How scammers successfully targeted guests of the world’s favourite place to book a hotel.
by Trevor Baker of Which
It took less than 15 minutes to list a holiday home on Booking.com.
We didn’t need to provide proof of who we were. And, unlike if you put your house on Expedia’s Vrbo – or on Airbnb the last time we tried – there was no request to see a driving licence or passport. This speed and convenience for owners might be part of the reason that Booking.com is now a global behemoth, not just for hotel bookings but for small holiday lets, too, with more than a billion reservations each year.
Unfortunately, it might also be one of the reasons why so many people have been defrauded on the site.
In the summer of 2024 we searched Booking.com reviews for the word ‘scam’ and found hundreds of people from the past few months complaining that they’d paid for accommodation that didn’t exist. As part of that investigation, we sent 52 of these ‘scam’ listings to Booking.com. It removed most of them, but told us that most weren’t real scams – just owners who had neglected to switch off availability when accommodation had closed down or was temporarily shut.
When we checked again, in November, we found exactly the same problem – 36 properties with hundreds of negative reviews pointing out that the accommodation was a scam. Angry guests we spoke to were incredulous at the idea that these weren’t really scams. They’d paid for accommodation, didn’t get to stay, and didn’t get their money back until we intervened. The idea that they hadn’t been ‘scammed’ seemed bizarre.
If you contact Booking.com to complain you’ve been scammed, it will chase your money but it won’t necessarily refund you itself.
We warned in 2024 that Booking.com scams were among the most dangerously convincing we’d seen
Scam listings – live for months on Booking.com
To stop scammers, Booking.com told us that it restricts new hosts before they can accept payment bookings. It’s true that we weren’t able to accept prepayment for the listing we set up; we’d need to have some bookings and reviews first. But that’s not insurmountable for a scammer.
Hiding bad reviews
One obvious lesson is to always read the reviews, but Booking.com even made this much harder than it needs to be. Click on a holiday let in the centre of Podgorica, Montenegro, and you’d be reassured by the 6.4 rating, which Booking.com summarises as ‘pleasant’. The first two reviews you’re shown describe it as ‘superb’ (9/10) and ‘good’ (7/10). However, you’d need sharp eyes to notice that Booking.com is showing you reviews it has inexplicably decided are the ‘most relevant’.
Switch your settings to look at ‘newest’ and you’ll see that 10 of the last 12 reviewers are furious. They describe it as a ‘con’, a ‘scam’ and ‘a nightmare’. (The other two, suspiciously, give it 10/10.) We highlighted the problem with ‘most relevant’ reviews in August, but Booking.com figuratively shrugged and said that people can always switch to ‘most recent’ if they want to.
However, in December, following our pressure, it emailed its users to say that it was going to change its system to give recent reviews more prominence.
Dangerously convincing scams
Booking.com has tools that make life easier for anybody who wants to set up as a host. Unfortunately, they’ve also made life easier for scammers. If you’re a fraudster who wants to set up a listing on Booking.com, you don’t even need to speak English. Its algorithm will write a listing for you in terms, it says, that are ‘proven to attract guests’. It will then accurately translate it into 25 different languages. The fact that listings – both genuine and nefarious – could be written using the same Booking.com algorithms, rather than by owners personally, makes it hard to tell the difference between a genuine listing and a scam. It’s not the only way scammers have learnt to use Booking.com’s own tools against it.
When we investigated Airbnb frauds in 2017, we felt confident telling people they’d be safe as long as they only communicated inside Airbnb’s messaging systems. That isn’t the case with Booking.com. If its hotels and hosts have been hacked, it can be very difficult to know if the message you receive is genuinely from the hotel or a scammer.
Another problem is that some users we spoke to were sent external links through Booking.com messages. This is despite Booking.com confirming that it can block links entirely if it wants to. It only does this if it’s already seen signs of suspicious activity, but it would be better if it simply banned all external links unless it’s clear that they’re harmless.
Booking.com’s failure to block malicious links, remove ‘scam’ listings and – until recently – mandate two-factor authentication for hosts suggests a carelessness towards users’ security. And its decision to show the supposedly ‘most relevant’ reviews instead of ‘most recent’ was bizarre. Booking.com told us that if it’s alerted to issues with listings, it investigates immediately, removing them if necessary. It said it’s using new technology to identify suspicious behaviour and block malicious links. There’s also a cybersecurity hub, with advice for hosts and guests. We accept that it’s safer than it was last year. But in our view it’s been too slow to spot how easily its tools have been adapted by scammers to steal money. When things do go wrong, it’s been far too slow to refund customers. It still needs to make it much harder for its platform to be abused.