
Discover the best destinations and holiday providers, independently researched and recommended by us & save 30% only £34.30.
Join Which? Travel. Offer ends 16 Jun 25. Cancel anytime.
It took less than 15 minutes to list a holiday home on Booking.com.
We didn’t need to provide proof of who we were. And, unlike if you put your house on Expedia’s Vrbo – or on Airbnb the last time we tried – there was no request to see a driving licence or passport. This speed and convenience for owners might be part of the reason that Booking.com is now a global behemoth, not just for hotel bookings but for small holiday lets, too, with more than a billion reservations each year.
Unfortunately, it might also be one of the reasons why so many people have been defrauded on the site.
This article first appeared in Which? Travel magazine. We don't accept freebies from travel companies, airlines or hotels, so you can be sure our investigations, recommendations and reviews are completely honest.
In the summer of 2024 we searched Booking.com reviews for the word ‘scam’ and found hundreds of people from the past few months complaining that they’d paid for accommodation that didn’t exist. As part of that investigation, we sent 52 of these ‘scam’ listings to Booking.com. It removed most of them, but told us that most weren’t real scams – just owners who had neglected to switch off availability when accommodation had closed down or was temporarily shut.
When we checked again, in November, we found exactly the same problem – 36 properties with hundreds of negative reviews pointing out that the accommodation was a scam. Angry guests we spoke to were incredulous at the idea that these weren’t really scams. They’d paid for accommodation, didn’t get to stay, and didn’t get their money back until we intervened. The idea that they hadn’t been ‘scammed’ seemed bizarre.
This is exactly what happened to Peter Walsh. He and his wife booked an apartment for their cycling holiday in Normandy. However, when they turned up at the address, it ‘looked like a dentist’s surgery’ rather than a holiday home. There were two other angry and confused couples waiting outside. They were all left with a last-minute scramble for somewhere else to stay.
Peter had a second shock when, although Booking.com told him it was investigating, he didn’t receive a refund. He phoned Booking.com straight away, but it was only after we contacted it two months later that he got his money back. Booking.com said, again, that he hadn’t been scammed. It was just that the owners hadn’t kept their availability up to date. Why did it take so long to refund him? Because, the company says, that was the owner’s responsibility.
If you contact Booking.com to complain you’ve been scammed, it will chase your money but it won’t necessarily refund you itself.
We warned in 2024 that Booking.com scams were among the most dangerously convincing we'd seen
To stop scammers, Booking.com told us that it restricts new hosts before they can accept payment bookings. It’s true that we weren’t able to accept prepayment for the listing we set up; we’d need to have some bookings and reviews first. But that’s not insurmountable for a scammer.
Take a Glasgow let we found on Booking.com. The first two reviews are from people who stayed (they seem to have had a terrible time, as both rated it one star), but they’re the only people to have genuinely stayed there. For months afterwards, reviewer after reviewer complained that there was no one there to meet them or any way to access the property. It was a scam. One even posted a picture of a handwritten sign the exasperated neighbours had put on the door warning that ‘it seems to be operating as a scam’ and ‘people may struggle to get a refund’. By November 2024 it had 36 one-star reviews – almost all complaining that this was a scam and they hadn’t been refunded. Again, Booking.com removed the listing only after we contacted it.
One obvious lesson is to always read the reviews, but Booking.com even made this much harder than it needs to be. Click on a holiday let in the centre of Podgorica, Montenegro, and you’d be reassured by the 6.4 rating, which Booking.com summarises as ‘pleasant’. The first two reviews you’re shown describe it as ‘superb’ (9/10) and ‘good’ (7/10). However, you’d need sharp eyes to notice that Booking.com is showing you reviews it has inexplicably decided are the ‘most relevant’.
Switch your settings to look at ‘newest’ and you’ll see that 10 of the last 12 reviewers are furious. They describe it as a ‘con’, a ‘scam’ and ‘a nightmare’. (The other two, suspiciously, give it 10/10.) We highlighted the problem with ‘most relevant’ reviews in August, but Booking.com figuratively shrugged and said that people can always switch to ‘most recent’ if they want to.
However, in December, following our pressure, it emailed its users to say that it was going to change its system to give recent reviews more prominence.
