Lack of proper checks is leaving Booking.com wide open to scammers, Which? warns
According to Statista, in January 2025, Booking.com was the most visited travel and tourism website worldwide. A Which? investigation has found that an easily hacked messaging system, failure to remove 'scam' listings, and a lack of identity checks on property owners is leaving holidaymakers unnecessarily exposed on Booking.com.
The consumer champion was able to list a holiday home on Booking.com in less than 15 minutes and - unlike on Vrbo or Airbnb - Booking.com did not ask to see a driving licence or passport.
This lack of proper identity checks has led to a deluge of dodgy listings on the platform. When Which? searched Booking.com reviews for the word ‘scam’ in summer 2024, the consumer champion found hundreds of reviews complaining that they had paid for accommodation that did not exist.
As part of that investigation, Which? sent 52 of these listings to Booking.com. It removed most of them, but told the consumer champion that most were not real scams – just owners who had neglected to switch off availability when accommodation had closed down or was temporarily shut.
When Which? checked again in November, it found exactly the same problem – 36 properties with hundreds of negative reviews pointing out that the accommodation was a scam.
Peter Walsh and his wife booked an apartment for their cycling holiday in Normandy in August 2024. However, when they turned up at the address, it ‘looked like a dentist’s surgery’ rather than a holiday home. There were two other angry and confused couples waiting outside. They were all left with a last-minute scramble for somewhere else to stay. Peter had a second shock when, although Booking.com told him it was investigating, he didn’t receive a refund. He phoned Booking.com straight away, but it was only after Which? contacted Booking.com two months later that he got his money back. Booking.com said that he had not been scammed, it was just that the owners had not kept their availability up to date and it was the owner’s responsibility to refund him.
Peter said: “Booking.com completely abandoned any notion of customer care and we felt as though we were treated with disdain and contempt by the company.”
Which?’s investigation also found that Booking.com’s security systems are not strong enough to stop scammers from listing on the site or from hacking genuine listings. To stop scammers, Booking.com said that it restricts new hosts from accepting prepayments until they have bookings and reviews - but this is not insurmountable for a fraudster.
Which? saw a Glasgow let on Booking.com which seemed to only have two reviews from people who actually stayed there. After this point, reviewer after reviewer complained that there was no one there to meet them or any way to access the property.
After several months, it had 36 one-star reviews – almost all complaining that this was a scam and they had not been refunded. Again, Booking.com removed the listing only after contact from Which?.
Which?’s investigation also exposed loopholes in the booking system which could be exploited by fraudsters.
In November 2024, Which? was contacted by an expert in 2FA, who had reached out to Booking.com through social media to warn that the 2FA on his guest account did not work. Anyone who hacked his email would have been able to access his messages, without additional verification. Booking.com has not fixed this issue, which could also affect other users.
The consumer champion also spoke to several consumers who were sent external links through Booking.com messages, which are often used by fraudsters to move transactions away from the official platform.
The cost of these frauds is more than just the hundreds of pounds people lose. One person Which? spoke to had booked flights to Kenya but was unable to afford new accommodation after losing £727 to a scam in September 2024. It was only after Which? secured him a refund that he could rebook and finally take his trip to Kenya.
On 17th March, the illegal harms codes of practice under the Online Safety Act will come into effect. This will require platforms to do more to prevent user-generated fraud (amongst other kinds of illegal content) on their sites by running risk assessments and having effective complaints procedures in place. In addition, large platforms - those with seven million monthly active users in the UK - at medium or high risk of fraud will be required to have a dedicated channel to report any scams which slip through the net. User-generated fraud in scope of the Online Safety Act can cover posts such as listing items for sale on second-hand marketplaces or properties for rent on travel websites.
From its investigation, Which? believes there are some basic changes Booking.com should make to reduce fraud on its site, including introducing identity checks for hosts before their listing can appear, making it mandatory for all users of the site to have two-factor authentication set up and banning the use of external links in Booking.com messages.
Which? also believes that Booking.com should also proactively investigate listings where there are multiple reviews claiming they are a scam and take action when it is alerted by users that a property does not exist, is not really open for business or is a scam.
Ofcom should take note of Which?’s findings. It is absolutely key that the regulator takes strong, decisive action against firms found not to be complying with the Online Safety Act's codes of practice to set a clear precedent that online platforms must do more to protect their users from scammers.
Rocio Concha, Which? Director of Policy and Advocacy, said:
“It’s really worrying that so many scams are slipping through the net on Booking.com.
“The illegal harms codes coming into effect on 17 March will require platforms to do more to prevent user-generated fraud but there are several simple changes that Booking.com could make now to tighten its security and close loopholes on its site which are being exploited by scammers.
“Ofcom should take note of these findings as the codes come into force. If these issues persist, Ofcom must make use of its new powers and not hesitate to take action against Booking.com and other platforms who are failing to prevent fraudsters from targeting and scamming their customers.”
-ENDS-
Notes to editors
Booking.com scams featured in Which?’s list of the five most convincing scams of 2024
Right of reply
Booking.com said: We are deeply committed to protecting our customers against fraud and scams. Online fraud is unfortunately a battle many industries are facing, however thanks to the robust security measures we have in place and our continuous efforts to enhance them, we are able to detect and block the vast majority of fraudulent activity.
We take the process of verifying accommodation listings seriously and have multiple controls and checks in place during sign-up, after submission and before listings become bookable. In the rare instance that a scammer finds a way to temporarily circumvent our controls, we seek to shut down the activity as quickly as possible and support any impacted customers quickly. In addition, we always recommend that customers read through our reviews and property rating scores before booking, to ensure they can see the views of others who have also stayed at the property.
Two-factor authentication, a measure used by many organisations, is just one of the methods we deploy for additional security. If a customer suspects that their email account has also been compromised, we recommend that they reach out to their email provider and also to our 24/7 customer service team.
About Which?
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at endorsementscheme@which.co.uk.