How to Prevent Scams and Be a Smarter Traveler
Digital Travel Scams: What Every Malaysian Traveller Should Know
This guide covers only digital scams that are directly linked to travel — booking, planning, and being
on the road. All information is drawn from verified sources including the National Scam Response
Centre (NSRC), MCMC, Bank Negara Malaysia, and international cybersecurity and travel safety
research published in 2024–2025.
As of 2025, AI-driven travel fraud has caused an estimated USD 13 billion in global losses, with
victims losing close to USD 1,000 on average per incident (McAfee, 2025). Malaysians are not
immune — the NSRC recorded RM203.33 million lost to online scams as of May 2024, a figure that
continues to grow.
1. Fake Flight and Hotel Booking Websites
Scammers build websites that closely mimic real airline, hotel, or travel booking platforms such as
Booking.com, Airbnb, AirAsia, or Expedia. They use AI tools to generate realistic property photos,
fabricated guest reviews, and professional-looking designs. Once payment is made, the traveller
receives either a fake confirmation or nothing at all — and the site goes dark.
In 2024, TripAdvisor alone identified and removed over 2.7 million fake reviews, many written by AI.
A 2024 investigation by UK consumer watchdog Which? also found that travellers repeatedly arrived
at properties listed on Booking.com that did not exist, with many struggling to receive refunds.
How to protect yourself:
• Always type the airline or hotel's URL directly into your browser. Do not click links from emails,
ads, or social media.
• Check that the website address begins with 'https' and matches the official domain exactly —
scam sites often use slight misspellings.
• Cross-check any listing on multiple platforms before paying.
• Be especially suspicious of prices significantly lower than the market rate. Scammers rely on
urgency phrases like 'only 1 room left' or 'deal expires in 10 minutes' to pressure you into
skipping verification.
• Pay by credit card where possible — it offers better fraud dispute protection than direct bank
transfers.
2. AI-Generated Phishing Emails and SMS Pretending to Be Airlines or Hotels
Travellers receive emails or SMS messages that appear to come from airlines (e.g. AirAsia,
Malaysia Airlines), hotels, or booking platforms. These messages — now crafted with AI — include
real logos, correct brand language, and even accurate reservation details scraped from data
breaches. They direct you to a fake login page to 'confirm your booking' or 'update payment details',
harvesting your credentials or card information.
AI has made these messages far harder to detect. A 2025 cybersecurity report noted that phishing
emails targeting travellers now replicate legitimate confirmations so accurately that even
experienced travellers are being misled.
How to protect yourself:
• Never click links inside booking-related emails or SMS messages. Always go directly to the
company's official website by typing the address yourself.
• Look for subtle signs: awkward phrasing, a sender email address that does not match the
official domain, or requests to re-enter payment information 'for security purposes'.
• Log into your airline or hotel account directly to verify any booking changes — do not rely on
email links.
• Enable email spam filters and keep your device's security software updated.
• Remember: AirAsia, Malaysia Airlines, and all legitimate companies will never ask for your
password, OTP, or TAC via email.
3. Fake Travel Packages and Tour Deals on Social Media
Fraudulent pages on Facebook, Instagram, and TikTok impersonate travel agencies or popular
travel influencers, advertising heavily discounted tour packages, giveaways, or flash deals. As of 15
July 2025, Malaysian authorities had detected 46,817 scam-related advertisements online —
approximately 80% of which were on Facebook (MCMC, 2025).
These pages look convincing because they use real-looking photos (often AI-generated), fabricated
testimonials, and paid advertising to reach a wide audience. Victims pay via bank transfer to an
individual account and receive nothing.
How to protect yourself:
• Do not pay via direct bank transfer to individuals or pages you have only discovered through
social media.
• Verify that any travel agency is registered with the Ministry of Tourism, Arts and Culture
Malaysia at motac.gov.my before making payment.
• Check whether the social media page was recently created, has few followers, or has
comments disabled — common red flags.
• Report suspicious travel advertisements to MCMC at aduan.skmm.gov.my or by calling 1800
18 2222.
• For better peace of mind, consider booking through platforms that have done the vetting for
you. BeliHoliday (www.beliholiday.com) is a Malaysian platform that lists only registered travel
agents who have been verified, with all listings checked by a real person before they go live —
reducing your exposure to fraudulent operators.
4. Fake Wi-Fi Networks at Airports, Hotels, and Cafes
Scammers set up rogue Wi-Fi hotspots with names designed to look legitimate, such as 'KLIA Free
WiFi' or '[Hotel Name] Guest'. When a traveller connects, the scammer can intercept all unencrypted
internet traffic — including login credentials for banking apps, email accounts, and booking
platforms.
This type of attack is particularly effective in airports, hotel lobbies, and airport transit lounges where
travellers routinely search for free Wi-Fi.
How to protect yourself:
• Confirm the exact Wi-Fi network name with airport staff or hotel reception before connecting.
• Avoid logging into banking apps or making any financial transactions over public Wi-Fi.
• Use a reputable VPN (Virtual Private Network) application whenever connecting to public
networks.
• Use your Malaysian mobile data (roaming or a local SIM) for anything involving personal or
financial information.
5. AI-Generated Fake Travel Alerts via WhatsApp and SMS
Scammers send messages through WhatsApp, Telegram, or SMS impersonating airlines or travel
providers, claiming your flight has been cancelled, your gate has changed, or your booking requires
immediate action. These messages contain malicious links that lead to phishing sites or install
malware on your device.
Because travellers are already in an anxious, time-sensitive state — especially around departure —
they are more likely to click without thinking. AI now enables these messages to be generated in
fluent Bahasa Malaysia and English, making them far more convincing than before.
How to protect yourself:
• Do not click any link in an unsolicited WhatsApp or SMS message relating to your travel, even
if it appears to come from a known airline.
• Check flight status directly on the airline's official app or website.
• Look for warning signs: messages from unknown numbers, spelling errors, or links that do not
lead to the official company domain.
• If you receive a suspicious message claiming to be from Malaysia Airlines or AirAsia, report it
directly to the airline through their official channels.
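The check recommended in sections 1, 2 and 5 (a link must lead to the official domain exactly, not to a misspelling of it) can be automated. The following Python is an added example, not part of the original guide; the allowlist, the function names and the sample URLs in the comments are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: replace with domains you have verified yourself.
OFFICIAL = ("airasia.com", "malaysiaairlines.com")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url):
    """Return (verdict, reason) for a link found in an email, SMS or ad."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "reject", "no hostname"
    if parts.scheme != "https":
        return "reject", "not https"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject", "punycode label (possible look-alike characters)"
    for dom in OFFICIAL:
        # Exact match or a true subdomain of the official domain.
        if host == dom or host.endswith("." + dom):
            return "official", dom
    # Simplification: the last two labels are treated as the registrable
    # domain; suffixes such as .com.my need a public-suffix list instead.
    registrable = ".".join(host.split(".")[-2:])
    for dom in OFFICIAL:
        brand = dom.split(".")[0]
        if edit_distance(registrable, dom) <= 2:
            return "lookalike", f"near-miss of {dom}"
        if brand in host.replace("-", ""):
            return "lookalike", f"brand '{brand}' on unrelated domain"
    return "unknown", "not on allowlist; verify independently"

# Constructed sample links:
#   https://www.airasia.com/flights                   official
#   https://airasla.com/confirm                       lookalike (one letter swapped)
#   https://airasia.com.booking-update.example/login  lookalike (brand used as a subdomain)
```

An "unknown" verdict is not a pass: it only means the host is neither on the allowlist nor an obvious imitation of it.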
6. Fake Visa and Immigration Assistance Websites
Websites posing as official government immigration or e-visa portals charge processing fees for
services that are either free or much cheaper through official channels. Some collect personal
passport details and payment information with no intention of processing any application, while
others submit applications incorrectly, causing travellers to arrive at their destination without valid
entry documents.
This is particularly relevant for Malaysian travellers applying for visas to countries such as the
United States, United Kingdom, Schengen countries, Australia, and Japan.
How to protect yourself:
• Always apply for visas through the official embassy or government immigration website of your
destination country.
• For e-visas, search for the official government portal directly — do not trust sponsored links in
search engines, as scam sites frequently appear as paid advertisements.
• Legitimate government visa sites are typically .gov domains. Be cautious of .com or .net sites
claiming to process official visas.
• Never pay a third-party website to submit a visa application on your behalf unless it is a
licensed travel agent you have independently verified.
If You Have Been Scammed Online While Travelling
Act as quickly as possible. The faster you report, the higher the chance of limiting your losses.
• Call the National Scam Response Centre (NSRC) at 997. As of September 2025, this line
operates 24 hours and calls are treated as official police reports — you no longer need to go to a
police station separately.
• Contact your bank's 24-hour hotline immediately to freeze your account or dispute the
transaction. Use your banking app's Kill Switch feature if available.
• Gather all evidence before anything is deleted: screenshots of conversations, transaction
records, website URLs, email headers, and call logs.
• Report scam advertisements or websites to MCMC at aduan.skmm.gov.my.
• For investment-related digital travel scams, check Bank Negara Malaysia's investor alert list at
bnm.gov.my and the Securities Commission at sc.com.my.
Key Contacts
• NSRC Scam Hotline: 997 (24 hours, operated by PDRM)
• PDRM Semak Mule — check suspicious accounts or numbers: semakmule.rmp.gov.my
• MCMC — report online scam content: aduan.skmm.gov.my | 1800 18 2222
• Bank Negara Malaysia TELELINK: 1300 88 5465 | bnm.gov.my
• Ministry of Tourism — verify travel agents: motac.gov.my
Sources: National Scam Response Centre (NSRC) | MCMC | Bank Negara Malaysia | McAfee 2025 Report |
TravelWise | Help Net Security | Away Lands | Euronews Travel | TripAdvisor 2024 Report | Beem Travel | The Times
of Noblesville (2024–2025). Information is accurate as of May 2025. Always verify with official sources before
travelling.

