Fake Airbnb host payout-hold lure — "payout held due to guest complaint / KYC re-verification / policy review, verify within 24 hours or listing delisted" targeting 5M+ Airbnb hosts; host credentials + 2FA + bank routing harvest enables payout redirect, listing hijack (attacker relists under trusted-reputation account), reservation-fee extraction, past-guest PII exfil

Fake "your Airbnb payout has been placed on hold due to a guest complaint / KYC re-verification / policy review — verify within 24 hours or the payout will be canceled and your listing will be delisted" email targeting Airbnb's 5M+ host base. Harvests host credentials, 2FA, and bank routing. Post-compromise attackers: (1) redirect the Airbnb payout to attacker-controlled bank accounts; (2) delist the real listing and relist attacker-controlled ones under the same trusted-reputation host account, gaining the review history of a legitimate operator; (3) exfil message history with past guests (guest PII for credential-stuffing downstream); (4) hijack upcoming reservations to extract guest cancellation fees or scam upcoming arrivals. The lure converts because Airbnb genuinely DOES place payouts on hold for real compliance and dispute reasons — chargebacks, guest disputes, KYC re-verification. Hosts are primed because payout holds are common and lost payout equals lost cash flow. Airbnb's own security advisory plus travel outlets (The Points Guy, Skift) documented sustained 2024-2025 campaigns. Fires when body references Airbnb / Airbnb host / Airbnb listing / Superhost / host payout / Airbnb reservation AND contains payout-hold / guest-complaint / listing-delist / KYC-re-verification / verify urgency. Excludes airbnb.com (+.co.uk, .de, .fr, .it, .es, .com.au, .se) and airbnbmail.com. Auto-classified as danger via the `-lure` suffix.