Episode 14 – AI Spoofs, Scams & Scares, what Tourism Operators need to do now to protect themselves

Find us on your favourite podcast provider:

It looked like my email. It sounded like my voice. But it wasn’t me.Welcome to the age of AI-powered scams.

Cybersecurity isn’t just an IT problem anymore—it’s a marketing, operations, and brand reputation issue. In this episode of the Untangling Tourism Tech podcast, Fabienne and Liz share jaw-dropping stories of modern AI-powered scams and break down simple but powerful steps that every tourism business should take to protect their brand, money, and customers.

Cybersecurity on AI steroids: what’s happening now?

In 2025, scams have become faster, smarter, and eerily personal, all thanks to AI. Tourism operators and industry organisations are increasingly being targeted in ways that feel completely legitimate. One client had three separate scam attempts in a fortnight: emails that appeared to come from their CEO, referencing real projects and targeting trusted contacts. Another time, Fab received a call where the scammer pretended to have her voice on file.

AI can now to all the below, so imagine the insights it has to impersonate YOU either via email, text message but also voice…

• Use natural, conversational tone to convince even savvy professionals to act fast on fake requests.
• Mimic voices using just a few online clips.
• Scan your website or About Us page to understand relationships and organisational structure.

Email spoofing: The open door most tourism businesses don’t know is unlocked

What Is email spoofing?

Spoofing is when someone sends an email that looks like it’s from you but it’s not. To the recipient, it might say fabienne@tourismtribe.com, but behind the scenes, it’s coming from a different source.

Real tourism example

A scammer posed as a tourism CEO and tricked a committee member into transferring money. They even used the correct first name, tone of voice, and referenced a real project, all gleaned from the organisation’s own website.

Why it works:

• People trust known names and email addresses.
• Basic email inboxes and hosting (e.g., via your website host) often lacks modern security checks.
• AI speeds up targeting by scanning public data and composing realistic messages instantly.

How to protect your email and domain from spoofing

Most tourism businesses don’t realise that email security starts with their domain.

Action Steps:

1. Use a Professional Email Platform: switch to Google Workspace or Microsoft 365 or similar and avoid using email tied to your website hosting. Google Workspace and Microsoft 365 offer far stronger protection against spam and spoofing than standard web hosting email. They use AI and threat intelligence to scan billions of emails daily, blocking over 99.9% of spam and phishing attempts before they reach your inbox. Unlike basic email systems, they also fully support and enforce SPF, DKIM, and DMARC authentication, making it much harder for scammers to impersonate your email address or domain.
2. Add the “Big 3” DNS Records to your domain
   These are essential for email protection:
   • SPF (Sender Policy Framework)
   • DKIM (DomainKeys Identified Mail)
   • DMARC (Domain-based Message Authentication, Reporting and Conformance)
3. Run a free email security test
   You can check your email health here: https://mxtoolbox.com/emailhealth/ – If something fails, you’re at risk. Contact us on help@tourismtribe.com to help you sort it out if you don’t feel confidentdoing it yourself.
4. Ensure admin access to your domain name
   If you don’t control your domain, you can’t protect your brand. Fight for admin access if needed, your future cyber-safety depends on it.
5. Finally, review all your credentials and make sure you have admin access to all the tools that you may need access to in case of a cyber attack: start here and learn how to get your digital ducks in a row.

AI voice spoofing: the next frontier of fraud

What if a scammer could call your staff or clients sounding exactly like you?

It’s not hypothetical anymore. With voice cloning tech, all they need is:

• A few clips from a podcast or voicemail.
• Public details from your website.
• An AI-powered bot to mimic your tone, script, and intent.

Real example:

Fab clicked on a legitimate-looking email. Two weeks later, she received a call from a spoofed number using a voice that sounded like her—complete with stern tone and a believable script about a financial issue.

How to defend against voice spoofing

• Hang up and call back. But don’t use the number they give you.
• Use Google Business Profile listings to find official phone numbers.
• Educate your team to follow this protocol every time.
• Don’t rely on website numbers, they can be faked too especially if you don’t have security on your website (read more here)

AI makes scammers faster, smarter, and more personal

Fab and Liz also dicusss how AI allows scammers to:

• Write perfect emails using your tone.
• Reference specific relationships or projects.
• Mimic your voice and personality in seconds.
• Tailor scam messages based on social media, About Us pages, and past communications.

So while you’re working hard on AI search visibility and SEO, remember: scammers are scraping the same data to impersonate you.

Practical security tips for tourism businesses

Share this with your team

Use this podcast episode as a conversation starter at your next team meeting. Cybersecurity is no longer optional, especially when AI is involved.