Scam alert: why you can’t trust that ‘Booking.com’ message

Booking.com users should remain on high alert for fake messages from fraudsters posing as their accommodation providers, says Which?. 

The slickest examples we've seen appear within the platform’s own messaging system, making them extremely difficult to spot. 

In 2024, we named Booking.com scams as one of the most convincing we’d come across. The travel company has tightened security expectations of the hotels and hostels it works with, and says it uses technology to identify suspicious behaviour and block malicious links. Despite that, we’ve continued to receive a steady stream of scam reports from customers. 

More than 40 people used the Which? Scam Sharer tool to tell us they'd been hit by scammers impersonating Booking.com or its partners in the first six months of this year, with individual losses ranging from £45 to £4,380. 

Read on to find out more about Booking.com scams and how to spot them.

How does the Booking.com scam work?

Scammers, posing as your accommodation provider, will ask you to verify your payment details or share sensitive data to ‘confirm your identity’ or ‘secure your booking’ to avoid your stay being cancelled. 

They may contact you by email, text, phone or a messaging platform such as WhatsApp, though the most convincing appear as messages when you log in to the Booking.com platform. 

One such message led Laura, 37, an architect living in Paris, to send €500 to scammers claiming to be from the Dublin hostel she had booked for a trip to Ireland in April 2025. In the weeks leading up to her visit, she started receiving messages within the Booking.com app asking her to confirm the reservation, stating that she needed to 'secure her spot'.  

Laura says: ‘I found it weird and didn't react at first, but I received more messages and decided to call the hostel to make sure this was normal. The person on the phone asked me to send an email sharing the message, which I did, and received no answer. Instead, I got a separate email that appeared to be from the hostel via its legitimate Booking.com account stating that the hostel took full responsibility for the message.’

Naturally taking this as confirmation that the original requests were legitimate, she duly made the payment. When she later discovered she had been tricked, the hostel claimed that Booking.com’s systems had been hacked so she should request a refund from Booking.com. 

Laura says it was ‘impossible’ to have a steady contact with Booking.com about the scam and, despite sending several messages via the Chat feature, she received no answer so came to Which? for help. 

How do Booking.com scammers send these messages?

Booking.com has always maintained that cyberattackers find holes in their accommodation partner’s online security systems, not its own. It’s perhaps easier to believe that independent hotels and hostels are more vulnerable to phishing or malware attacks by scammers looking to hijack their accounts than a titan such as Booking.com. Yet when we spoke to the Dublin hostel about Laura’s fraud complaint, it was certain that its own systems weren't breached. 

The group manager for the hostel explained that there were no signs of unauthorised access or unusual activity and it had ‘been made aware of a security breach within Booking.com’ instead. Which? was also told that the hostel uses 2FA (two-factor authentication) to protect its online accounts and found no evidence that someone else had triggered this security check.

When we put these claims to Booking.com, it insisted that neither its backend systems nor its infrastructure were breached, telling us that the rise of AI means cybercriminals can create increasingly sophisticated scams.

Booking.com said: ‘We are committed to proactively supporting both our accommodation partners and customers in staying protected. This includes ongoing education - keeping our partners informed about emerging scam tactics and equipping our customers with practical advice to help them stay safe while searching for and managing their bookings.’

Accommodation partners can choose to use specialised 'Connectivity' providers (arranged through Booking.com) to manage photos, reviews and guest messages directly – opening up another potential doorway to scammers – though there was no such arrangement in this case.

• Find out more: what happened when we paid for Booking.com accommodation that didn't exist

Fighting to be refunded

Laura’s refund was eventually processed, after Which? intervened on her behalf and Booking.com received a dispute letter from her bank.

Innocent Booking.com customers shouldn't have to battle to be refunded, which can be stressful and time-consuming, when Booking.com or its accommodation partners have been infiltrated. If you lose money to a scam like this, raise a dispute with your card provider using Section 75 (legal protection for credit card payments over £100) or chargeback (for disputed debit and credit card payments of any value). 

Although Booking.com is a leading travel accommodation site, its users appear to be disproportionately affected by this particular scam. We put it to Booking.com that it should be doing more to protect customers, explaining that we’ve been warning about this exact scam since June 2023. 

It told us that ‘phishing attacks by criminal organisations pose a significant threat to many industries, and we continue to make significant investments to limit the impact of such scams on our customers and accommodation partners.’

• Take action: use our free tool to request a refund from your card provider