We take a look at the first findings on fraudulent campaigns exploiting the 2025 summer holidays.
As every year, the summer holiday season presents juicy opportunities for cybercriminals, and 2025 is no exception. The first reports related to this sector have already been published. Let’s take a look.
Cyberattacks against the hotel sector grow by 48%
Check Point Research (CPR) conducts an annual analysis of cyberattacks targeting the hotel industry, data from May 2025 shows a 48% year-on-year increase in the average weekly cyberattacks per organization in this sector, compared to 2024. When compared to 2023, the increase rises to 78%.
Deceptive tactics aren’t new: fraudulent offers, phishing campaigns impersonating major booking platforms, fake reservation messages… Cybercriminals exploit the specific traits of the summer campaign: excitement for the experience, urgency to grab the best deal, and anxiety about planning the perfect vacation.
But it’s not only the end customers who fall victim; hosts of accommodations and the brands themselves are also targeted through impersonation. Let’s take a look at some examples highlighted in the study.
Examples of Fraudulent Attacks in 2025
Airbnb impersonation
A fraudulent website has been detected, possibly a cloned version, that mimics Airbnb’s reservation payment page under an illicit domain with no affiliation to the brand. Its goal is to capture credit card details and expiration dates. It is likely that this page has been or will be used in phishing or smishing campaigns, or through fraudulent communications in which fake property owners send links to external pages to complete reservation processes.
Booking.com impersonation targeting property owners
Another fraudulent domain detected by Check Point targets the popular booking platform, containing a fake website that mimics the login page for accommodation hosts. In this case, the page’s objective is to distribute malware through a pop-up with a fake reCAPTCHA that downloads a trojan.
They have also detected phishing emails impersonating the brand and targeting hosts, associated with other domains. These emails mimic notifications from Booking.com, stating that the property has received a message from a guest. It is likely that clicking on these leads users to fake login pages like the one we just saw.
An important point noted by Check Point regarding these emails is the use of variations in the CTAs (call-to-action buttons) within the message. According to cybersecurity experts, this is likely an example of generative AI being used to increase the chances of bypassing email spam filters.
Registration of fraudulent tourism domains grows by 55%
This increase in cyberattacks and phishing and spoofing campaigns is equally reflected in the new domains registered in May related to the summer tourism campaign. According to data from the Check Point study, 1 in every 21 tourism domains registered in May, out of a total of 39,000, are fraudulent or suspicious. This represents 5% of the registrations and a 55% increase compared to the previous year.
The implementation of DMARC lags behind in Europe, with 54% exposure to fraud
A recent study by ProofPoint analyzed the level of DMARC implementation among the top 20 websites in the sector across the United Kingdom, Italy, France, Germany, Spain, Benelux, United Arab Emirates, and Saudi Arabia.
Although 88% of them have implemented DMARC, only 46% do so with full enforcement (p=reject). Why is this important?
DMARC is an email validation protocol that currently offers the highest protection against fraudulent emails. That is why, since last year, major companies like Google and Yahoo (and starting this year, Microsoft) require its implementation from brands that send mass emails.
It is based on the SPF and DKIM protocols. If a sender or email fails either of these protocols (SPF verifies that the sender is authorized to send that email, and DKIM validates that it has not been intercepted or modified), DMARC takes effect and, depending on the DMARC policy implemented, the email will or will not reach the recipient’s inbox.
For maximum security for clients and users, brands should implement the reject policy (the third and highest level of DMARC enforcement), as it ensures that fraudulent emails are not delivered.
And this remains the pending task for 54% of the leading tourism platforms in these countries.
Spain leads alongside the United Kingdom
Fortunately, both in Spain and the United Kingdom, 100% of the analyzed platforms have implemented DMARC, and 65% have adopted the reject policy, meaning that in these countries, exposure is 35%.
However, 35% should not be considered a positive figure in 2025, especially when analyzing the leading brands in the sector. It is necessary and essential for brands to step up and implement the basic measures to fight fraud.
We offer a free DMARC check that can be requested here.
Are your shipments secure?
Request a quick ckeck, we will review if you comply with SPF, DKIM, DMARC, and BIMI
In short, tourism campaigns are very attractive to cybercriminals, who now have new tools that make fraudulent campaigns easier to carry out. Although the summer campaign is the most prominent, the sector must also consider new consumption patterns, which have increased the number of vacations and/or trips users take annually.
Therefore, it is urgent for brands in the tourism sector to understand the threats and implement the necessary prevention and anticipation measures. Likewise, we encourage them to take our Online Brand Protection Maturity Test as a starting point for defining their strategy.
Do you need help against online fraud?
Write to us with your inquiry, and we will get in touch with you soon.