We didn’t need to provide proof of who we were. And, unlike if you put your house on Expedia’s Vrbo – or on Airbnb the last time we tried – there was no request to see a driving licence or passport. This speed and convenience for owners might be part of the reason that Booking.com is now a global behemoth, not just for hotel bookings but for small holiday lets, too, with more than a billion reservations each year.
Unfortunately, it might also be one of the reasons why so many people have been defrauded on the site.
How we investigated Booking.com
When we checked again, in November, we found exactly the same problem – 36 properties with hundreds of negative reviews pointing out that the accommodation was a scam. Angry guests we spoke to were incredulous at the idea that these weren’t really scams. They’d paid for accommodation, didn’t get to stay, and didn’t get their money back until we intervened. The idea that they hadn’t been ‘scammed’ seemed bizarre.
This is exactly what happened to Peter Walsh. He and his wife booked an apartment for their cycling holiday in Normandy. However, when they turned up at the address, it ‘looked like a dentist’s surgery’ rather than a holiday home. There were two other angry and confused couples waiting outside. They were all left with a last-minute scramble for somewhere else to stay.
Peter had a second shock when, although Booking.com told him it was investigating, he didn’t receive a refund. He phoned Booking.com straight away, but it was only after we contacted it two months later that he got his money back. Booking.com said, again, that he hadn’t been scammed. It was just that the owners hadn’t kept their availability up to date. Why did it take so long to refund him? Because, the company says, that was the owner’s responsibility.
If you contact Booking.com to complain you’ve been scammed, it will chase your money but it won’t necessarily refund you itself.
We warned in 2024 thatScam listings - live for months on Booking.com
To stop scammers, Booking.com told us that it restricts new hosts before they can accept payment bookings. It’s true that we weren’t able to accept prepayment for the listing we set up; we’d need to have some bookings and reviews first. But that’s not insurmountable for a scammer.
Take a Glasgow let we found on Booking.com. The first two reviews are from people who stayed (they seem to have had a terrible time, as both rated it one star), but they’re the only people to have genuinely stayed there. For months afterwards, reviewer after reviewer complained that there was no one there to meet them or any way to access the property. It was a scam. One even posted a picture of a handwritten sign the exasperated neighbours had put on the door warning that ‘it seems to be operating as a scam’ and ‘people may struggle to get a refund’. By November 2024 it had 36 one-star reviews – almost all complaining that this was a scam and they hadn’t been refunded. Again, Booking.com removed the listing only after we contacted it.
Hiding bad reviews
One obvious lesson is to always read the reviews, but Booking.com even made this much harder than it needs to be. Click on a holiday let in the centre of Podgorica, Montenegro, and you’d be reassured by the 6.4 rating, which Booking.com summarises as ‘pleasant’. The first two reviews you’re shown describe it as ‘superb’ (9/10) and ‘good’ (7/10). However, you’d need sharp eyes to notice that Booking.com is showing you reviews it has inexplicably decided are the ‘most relevant’.
Switch your settings to look at ‘newest’ and you’ll see that 10 of the last 12 reviewers are furious. They describe it as a ‘con’, a ‘scam’ and ‘a nightmare’. (The other two, suspiciously, give it 10/10.) We highlighted the problem with ‘most relevant’ reviews in August, but Booking.com figuratively shrugged and said that people can always switch to ‘most recent’ if they want to.
However, in December, following our pressure, it emailed its users to say that it was going to change its system to give recent reviews more prominence.
Dangerously convincing scams
Booking.com has tools that make life easier for anybody who wants to set up as a host. Unfortunately, they’ve also made life easier for scammers. If you’re a fraudster who wants to set up a listing on Booking.com, you don’t even need to speak English. Its algorithm will write a listing for you in terms, it says, that are ‘proven to attract guests’. It will then accurately translate it into 25 different languages. The fact that listings – both genuine and nefarious – could be written using the same Booking.com algorithms, rather than by owners personally, makes it hard to tell the difference between a genuine listing and a scam. It’s not the only way scammers have learnt to use Booking.com’s own tools against it.
When medic, Aisling, finally got to the end of a 15-hour shift at her hospital, she switched on her phone and saw she had an email. It was from the hotel she’d booked via Booking.com for a trip to Copenhagen, asking her to click on a link and confirm her reservation. ‘I had read about scams on Booking.com,’ she says, ‘so I didn’t click.’ However, when she logged into the Booking.com app she saw a similar message there, with a link to confirm her booking with a payment of €759, which, it said, wouldn’t be taken until she arrived.
Tired after a long day and nervous of her booking being cancelled, she paid. When the money disappeared, she replied on the same thread asking what had happened. The hotel said there’d been a ‘security incident’ and warned her, too late, not to click on any links. Its message was addressed to ‘Dear Guest’. Oddly, while the fraudsters had addressed her by name, the hotel didn’t. ‘Are you telling me my €759 is lost?’ she replied. It responded by asking her to contact Booking.com. She did just that, but it wasn’t until we emailed the platform on her behalf, a month later, that she got a refund.
We contacted Booking.com about six people who’d either been scammed or turned up to accommodation that didn’t exist. It refunded all of them – but only after we got involved.
When we investigated Airbnb frauds in 2017, we felt confident telling people they’d be safe as long as they only communicated inside Airbnb’s messaging systems. That isn’t the case with Booking.com. If its hotels and hosts have been hacked, it can be very difficult to know if the message you receive is genuinely from the hotel or a scammer.
Security issues
In September last year, Booking.com finally tightened security for hotels and hosts. They now need to use a two-stage process, known as two-factor authentication (2FA), to get access to their accounts and messages. As well as having a password, they’re also sent a code to an email or phone number before being able to use the site. It’s a barrier for fraudsters because it means that merely getting access to the Booking.com account shouldn’t be enough. You’d need to have access to the phone or separate email as well. Guests can also set up 2FA.
However, in November we were contacted by an expert in 2FA, who had reached out to Booking.com through social media to warn that the 2FA on his guest account didn’t work. Anyone who hacked his email would have been able to access his messages, without additional verification. Booking.com hasn’t fixed his issue, and we don’t know how many other people are affected.
Another problem is that some users we spoke to were sent external links through Booking.com messages. This is despite Booking.com confirming that it can block links entirely if it wants to. It only does this if it’s already seen signs of suspicious activity, but it would be better if it simply banned all external links unless it’s clear that they’re harmless.
The cost of these frauds is more than just the hundreds of pounds people lose. One person had booked flights to Kenya but was unable to afford new accommodation after losing £727 to a scam. It was only after we secured him a refund that he could rebook and travel.
Booking.com’s failure to block malicious links, remove ‘scam’ listings and – until recently – mandate 2FA for hosts suggests a carelessness towards users’ security. And its decision to show the supposedly ‘most relevant’ reviews instead of ‘most recent’ was bizarre. Booking.com told us that if it’s alerted to issues with listings, it investigates immediately, removing them if necessary. It said it’s using new technology to identify suspicious behaviour and block malicious links. There’s also a cybersecurity hub, with advice for hosts and guests. We accept that it’s safer than it was last year. But in our view it’s been too slow to spot how easily its tools have been adapted by scammers to steal money. When things do go wrong, it’s been far too slow to refund customers. It still needs to make it much harder for its platform to be abused.
What we think Booking.com needs to do
Trevor Baker, Which? Senior Researcher/Writer, says:For more investigations like this, unbiased advice and independent recommendations - subscribe tosource https://www.which.co.uk/news/article/what-went-wrong-with-booking.com-aYOyv4Q7Ua2D