Fake booking sites & travel phishing in Korea (2026): how to book hotels, KTX and tours without getting scammed
You found a Seoul hotel for half price, a KTX deal that's almost too good, or an email saying you "won" a free stay near Insadong — and all you have to do is click and confirm. Pause right there. As Korea heads into peak summer travel season, Korean security researchers and media report a sharp rise in phishing sites and apps that impersonate well-known travel booking platforms, luring visitors with fake discounts and prize emails that carry malware or quietly harvest your logins, card numbers, and even passport scans. The good news: almost every one of these scams falls apart the moment you know the handful of habits below. Here's how to book Korean hotels, trains, and tours without handing your identity to a stranger.
What's happening this summer
Korean security firms and outlets (boannews, dailysecu and others) have flagged a seasonal surge in fake travel websites and apps built to look almost exactly like the real thing — same logos, same layout, a domain that's just one or two letters off. Researchers describe two main moves:
- Look-alike booking sites and apps that copy a famous platform's design and a near-identical web address, so the page where you "log in" or "pay" is actually feeding your details straight to the scammer.
- Lure emails and messages with subject lines like "special accommodation discount," "you've won a free stay," or a fake booking confirmation for a reservation you never made. The link or attachment installs malware or drops you on a credential-stealing copycat page.
This isn't only a Korea problem — global researchers tracked travel-sector phishing rising well over 100% in recent years — but it lands hardest in summer, when millions of visitors are actively booking and a "limited-time deal" feels normal. The same reports note these scams now blend into SMS and messenger chats, not just email, so the old "just don't open spam" advice isn't enough on its own.
Why scammers want your travel data
It's not just your card. Security researchers tracking the dark web report a busy trade in stolen travel identity data: scanned passports, visa stickers, airline mileage accounts, and booking records. Reported prices give a sense of scale — a scanned passport can go for as little as $10, while a fully verified high-value passport can fetch $5,000 or more; hijacked reservations and loyalty accounts are resold at steep discounts too.
That's why a fake "verify your booking" page often asks for far more than a payment — it wants a passport photo, your full birth date, and your home address. To a scammer, a foreign traveler's passport scan plus a live card is a complete, sellable identity kit. Treating those documents as carefully as your card is the whole game.
How to spot a fake booking site or app
You don't need to be technical. These checks take seconds and catch the vast majority of fakes:
- Read the domain letter by letter. Scammers use "typo-squatting" — an extra letter, a swapped one, or a weird ending (think booking-deal-kr.com instead of the real address). If the spelling feels even slightly off, leave.
- The padlock means encrypted, not honest. A 🔒 https lock only means the connection is private — scammers buy those too. It is not proof the site is legitimate.
- Type the address yourself, or use a bookmark. Don't reach a "login" or "pay" page by tapping a link in an email, SMS, or chat. Open a fresh browser tab and type the official site, or use the app you already trust.
- Only install apps from the official Apple App Store or Google Play. Never sideload a travel app from a link someone messaged you, even if it shows a familiar logo.
- "Too cheap" is the oldest red flag. A room or KTX ticket priced far below everyone else is bait, not luck.
- Real companies don't demand your passport in a chat. If a "host," "agent," or "verification" page wants a passport photo plus card details to release your booking, stop.
Quick red-flags checklist
| You see this | What it usually means | Do this |
|---|---|---|
| Email/SMS link to a "discount" or "prize" booking | Lure to a copycat site or malware | Don't click. Go to the official app/site directly. |
| Domain spelled slightly off | Typo-squatting fake | Close the tab. Re-type the real URL. |
| "Confirm your booking" for a trip you didn't book | Fake confirmation phishing | Ignore it; check status only in the real app. |
| Page asks for passport photo + card to "verify" | Identity-harvesting page | Never send. Leave the page. |
| Price far below every other site | Bait pricing | Assume it's a scam. |
| Seller insists on bank transfer / crypto only | No chargeback = no recourse | Refuse. Pay by card only. |
Safe booking habits for Korea
A few specific habits make booking in Korea low-risk:
- Use official and established platforms. For trains, book on the official Korail site or its Korail Talk app rather than a deal page that "resells" KTX tickets. For hotels, prefer the property's own official site or a well-known, established booking app you reached yourself — not a link from an email.
- Pay by credit card, never bank transfer. A card gives you chargeback protection if the booking turns out to be fake. Bank transfers, gift cards, and crypto are favorites of scammers precisely because the money is gone for good.
- Turn on two-factor authentication (2FA) for your airline, mileage, and booking accounts. If your password leaks in a breach, 2FA is what stops a stranger from draining your miles or hijacking your reservation.
- Keep passport photos off chats and email. Some legitimate check-ins need ID, but a real hotel does this through its own secure system at the front desk or verified portal — not a stranger asking you to message a passport scan to "confirm."
- Be careful on public Wi-Fi. Airport and café networks are convenient but easy to snoop on. Avoid logging in or paying over open Wi-Fi; use your mobile data or a trusted VPN for anything sensitive.
- Watch for fake "booking confirmation" follow-ups. After you book legitimately, scammers sometimes send a copycat "update your payment" message. Always re-check your reservation inside the official app, never via the message's link.
If you've been scammed — who to call
Acting fast limits the damage. Do these immediately, in order:
- Call your card issuer right away to freeze the card and dispute the charge. The sooner you report, the stronger your chargeback.
- KISA 118 — Korea's internet incident hotline, run by the Korea Internet & Security Agency, free and 24/7. Dial 118 from any phone in Korea, or report online at boho.or.kr, for phishing sites, malware, and hacked accounts.
- Korean cyber police (ECRM) — file a cybercrime report at ecrm.police.go.kr, the National Police Agency's online reporting system, for fraud and stolen money.
- 1330 Korea Travel Hotline — the official tourism hotline offers free English (and other languages) help 24/7 and can guide you on next steps. Dial 1330 in Korea.
- If your passport was compromised, contact your embassy and watch for identity misuse; consider changing passwords and enabling 2FA on any account you reused that password on.
None of this should make you nervous about visiting Korea — booking a trip here is overwhelmingly safe and smooth. The scammers are simply counting on travelers being in a hurry. Slow down for ten seconds, type the real address, pay by card, and keep your passport out of chat windows — and you've defeated nearly every trick in this year's playbook.
Quick links
- KISA Boho-nara (118) — report phishing sites, malware, hacked accounts (24/7; dial 118).
- Korean Cyber Crime Reporting (ECRM) — National Police online fraud reporting.
- 1330 Korea Travel Hotline — free 24/7 English tourism help (dial 1330).
- Korail (official KTX booking) — book trains on the official site or Korail Talk app.
- Dailysecu — summer surge in travel booking site phishing (Nuri Lab) (Fake travel sites/apps, discount & prize lure emails carrying malware; verify official URLs)
- Boannews — fake travel event phishing (Fake travel-event and discount phishing campaigns)
- KISA Boho-nara / KrCERT — internet incident reporting (118) (KISA 24/7 hotline (118) for phishing, malware, hacked accounts)
- Korean National Police Cyber Crime Reporting (ECRM) (Official police system to report online fraud)