You call the number in the confirmation email…and discover you somehow booked through a third-party booking agency. Oh, and your room can’t be changed, only canceled, and if you cancel they will keep your money. Or, even worse, you get to the hotel and they have heard of neither you nor the company you supposedly booked through.

You were just victim of the one popular current version of the cloned website scam. Thankfully, it’s likely that your credit card company will take your side and return the money.

What Is a Cloned Website Scam?

In a cloned website scam, the scammers copy or “clone” a legitimate website. The victim thinks they are on a site they intended to visit – whether it’s a hotel site, Australian Medicare (one recent phish has been tricking elderly Australians into visiting a cloned version of the myGov site that processes payments), or even Amazon.

The copy of the website can be astonishingly exact, or just an approximation with copied logos, but the intent is to separate you from your money, your credit card number, or your login credentials.

human error

Human error is the most common cause of data breaches

What Variants of the Scam Are out There?

There are several variants of the cloned website scam:

  • Straight up phishing. The site is harvesting your credit card/banking details, your login credentials for an e-commerce site, or both. In many cases you might not even know you were “got” until you see spurious purchases on your card or find that somebody has been ordering things from Amazon under your name and shipping them as gifts.
  • The fake purchase scam. In this scam, you buy a product through the cloned site… and never receive it. Or you receive a shoddy knock off. This may, of course, be combined with stealing your card, but some of these scammers will simply hope that you won’t bother disputing charges on small amounts. Often, the amounts taken from individuals are less than $200, with some scammers taking $20 or so from each victim.
  • The booking fee scam. This is particularly common in the travel industry – in fact, cloning hotel websites is rampant. In this scam, you get what you intended to buy, but the scammer pockets $10-15 in “administrative” or “booking” fees.
  • Advance fee frauds. In some cases, cloned banking sites are used to deliver standard 419 scams such as “next of kin” scams or everyone’s old favorite, the Nigerian scam.
  • Drive-by downloads, where a cloned website is used to download malware onto your computer. This can include ransomware. I have yet to hear of any specific situations of website cloning being used for cryptojacking, but it is probably happening. Malvertising can also be a problem.
  • Click fraud. The cloned website may simply be defrauding advertising networks with tricky click-throughs.
  • SEO theft. In some cases, the target of the cloning is not customers, but the company whose site is being copied. Competitors will sometimes use a cloned website to try and steal Google rankings.

How Can You Protect Yourself?

A really good cloned website can be nearly impossible to distinguish from the real thing. Even experienced people have been known to fall for some of these sites, although scammers tend, as always, to target the elderly… or the rushed. The scammers use a number of tactics, which include:

  • Scraping the legitimate site and then simply editing a few details that relate to the scam.
  • Copying logos and other images.
  • Typo squatting – this is when a scammer buys a domain that is one letter or number away from the original. For example, would be a typo squat of
  • Having actual phone customer service. Yes, some of these people have call centers, and have been known to instruct their workers to lie and pretend to be somebody else.
  • Linking to press releases and news about the brand they are targeting.
  • Setting up bogus logins that allow you to see bogus account statements.
  • Offering financial incentives or “special deals.”
  • Paying for Google ads so that the fake website appears above the legitimate one in a search.

Protecting yourself, thus, means keeping an eye open for some of these things:

  • As always, never click on links in emails. Type in the URL or use an existing bookmark. Phishing through email is the number one way that people are caught out by these kinds of scams.
  • If doing a Google search for, say, a hotel room or plane tickets, don’t click on the sponsored ads, but scroll down and look for the actual hotel’s URL. (I recommend always booking directly through the hotel. Even legitimate third-party booking sites can cause problems and increase the risk of your reservation being lost).
  • Double check the URL before you enter any login credentials or your credit card number. Make sure it is not typo squatted. In the above-mentioned MyGov scam, Australian seniors were being redirected to rather than the real
  • Never enter login credentials or credit card numbers if the site is showing as http. Often, scammers are careless about security certificates.

What If You Are a Victim?

This scam is so common, so prevalent, and often so well done that more and more people are falling victim. Here’s what to do if you realize that you were tricked by a cloned website.

  1. If you logged into the clone, immediately go to your real account and change the password.
  2. Contact your credit card company. Dispute any transactions made through the site. If possible, screenshot the fake site so you have proof – these sites often vanish very quickly when a complaint is made. They will also be able to put a fraud watch on your account.
  3. Contact the company whose website was cloned, whether or not it is a company you normally do business with. They can take legal action against the fraudsters and/or warn their customers. If it’s a small company and they aren’t taking it seriously, it may also be worth contacting their website or e-commerce provider.
  4. If the purchase is travel-related, contact the actual vendor and make sure they have your reservation. Few things are worse than showing up at a hotel to find they haven’t heard of you and have no vacancies.

Get Surfshark for $1.99/mo

30-day money-back guarantee with every plan