Let me tell you about the worst kind of phone call an independent hotelier gets. A guest is standing at your front desk, furious, waving a confirmation email. They booked three nights, paid a 30 percent “service fee,” and the reservation does not exist in your system. They found you online, called the number, gave their card to someone polite and professional, and got robbed. And in their head, that someone was you.
I have walked a few owners through this exact mess, and the gut-punch is always the same: it feels like identity theft, because it is. Someone cloned your booking site, bought ads on your own name, and is harvesting your guests. The good news is that this is a solvable problem with a known playbook. The bad news is that nobody hands you the playbook, so let me.
What you are actually fighting
There are three flavors of this scam, and they overlap.
Lookalike domains. Someone registers grandviewhotel-reservations.com or book-grandviewinn.com or swaps a letter (grandveiw). They copy your homepage, sometimes pixel for pixel, point a booking form at a payment processor they control, and wait for traffic.
Rogue call-center ads. This is the nastier, more profitable one. They do not even need a great fake site. They buy search ads on your hotel name, list a phone number, and run a boiler-room operation that takes “reservations” by phone, charges junk fees, and either books you through an OTA at the last second (pocketing the spread) or simply takes the money and ghosts.
Hijacked listings and review-site clones. A fake “official site” badge, a spoofed entry on a sketchy directory, or a cloned Google Business Profile that reroutes your calls.
The dirty secret of these operations is that they are not hacking you. They are renting attention you never bothered to own. Every branded search result and AI answer you do not control is shelf space a scammer can rent instead.
This connects to a theme I hammer on constantly: if you do not dominate your own name, somebody else will profit from it. It is the same structural weakness that lets OTAs outrank you for your own hotel name — except a scammer is worse than Booking.com, because at least the OTA delivers the room.
Step one: detection, because most owners find out from an angry guest
You do not want the front desk to be your monitoring system. Here is the detection routine I run, and you can do most of it yourself in an afternoon.
1. Search your own name like a confused traveler. Open an incognito window and search these exact strings:
- your hotel name
- your hotel name + reservations
- your hotel name + official site
- your hotel name + phone number
- your hotel name + book direct
Look at the ads first, then the organic results, then the “People also ask” and any AI overview. You are hunting for two things: a phone number that is not yours, and a domain that is not yours dressed up to look official.
2. Ask the AI engines. This is the 2026 wrinkle nobody is checking. Ask ChatGPT, Gemini, Perplexity, and Copilot: “What is the official website and phone number for [your hotel]?” If an AI confidently hands a traveler a scammer’s number, you have a problem that lives entirely outside Google. I wrote more about why this matters in is your hotel invisible to ChatGPT — the same blind spot that hides you also hides impostors from your view.
3. Hunt for lookalike domains directly. A few free moves:
- Search domain registration databases (a WHOIS lookup) for variations of your name.
- Use a typosquatting checker to generate common misspellings, then see which resolve to live sites.
- Set a Google Alert for your hotel name in quotes, plus one for “[hotel name] reservations.”
- Check certificate transparency logs (crt.sh is the usual free tool) for any SSL certificate issued to a domain containing your brand. Scammers need HTTPS to look legit, so the certificate often shows up before you would ever find the site by searching.
4. Watch the money trail. Train your front desk to log every “I booked online and got charged a weird fee” complaint. Three of those in a month is not coincidence. That is a live operation.
Here is a quick reference for the signals and where they point.
| Signal you notice | What it usually means | First place to look |
|---|---|---|
| Wrong phone number in a Google ad | Rogue call center | Google Ads brand complaint |
| Near-identical domain, your photos | Cloned booking site | Registrar + host abuse |
| Guest charged a “service fee” you never charge | Boiler-room reseller | Card processor + ad platform |
| AI chatbot gives a number that is not yours | Poisoned AI answer | Your own AEO/GEO fixes |
| Cloned Google profile rerouting calls | Listing hijack | Google Business Profile support |
Step two: gather evidence before you fire a single shot
Every takedown body — registrar, host, ad platform, payment processor — wants proof, and they want it organized. Sloppy reports get ignored. So before you report anything, build a simple evidence pack:
- Screenshots with timestamps of the fake ad, the fake site, the fake phone number, and any confirmation email a victim received.
- The offending URL and domain, copied as text, not just a screenshot.
- WHOIS records for the lookalike domain (registrar, registration date, name servers).
- Your proof of identity as the real hotel: your trademark registration if you have one, your business license, your real domain registration showing you registered first, and dated photos proving the images are yours.
- A one-paragraph statement of the harm: guests defrauded, fees charged, brand confusion.
Keep one master document, dated, and add to it every time you find a new asset. When you escalate to a lawyer or a UDRP panel, this folder is the difference between a two-week resolution and a two-month one.