Booking.com has tools that make life easier for anybody who wants to set up as a host. Unfortunately, they’ve also made life easier for scammers. If you’re a fraudster who wants to set up a listing on Booking.com, you don’t even need to speak English. Its algorithm will write a listing for you in terms, it says, that are ‘proven to attract guests’. It will then accurately translate it into 25 different languages. The fact that listings – both genuine and nefarious – could be written using the same Booking.com algorithms, rather than by owners personally, makes it hard to tell the difference between a genuine listing and a scam. It’s not the only way scammers have learnt to use Booking.com’s own tools against it.
When medic Aisling finally got to the end of a 15-hour shift at her hospital, she switched on her phone and saw she had an email. It was from the hotel she’d booked via Booking.com for a trip to Copenhagen, asking her to click on a link and confirm her reservation. ‘I had read about scams on Booking.com,’ she says, ‘so I didn’t click.’ However, when she logged into the Booking.com app she saw a similar message there, with a link to confirm her booking with a payment of €759, which, it said, wouldn’t be taken until she arrived.
Tired after a long day and nervous of her booking being cancelled, she paid. When the money disappeared, she replied on the same thread asking what had happened. The hotel said there’d been a ‘security incident’ and warned her, too late, not to click on any links. Its message was addressed to ‘Dear Guest’. Oddly, while the fraudsters had addressed her by name, the hotel didn’t. ‘Are you telling me my €759 is lost?’ she replied. It responded by asking her to contact Booking.com. She did just that, but it wasn’t until we emailed the platform on her behalf, a month later, that she got a refund.
We contacted Booking.com about six people who’d either been scammed or turned up to accommodation that didn’t exist. It refunded all of them – but only after we got involved.
When we investigated Airbnb frauds in 2017, we felt confident telling people they’d be safe as long as they only communicated inside Airbnb’s messaging systems. That isn’t the case with Booking.com. If its hotels and hosts have been hacked, it can be very difficult to know if the message you receive is genuinely from the hotel or a scammer.
Some hotels reported that Booking.com finally tightened security for hotels and hosts last year. They now need to use a two-stage process, known as two-factor authentication (2FA), to get access to their accounts and messages. As well as having a password, they’re also sent a code to an email or phone number before being able to use the site. It’s a barrier for fraudsters because it means that merely getting access to the Booking.com account shouldn’t be enough. You’d need to have access to the phone or separate email as well. Guests can also set up 2FA. Booking.com told us that it has had an 'intelligent, risk based 2FA' for hosts since 2015 - which is mandatory.
However, in November we were contacted by an expert in 2FA, who had reached out to Booking.com through social media to warn that the 2FA on his guest account didn’t work. Anyone who hacked his email would have been able to access his messages, without additional verification. Booking.com hasn’t fixed his issue, and we don’t know how many other people are affected.
Another problem is that some users we spoke to were sent external links through Booking.com messages. This is despite Booking.com confirming that it can block links entirely if it wants to. It only does this if it’s already seen signs of suspicious activity, but it would be better if it simply banned all external links unless it’s clear that they’re harmless.
The cost of these frauds is more than just the hundreds of pounds people lose. One person had booked flights to Kenya but was unable to afford new accommodation after losing £727 to a scam. It was only after we secured him a refund that he could rebook and travel.
Booking.com’s failure to block malicious links, remove ‘scam’ listings and – until recently – mandate 2FA for hosts suggests a carelessness towards users’ security. And its decision to show the supposedly ‘most relevant’ reviews instead of ‘most recent’ was bizarre. Booking.com told us that if it’s alerted to issues with listings, it investigates immediately, removing them if necessary. It said it’s using new technology to identify suspicious behaviour and block malicious links. There’s also a cybersecurity hub, with advice for hosts and guests. We accept that it’s safer than it was last year. But in our view it’s been too slow to spot how easily its tools have been adapted by scammers to steal money. When things do go wrong, it’s been far too slow to refund customers. It still needs to make it much harder for its platform to be abused.
Trevor Baker, Which? Senior Researcher/Writer, says: ‘There are some basic things Booking.com must do to reduce fraud. Introduce identity checks for hosts before their listing can appear. Actively monitor and investigate listings with multiple reviewers complaining that they’ve been scammed. Make it mandatory for all users of the site to have two-factor authentication set up. While Booking.com told us that criminals can bypass this, it does make it harder for them. Block all malicious links. Improve the training that it says it already provides for hotels and other hosts. As it stands, the security of Booking.com’s messaging system is only as strong as that of its weakest links. Every time you book with Booking.com, it skims off around 15% for itself. That money – billions of dollars – should surely be enough to make it a much safer site.’