When a Donegal hotel group discovered twelve separate fake listings for their properties across Booking.com, Expedia, and Airbnb last year, they had already lost over €40,000 in bookings. Guests had arrived at the reception desk holding confirmation emails for stays that had never been booked through the real hotel. The deposits — paid to a fraudster's account using stolen payment methods — were gone. The guests were furious. The hotel's reputation on review platforms absorbed the consequences of a fraud it had not committed. Fake listing fraud is now a recurring and serious threat to Irish hospitality businesses, and Donegal hotels are among those most frequently targeted.
How the Fraud Works
The mechanics of fake listing fraud are straightforward, which is part of what makes it so effective. A fraudster identifies a well-reviewed hotel — typically one with consistent bookings, strong ratings, and a recognisable name. They then create a duplicate listing on a major booking platform using photos stolen from the hotel's real website, a description copied from the genuine listing, and a fraudulent email address designed to look similar to the real one.
The fake listing is priced at 30 to 50 percent below the hotel's real rate. A guest searching for accommodation in Donegal sees two listings for the same property — one at €120 per night, one at €60. They book the cheaper option and pay a deposit. The fraudster either disappears with the money, sends a fake confirmation email and then cancels after the non-refundable window closes, or directs the guest to the real hotel with documentation that cannot be honoured.
The guest arrives. The hotel turns them away. The guest posts a negative review. The hotel is blamed for a fraud it had no part in.
Beyond fake OTA listings, two related fraud variants are affecting Irish hospitality businesses. Rate parity manipulation occurs when a fraudster gains access to the hotel's genuine listing — often through a compromised staff account — and changes the pricing to undercut other channels. SEO poisoning involves creating a fake website that mirrors the hotel's real site and ranking it ahead of the genuine site in Google search results, capturing bookings before the guest reaches the real hotel.
Has your hotel checked its listings on all major booking platforms in the last 30 days? Book a free 20-minute strategy call — we can help you audit your online presence and close the gaps that fraudsters exploit.
The Data Problem Underneath the Revenue Problem
When a guest books through a fake listing, they hand over their full personal and payment information to the fraudster. Name, contact details, email address, card number, and in some cases passport details for international visitors. This data is then sold on criminal marketplaces or used directly for identity theft and follow-on phishing attacks targeting the same individual.
The guest blames the hotel. The Data Protection Commission in Ireland requires that businesses report data breaches involving third-party misuse of their brand where it causes harm to data subjects — a requirement that adds regulatory complexity to what is already a commercial and reputational crisis.[^1] An Garda Síochána's National Cyber Crime Bureau has documented multiple cases where fake listing operations formed part of larger organised fraud networks targeting Irish tourism businesses.[^2]
The NCSC Ireland has also noted that hospitality businesses are increasingly targeted by fraud operations that combine fake listings with credential theft, using phishing emails impersonating booking platforms to harvest login details for genuine OTA accounts.[^3]
Five Controls That Protect Your Revenue
The measures that prevent fake listing fraud are not complex or expensive. They require consistency and attention rather than significant technology investment.
Claiming and verifying your Google Business Profile is the single most important step for most Irish hotels. A verified profile gives you control over your hotel's appearance in Google search results and maps, and makes it significantly harder for a fake listing to displace your real one. If you have not claimed your profile, do it today. It is free and takes less than an hour.
Monitoring your listings weekly on all major platforms — Booking.com, Airbnb, Expedia, TripAdvisor — should be a standing task for front desk or revenue management staff. Set up Google Alerts for your hotel name combined with the word "booking." Any new result that you have not created yourself should be investigated immediately.
Securing your OTA accounts with strong unique passwords and two-factor authentication prevents the rate parity manipulation variant. Restrict account access to the staff members who genuinely need it and review the access list when employees change roles or leave. Monitor login history on each platform for access from unfamiliar devices or locations.
Creating a response procedure for when you discover a fake listing is important before you need it, not after. The procedure should include: taking screenshots of the fraudulent listing as evidence, reporting immediately to the platform through their official dispute process, filing a report with An Garda Síochána, and notifying guests who may have been affected.
Auditing any physical QR codes at your property is relevant if you use them for menus, payments, or check-in processes. Fraudsters place fake sticker codes over legitimate ones in high-footfall hotel locations. Check them weekly. Where possible, display QR codes on digital screens rather than printed stickers.
The cost of monitoring your listings weekly is measured in minutes. The cost of missing a fake listing operation is measured in thousands of euros and months of reputational recovery.
What to Do Right Now
If you have not already taken the steps above, start this week with three actions.
First, search for your hotel on Google, Booking.com, and Airbnb. Look for any listing that uses your photos, name, or description but has different contact details or pricing. If you find one, screenshot it and report it to the platform immediately.
Second, claim and verify your Google Business Profile if you have not done so. Go to google.com/business, search for your property, and follow the verification process. Google sends a postcard with a verification code to your registered business address.
Third, review the login credentials for every OTA account your hotel uses. Change any password that has not been updated in the last six months. Enable two-factor authentication on every platform that supports it.
Fake listing fraud is growing because it works. But it is also preventable with basic operational security habits applied consistently. Hotels that monitor their online presence regularly and secure their platform accounts are substantially less vulnerable to this type of fraud.
Related Reading
- NIS2 and Hospitality: What Donegal and Sligo Hotels Must Do Before the Deadline
- Quishing: QR Code Phishing Scams and What Every Irish Business Owner Needs to Know
- Seasonal Staff Cybersecurity: What Irish Hospitality Businesses Need to Know
[^1]: Data Protection Commission, guidance on data breach notification obligations: https://www.dataprotection.ie [^2]: An Garda Síochána, National Cyber Crime Bureau cybercrime resources: https://www.garda.ie/en/crime/cyber-crime/ [^3]: NCSC Ireland, guidance on phishing and online fraud for organisations: https://www.ncsc.gov.ie/advice-for-organisations/
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.