Step three: the takedown levers, in order of speed
I work these roughly fastest-to-slowest. Often you fire several at once.
Lever 1 — Ad platform brand complaints (fastest win)
If the scam is running on Google or Microsoft search ads using your name, this is your quickest kill. Both platforms have trademark and impersonation complaint forms. File under their advertising policy for misrepresentation and trademark misuse. A registered trademark makes this nearly automatic; without one, lean hard on the impersonation and “non-permitted business practices” angle (charging fees for a service they cannot deliver). Pulling the ad account cuts off the traffic that funds the whole operation, which is why I start here.
Lever 2 — Registrar and host abuse reports
Every domain has a registrar, and every site has a hosting provider. Both have an abuse contact, usually abuse@[provider] or a web form. Send your evidence pack with a clear, unemotional subject line like “Trademark infringement and consumer fraud — [your domain].” Cite phishing and fraud, not just trademark, because “this site is defrauding consumers” moves faster through an abuse desk than a pure brand dispute. Hosts can suspend a site in hours when fraud is obvious.
Lever 3 — Payment processor and card network
If a victim shares their confirmation, you can often see which processor took the charge. Report the merchant for fraud. Scammers live and die by their ability to take cards; getting a merchant account frozen is a body blow.
Lever 4 — Google Business Profile and listing platforms
If your actual listing was hijacked or a clone was created, work Google Business Profile support directly to reclaim or remove it. This is also the moment to lock down your own profile properly, which I lay out step by step in the Google Business Profile playbook for hotels.
Lever 5 — Legal escalation (UDRP and demand letters)
For a clear-cut cybersquatting case, the Uniform Domain-Name Dispute-Resolution Policy (UDRP) lets you go after the domain itself through the registrar’s dispute process. It is not free and not instant, but for an egregious clone of a trademarked name it works, and it transfers the domain to you rather than just taking it offline. A trademark lawyer’s cease-and-desist also carries real weight when the operator is reachable. This is the slowest lever, so I rarely lead with it, but for repeat offenders it is the one that makes the problem stay solved.
Realistic timeline: ad complaints can resolve in days, host suspensions in days to a couple of weeks, and a UDRP in roughly two to three months. Anyone promising an instant, permanent fix is selling you something. The goal is to make the operation unprofitable fast, then close the door for good.
Step four: own your name so this stops being possible
Here is the part most “takedown guides” skip, and it is the part that actually matters long term. Takedowns are whack-a-mole. The permanent fix is making your real presence so dominant that a fake never gets oxygen.
When a traveler searches your name and the top of the page is unmistakably you — your site, your verified profile, your sitelinks, your real phone — and the AI assistants all cite your official site, a scammer’s ad looks obviously wrong. Brand confusion is the scammer’s entire business model, so eliminate the confusion.
Concretely, the same work that wins you direct bookings is the work that armors you against impersonation:
- Lock down branded search. Run your own brand-term ad as a cheap insurance policy and make your organic branded result airtight. This is core hotel SEO work and it doubles as defense.
- Own the AI answers. Make sure the engines have a clean, consistent source of truth for your name, URL, and number. That is exactly what AEO and GEO is for, and “aeo” alone gets 27,100 US searches a month — these engines are where travelers increasingly start.
- Nail your local profile and consistency. Consistent name, address, and phone across the web through solid local SEO and Google Business Profile work makes the fake’s mismatched details stand out.
- Give people a clean reason to book direct. A fast, trustworthy book-direct experience means fewer guests wandering off to whatever “reservations” link they stumble on.
And do the boring prevention while you are at it: register the obvious typo and “-reservations” variants of your domain yourself (they cost about as much as a room-service sandwich), and trademark your name if you have not. A registered mark is the single biggest accelerator for every takedown lever above.
The honest bottom line
I will not pretend you can permanently eliminate every impostor on the internet, any more than I would promise you can fully escape the OTAs — both are about reducing exposure and clawing back control, not winning some final battle. New fakes can pop up; the same forces that push you below the OTAs (which I break down in how OTAs steal your search traffic) also create gaps a scammer can exploit. What you absolutely can do is detect them fast, shut them down efficiently, and build a branded presence strong enough that the next scammer goes and clones an easier target.
The hotels that get hit hardest are the ones that never owned their own name in search and AI to begin with. Fix that, and you solve two problems at once: more direct bookings and far fewer chances for someone to impersonate you.
If you think you have a clone or a rogue call center running right now, do not wait for the next angry guest. Book a free intro call and I will walk your name through every engine with you, build the evidence pack, and map the fastest takedown path for your specific situation. If you would rather start with the prevention layer, the AI visibility (AEO/GEO) service is where I would begin armoring your brand.