Policy article

OPINION: We found other couples at our holiday home in a booking.com scam - what can we do?

3 min read
Rocio ConchaDirector of Policy and Advocacy, and Chief Economist

Originally published in The i Paper 13 March 2025. Permission to publish all opinion pieces authored by Rocio Concha, sought and granted on 3 July 2025.

When Peter Walsh and his wife booked accommodation for a cycling holiday in Normandy last August, they anticipated passing through rolling hills, by hedgerows and wetlands, before relaxing in an apartment. What they didn’t bargain for was that on arrival there would be two other couples waiting outside a building that resembled a dentist’s surgery rather than the holiday home they (all) thought they’d booked. Cue a rush for all six holidaymakers to find alternative accommodation. 

As new research from Which? lays bare, this is not an isolated incident on Booking.com. We’ve found that a lack of effective checks is leaving the site, which in January was ranked one of the most visited travel and tourism websites in the world by market research company Statista, wide open to unscrupulous actors. 

When our researchers looked in more detail at the site, it was alarmingly easy to bypass identity checks, such as providing a driving licence or passport. The messaging system was straightforward to hack, as Booking.com gives its accommodation partners access to it. This means that fraudsters have simply hacked hotels or other accommodation providers - and then used Booking.com's own messaging system to contact and defraud guests. Booking.com told Which? it was ‘deeply committed to protecting our customers against fraud and scams’, noting that it had ‘multiple controls and checks in place during sign-up, after submission and before listings become bookable’ and ‘seeks to shut down the activity as quickly as possible and support any impacted customers quickly.’

This isn’t an isolated incident. The reality is that fraudsters are relentless in their pursuit of our personal information and ultimately money - and they are constantly hoping to exploit weaknesses in consumer protections online. 

The rapid rise of artificial intelligence is likely to make the task of spotting what’s real and what’s a scam even more difficult for consumers. Fraudsters are particularly fond of using well-known celebrities, such as Taylor Swift, Elon Musk or Richard Branson in material about investment schemes because they are popular and trusted voices. These are bogus endorsements, but deepfake videos making use of cloned voices can give the impression that people said things they never have. At other times, real footage of somebody can be manipulated and edited - often with scarily real results. 

Clearly, consumers need help to ward off the fraudsters. On Monday, the Illegal Harms Codes of Practice, which are legally enforceable duties under the Online Safety Act (OSA), come into force. The OSA is a flagship piece of legislation aimed at keeping consumers safe online, and from Monday Ofcom can enforce against those who do not comply. Under the codes, platforms must take a range of actions to prevent user-generated fraud from appearing on their sites in the first place, and must swiftly take down any such frauds as soon as they become aware of them. Ofcom was due to consult on another set of codes to prevent paid for fraudulent advertising on the largest platforms this year, but it has pushed the consultation timeline back to 2026.

To be clear, this shouldn’t replace the action that individual sites can take to make simple changes that will protect their customers. Booking.com, for instance, should be tightening its security and closing loopholes, like the ease of identity checks, without any regulatory prodding, as well as carrying out illegal content risk assessments for fraud and other offences under its duties in the OSA.

In the meantime, Ofcom should take note of these and the many other examples of online scams and take decisive action against firms found not to be complying with the Online Safety Act's codes of practice to set a clear precedent that online platforms must do more to protect their users from scammers. It should also reverse its decision to delay the implementation of codes of practice covering paid-for fraudulent advertising, a delay which means that consumers will continue to face threats from many forms of fraudulent advertising into 2027.