with the correct logo, property name, and booking reference. Because the scammer is operating from inside the platform rather than impersonating it from outside, there are no obvious visual cues that anything is wrong. The message typically asks the traveller to confirm payment details or click a link, and it often arrives one or two days before check-in when attention is divided.

What is QR quishing and why is it hard to spot?

QR quishing is a form of phishing that uses QR codes instead of text links. A fraudulent QR code - which can appear in an email, a printed document, or even a physical sign - redirects the person who scans it to a fake website designed to capture card details. The problem is that most people scan a QR code and trust the page that opens, especially if it looks like a familiar brand. By the time you have entered your details and approved a payment, you may not have checked the URL at all. The speed and convenience of QR codes are exactly what make them useful to scammers.

Why are older Australians particularly at risk from AI-powered scams?

Older Australians often developed their scam-awareness habits in an era when the warning signs were different - poor grammar, suspicious phone numbers, requests that felt out of place. Those signals are largely gone now. An AI system that calls you, speaks fluently, and reads back your correct booking itinerary does not trigger the same alarm. SCAMAssist investigator Simon Smith noted that an older Australian who would refuse to give card details over the phone may now comply when an AI voice with the right information asks them to confirm. The familiarity of the information is the trap.

What should I do if I think I have entered my card details on a fraudulent site?

Call your bank immediately - do not wait to see whether a charge appears on your statement. As Simon Smith noted, your first route is your bank, not your insurer. Travel insurance policies generally do not cover losses from voluntarily entering card details on a fraudulent site. Your bank's fraud team can freeze the card, flag the transaction, and in many cases reverse a charge if they are contacted quickly enough. After contacting your bank, report the incident to Scamwatch via the ACCC's website.

How can I verify a booking message is genuine before clicking anything?

The safest approach is to ignore links and payment requests in messages entirely and go directly to the platform's official app or website. Log in there and check your booking from within the platform. If there is a genuine payment issue or request, it will appear in your account. Do not use phone numbers or links provided in the message itself. For QR codes, check the URL the code resolves to before entering any information - most phone cameras show a preview of the destination URL before you open it.
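
What "check the URL" means in practice, as an added example that is not part of the original article: the test is on the host the link actually points to, not on whether a familiar brand name appears somewhere in it. The allowlist, the function name and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only domains this traveller expects to pay on.
EXPECTED_DOMAINS = {"booking.com", "airbnb.com"}

def check_payment_url(url, expected=EXPECTED_DOMAINS):
    """Return (ok, reason) for a URL decoded from a QR code or message link."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        userinfo = parts.username or parts.password
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    if userinfo:
        # Text before '@' is a login field, not the site being visited.
        return False, "userinfo before host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Internationalised names can render as look-alikes of a brand.
        return False, "punycode or non-ASCII host"
    for domain in expected:
        # Exact match, or a true subdomain: the brand must be at the END.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "unexpected host: " + host

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://secure.booking.com/pay?res=1234",
    "https://booking.com.confirm-stay.example/pay",  # brand is only a prefix
    "https://booking.com@pay.example/",              # brand is only userinfo
    "http://www.airbnb.com/pay",                     # no TLS
    "https://notbooking.com/",                       # suffix without the dot
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_payment_url(link)
        print("OK  " if ok else "STOP", link, "->", reason)
```

A shortened or redirecting link fails this check by design, since its visible host is not the platform's; that is the cue to open the booking from the official app instead.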

Sources & citations

  1. "AI-driven scams surge in Australia as shoppers lose AUD 445 each," *SecurityBrief Australia*