In Italy’s hospitality world, behind the convenience of online bookings lurks an increasingly sophisticated threat: scams carried out through virtual credit cards (VCCs) issued by booking portals. This phenomenon is hitting Italian accommodations hard, from small family-run inns to luxury hotels.
Although precise statistics are hard to quantify because these scams often go unreported, industry associations are recording a worrying rise in cases. Reports to law enforcement have surged dramatically over the past two years, with financial losses estimated in the tens of millions of euros per year.
The most affected regions are the most popular tourist destinations: Veneto, Tuscany, Campania, and Sicily top the list of reports, but the phenomenon is quickly spreading to other destinations as well.
What VCCs are and why They’Re Vulnerable
Virtual credit cards are a technology paradoxically designed to increase security: they are single-use digital cards automatically generated by portals like Booking.com, Expedia, or Airbnb to process guest payments. Each VCC contains a temporary card number, an expiration date, and a security code, just like a physical card, but with a crucial difference: they’re intended for one-time use and for a specific amount. All VCCs must be charged within 12 months from the check-out date, as specified by Booking.com. A time window that can become an opportunity for scammers.
Virtual credit cards are used to scam both hoteliers and customers.
Scams Targeting Properties
A classic scam against a property involves the front desk agent receiving a call from someone posing, for example, as a software maintenance technician who needs to update the program. They ask for remote access and claim that without immediate action the ability to receive bookings will be blocked. The call usually comes in the evening and catches the victim off guard, and they often fall into the trap, opening the door to the criminal.
In other cases, criminals obtain virtual card details by bypassing staff through a Trojan horse—malware that masquerades as legitimate software and tricks the user, gaining access to the IT system. It still stems from human error, since Trojans are installed by people, perhaps by clicking a link in an email or downloading files from unsafe sites.
ASAT (Hotel Association) reports that it regularly receives notices of fake bookings made with credit cards that are likely cloned or stolen. In this scheme, criminals use stolen credit card data to generate fake bookings through the portals, creating seemingly legitimate VCCs that the hotel attempts to charge, only to later discover their fraudulent origin.
A more sophisticated mechanism exploits the fact that VCCs have specific time windows for charging. Scammers create legitimate bookings but then manipulate systems to let the cards expire before the hotel can charge them, leaving the property unpaid for services rendered.
Scams Targeting Guests
The most widespread involves fraudulent communications that appear to come directly from the property. Impersonating hotel staff, scammers contact guests requesting a second payment for supposed “security checks” or “booking confirmations.”
Beyond this type of message, there have also been cases where the guest is contacted via WhatsApp. Payment isn’t requested, only the entry of credit card credentials for verification purposes and to keep the booking active. It’s a way to obtain the customer’s card data, presenting the request as a simple technical procedure.
More skilled criminals combine phishing and social engineering techniques, creating fake websites that perfectly mimic booking portal interfaces. Through these sites, they collect sensitive data from both guests and properties, which they then use to generate fraudulent VCCs.
Naturally, even when the theft targets the guest, the property is hit hard because it has suffered the system breach and data leak from which names, addresses, and contacts of guests or prospective guests were stolen. This reputational damage quickly turns into financial loss.
How to Spot a VCC Scam
Warning Signs for Properties
Suspicious Bookings:
- Multiple consecutive bookings from the same IP but with different names
- Requests for premium rooms with full prepayment
- Communications with unusual grammatical or language errors
- Excessive urgency in post-booking communications
Technical Anomalies:
- VCCs repeatedly declined by the payment system
- Discrepancies between the authorized amount and the booking amount
- Requests to change payment details after confirmation
Red Flags for Travelers
- Requests for additional payments via channels other than the official portal
- Emails or messages asking for personal data “for security checks”
- Communications that create artificial urgency (“you must pay within an hour”)
- Suspicious links that do not point to the portal’s official domain
Protection Strategies
More advanced properties are adopting systems that cross-check VCC data with booking portal data in real time, verifying matches between amounts, dates, and reference codes. The adoption of machine learning algorithms can also help identify anomalous patterns in bookings, automatically flagging potentially fraudulent situations for manual review.
For properties that still need to catch up, it’s important to: never request additional payments through unofficial channels; always verify the guest’s identity through the portal’s channels; document any suspicious communication for potential reports.
Major booking portals are also responding to the phenomenon by implementing increasingly sophisticated security measures.
Booking.com, for example, has introduced AI systems to monitor suspicious transactions and strengthened user identity verification protocols.
However, the open nature of these digital ecosystems makes it impossible to eliminate risk entirely, making active collaboration between portals, properties, and competent authorities essential.
What to Do in Case of a Scam
For Properties
- Immediate report: Contact the Postal Police right away and file a formal report
- Documentation: Keep all documents related to the fraudulent transaction
- Portal communication: Report the incident to the booking portal through official channels
For Travelers
- Block cards: Immediately block all credit cards involved
- Bank notification: Contact your bank to report suspicious transactions
- Police report: File a report with the nearest Postal Police office
- Monitoring: Check your statements regularly in the following months
VCC scams are a real and growing threat to Italy’s tourism industry. However, with the right combination of technology, training, and vigilance, risks can be significantly reduced. The digital transformation of hospitality shouldn’t be halted by fear of scams; it must be accompanied by a cybersecurity culture that protects every player in the tourism value chain.
One thing is certain: the human factor remains crucial. Staff must be properly trained to recognize the signs of a scam and to correctly handle payment verification procedures. The training landscape is complex, and choosing the right path is critical to effectiveness. It’s important to rely on those who make cybersecurity training their mission, staying aligned with the evolution of crime and technology and offering targeted, ongoing programs that enable all staff to spot and stop a cyber scam in time.
For the tourism sector—as for all industries—it should now be clear that digital security isn’t a cost but a necessary investment in sustainability and reputation. Only prepared and aware properties will be able to continue offering guests the excellence of Italian hospitality, protecting it from the pitfalls of the digital world.
