
Rental Car Scams: Fake Turo, Hertz, and Enterprise Sites Are Booking You Into Nothing

Cautellus Team
June 10, 2026

The cheapest rental car deal you find on Google is probably not a rental car deal. It's a checkout page. The car doesn't exist. The "booking" goes to a Cloudflare-hosted domain that was registered three days ago in someone's bedroom.

This isn't a hypothetical. Pull any week of urlscan.io submissions and you'll find live phishing sites impersonating Turo, Hertz, and generic "rentacar" brands — most of them less than a week old, most fronted by Cloudflare, most still standing when you check them. Rental-car phishing is a smaller vertical than housing rental scams or vacation rental fraud, but it's real, it's active, and it has a measurable pattern.

This post is the field guide. Real fake URLs. Real kit signatures. Real defense.

The Scams That Actually Run

Brand impersonator domains

The simplest play: register a domain that looks like Turo or Hertz, slap a checkout page on it, buy a few Google ads, collect cards. We've pulled four confirmed phishing domains for this pattern from urlscan.io's public threat-intel:

  • turo-rental.com — confirmed phishing, Cloudflare-fronted, tagged March 2025
  • hertz-equity.com — confirmed phishing, registered the day before it was scanned (the classic short-fuse signature)
  • carrental-devicienti.com — generic "carrental" lookalike, Cloudflare, phishing-tagged
  • rentacar-support.com — uses the rental-brand bait to phish Microsoft 365 credentials instead

These are not theoretical. These are domains that resolved, served HTML, and got flagged by automated security crawlers. If you pasted any of them into Cautellus today, our scanner would flag them in under a second — domain age plus TLS issuer plus the lookalike-distance check is enough.

The "filocar" kit cluster

Some scammers are lazier than others. In November 2025, four domains popped up on urlscan in the same week — all .online TLD, all Cloudflare, all serving content at the same /tema/rentacar/ path:

  • lifefilocar.online
  • cryaracfilo.online
  • centerfilocar.online
  • crystalfilo.online

That's one actor. Same kit, same hosting pattern, same URL structure. They're rotating domains as security tools catch them, which means the next batch is already registered. If you ever see a rental-themed URL on a brand-new .online domain serving anything under /tema/rentacar/, the answer is no.

Compromised legitimate sites

A Bulgarian security site, gpsecurity.bg, got compromised and now serves a phishing kit at /rentacar/img/si/130/. The domain itself is real and trusted. The path is poison. This is harder to spot manually — the domain age is fine, the TLS is fine, the WHOIS is fine — but the URL structure is the signature. Cautellus checks URL paths against known kit signatures, not just domain reputation, which is why path-level rules matter.

The EdgeOne SEO scam farm

This one's the most creative. Tencent's EdgeOne Pages (edgeone.app, edgeone.dev) lets anyone spin up a disposable subdomain in seconds. A scam farm in Singapore has been using it to re-host the same fake rental article — titled "Audi is taking on Enterprise and Hertz with a rental service that delivers luxury cars to your door" — across dozens of throwaway subdomains, all flagged phishing by urlscan since November 2025. As fast as one gets caught, the next one ships.

Examples from the last six months:

  • ttslbdsitustox-dpl00klhgfyf.edgeone.dev
  • madamslowlifesitustox-dpmzpdur2j89.edgeone.dev
  • jagatcloudworksramp-dp6a3mj23vk1.edgeone.app
  • camperdirectoryweb-1maylf9i5u.edgeone.app
  • fleetfosfosodahugo-dx5ss2s135.edgeone.app

If you ever see a .edgeone.dev or .edgeone.app subdomain in a rental-deal URL, treat it as guilty until proven otherwise. Legitimate rental brands don't host on disposable pages-services.
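
The four patterns above can be written down as URL-structure rules. The sketch below is an added example, not Cautellus's scanner code: the rule names and the `triage` function are hypothetical, the rules only restate what this post describes, and domain age and TLS issuer are left out because they need a network lookup.

```python
import re
from urllib.parse import urlsplit

# Official domains named in the article (assumption: extend this map per brand).
OFFICIAL = {"turo": "turo.com", "hertz": "hertz.com", "enterprise": "enterprise.com"}
GENERIC_BAIT = {"rentacar", "carrental"}            # generic lookalike tokens
DISPOSABLE_SUFFIXES = (".edgeone.app", ".edgeone.dev")
KIT_PATH = "/tema/rentacar/"                        # path shared by the "filocar" cluster


def triage(url: str) -> list[str]:
    """Return the article-derived rules a URL trips. Hits are signals, not verdicts."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path.lower() + "/"
    tokens = set(re.split(r"[.-]", host))           # "turo-rental.com" -> turo, rental, com
    hits = []

    # Brand token in the hostname, but host is not the official domain or a subdomain of it.
    for brand, official in OFFICIAL.items():
        if brand in tokens and host != official and not host.endswith("." + official):
            hits.append(f"brand-lookalike:{brand}")

    # Generic rental bait used as a hostname token.
    if tokens & GENERIC_BAIT:
        hits.append("generic-rental-bait")

    # Disposable EdgeOne Pages subdomain.
    if host.endswith(DISPOSABLE_SUFFIXES):
        hits.append("disposable-edgeone-host")

    # Known kit path (strongest on .online), else a bare /rentacar/ directory,
    # which is how the kit appears on a compromised but otherwise clean domain.
    if KIT_PATH in path:
        hits.append("kit-path-online" if host.endswith(".online") else "kit-path")
    elif "/rentacar/" in path:
        hits.append("rentacar-path")
    return hits


if __name__ == "__main__":
    # URLs cited in the article, plus official hosts as controls
    # (support.hertz.com is a constructed subdomain used only as a control).
    for u in ["turo-rental.com", "https://lifefilocar.online/tema/rentacar/",
              "https://gpsecurity.bg/rentacar/img/si/130/", "https://turo.com/",
              "https://support.hertz.com/"]:
        print(u, "->", triage(u) or "no rule hit")
```

Matching on whole hostname tokens keeps unrelated words that merely contain a brand string from firing, at the cost of missing run-together names; an empty result means no rule fired, not that the site is safe.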


Why Rental Car Phishing Works So Well

Three reasons.

Search intent meets emotional urgency. People shopping for a rental car are usually shopping for one specific trip — a wedding, a funeral, a job interview, a vacation that's been booked for months. The window is closed. The clock is running. When Google shows them a result that's $40 cheaper than Hertz, they don't squint at the URL. They just click.

Branded ads run faster than ad review. Scam rental-car landing pages frequently arrive through Google Ads. The scammer pays, the ad goes live, the platform reviews it later — and by the time the ad is pulled, the campaign has already collected. The FBI's Internet Crime Complaint Center has been tracking branded-search-ad scams as a top-five vector for two consecutive years.

The "third-party booking site" mental model exists. Real third-party rental aggregators exist (Kayak, Priceline, Expedia). Their existence means a stranger-looking URL doesn't automatically read as suspicious. Scammers exploit the gap between "looks like an aggregator" and "is an aggregator."

How to Check a Rental Car URL in 10 Seconds

There's no manual checklist that beats just running the URL through a scanner — that's the whole reason Cautellus exists. But here's the manual version:

  1. Type the brand name into a clean browser tab. Don't click the link in the email or ad. Go to turo.com or hertz.com or enterprise.com directly and search for the booking there. If your "deal" doesn't appear in the official app, the deal doesn't exist.
  2. Check the domain registration date. Use a WHOIS lookup (or paste into Cautellus, which does it automatically). Real Hertz has been registered since 1994. If the domain claiming to be Hertz is one week old, it isn't Hertz.
  3. Look at the TLS issuer. Real corporate rental brands use enterprise certs from DigiCert, Sectigo, or GlobalSign. A free Let's Encrypt cert on a domain claiming to be a Fortune-500 rental company is a tell — not proof, but a tell.
  4. Cross-check the URL against urlscan.io's public search. Free, anonymous, works in the browser. If the domain has been submitted as phishing in the last 90 days, you'll see it.
  5. Use the scanner above on this page. Faster than steps 1–4, and it does all of them.

What to Do If You Already Paid

Move fast. Each hour cuts your recovery odds in half.

Card payments (Visa, Mastercard, Amex). Call the number on the back of the card and dispute the charge as "services not rendered" or "merchant fraud." Cite that the booking went through a domain you can no longer access. Most banks will reverse a recent charge with minimal pushback if you report within 60 days.

Zelle, Venmo, Cash App, wire transfer, or gift cards. Recovery is much harder but not zero. File reports at:

  • FBI IC3 (ic3.gov). Every report feeds into the database law enforcement uses to seize assets. Operation Blackout (the 2026 FBI scam compound takedown) recovered $8–15 billion in crypto using exactly this data.
  • FTC ReportFraud (reportfraud.ftc.gov). Same logic.
  • Your state attorney general — most states have a consumer fraud division.

Whatever you do, don't pay a "recovery service" upfront. People who promise to recover scammed funds for a fee are running the second-act scam. Real law enforcement doesn't charge you.

Report the phishing URL. Submit it to PhishTank (phishtank.com) and the brand's official fraud team (Hertz: fraud@hertz.com; Turo: in-app trust & safety). The brand will move to shut it down, which protects the next person.


Frequently Asked Questions

How do I know if a rental car website is fake?

Check the domain against the brand's official URL — real Turo lives at turo.com, real Hertz at hertz.com. Scam sites use lookalikes like turo-rental.com and hertz-equity.com. Run the URL through Cautellus before you enter a card. Cautellus checks domain age, TLS issuer patterns, and known phishing-kit signatures.

What are common fake rental car URL patterns?

Brand-plus-keyword lookalikes (turo-rental.com, hertz-equity.com), generic "rentacar" or "carrental" prefixes, .online TLD domains serving content at /tema/rentacar/ paths, and disposable subdomains on Tencent EdgeOne re-hosting fake rental articles. All confirmed phishing on urlscan.io.

I paid for a Turo rental and the host disappeared — what do I do?

Check whether the booking was made inside the official Turo app — if not, Turo cannot help. Then call your card issuer and request a chargeback citing "service not rendered." File at ic3.gov and reportfraud.ftc.gov. Never pay a "recovery service" upfront.

Are rental car phishing sites common?

Smaller in volume than housing-rental scams, but real and growing. Active phishing infrastructure for Turo, Hertz, and "carrental" themes is documented monthly on urlscan.io, OpenPhish, and PhishTank.

How do I check a Turo, Hertz, or Enterprise URL before booking?

Type the brand name into a clean browser instead of clicking the link. Paste the URL into Cautellus. Verify the booking exists in the brand's official app before traveling. Most scams collapse at one of these three checks.

What's the difference between a Turo scam and a fake Turo website?

A "Turo scam" usually means a host scam inside the real platform — a fraudulent host listing a vehicle they don't own. A "fake Turo website" is a phishing site impersonating the real Turo domain to steal payment info. Both happen. Inside-platform scams are handled by Turo support and your card issuer; impersonator sites are handled by reporting the URL to PhishTank and getting a chargeback.


Sources: urlscan.io public threat-intel feed (Mar 2025 – Jun 2026), FBI Internet Crime Complaint Center (IC3) annual reports, FTC Consumer Sentinel Network, Better Business Bureau Scam Tracker. Confirmed phishing URLs cited above are pulled from publicly available urlscan submissions tagged "phishing" or "malicious" at scan time.


Courtney

Founder, Cautellus · 20+ years in financial services

Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.
