Booking.com labelled 'haven for scammers' due to 'serious' security flaws

Consumer champion Which? has issued a warning that Booking.com's inadequate security measures are leaving it exposed to fraudsters.

The platform's vulnerabilities include an easily compromised messaging system, failure to eliminate scam listings, and absence of identity verification for property owners, as reported by City AM.

These findings come ahead of the Online Safety Act's illegal codes coming into force later this month, highlighting how Booking.com's lax security protocols make it a prime target for scammers looking to exploit travellers.

Booking.com was the most frequented travel and tourism website worldwide in January 2025, as per Statista data. However, Which?'s investigation revealed significant flaws in its security methods. The company says it is "deeply committed" to protecting customers and that it blocks "the vast majority of fraudulent activity".

The consumer watchdog managed to list a bogus holiday home on the site in less than 15 minutes, with no requirement for identity verification before the listing went live—unlike competitor platforms such as Airbnb.

This lack of security checks has resulted in a surge of fraudulent listings on the platform. A search by Which? for the term 'scam' in Booking.com reviews from summer 2024 yielded hundreds of complaints from customers who had paid for non-existent accommodation.

The consumer watchdog flagged 52 suspicious listings to Booking.com, which subsequently removed most of them. However, the company dismissed many complaints, attributing the issues to property owners failing to update their availability accurately when closed or temporarily shut down.

However, when Which? conducted a follow-up investigation in November, it encountered the same persistent issue: 36 properties were still plagued by numerous negative reviews alleging scams.

The consumer watchdog shared several distressing accounts from customers.

One individual recounted how he arrived at a location that "looked like a dentist's surgery" instead of the expected holiday rental, only to meet two other disgruntled couples who had been duped by the same fake listing.

It wasn't until Which?stepped in, two months later, that the holiday booking platform agreed to process his refund.

Booking.com maintained that the customer hadn't fallen for a scam, arguing that the onus was on the property owner to provide a refund.

Further investigation highlighted that the website's security measures were inadequate in stopping fraudsters from posting bogus listings or hijacking legitimate ones.

The company stated that it limits new hosts from taking prepayments until they have secured bookings and positive feedback; however, scammers appear to have circumvented this safeguard.

For instance, a Glasgow property with 36 one-star reviews, almost all branding it a scam and criticising the site for not offering refunds, remained listed until Which? requested its removal.

In a move to bolster security, Booking.com has recently implemented two-factor authentication (2FA) for both hosts and guests to thwart unauthorised account access.

A cyber security expert has raised the alarm over vulnerabilities in Booking.com's two-factor authentication (2FA), revealing to consumer watchdog Which? that his 2FA was not functioning correctly on his guest account. This flaw could potentially allow a hacker with access to his email to log in and read all messages without needing further verification.

Which? has confirmed that Booking.com has yet to address this security lapse.

The issue is compounded by another alarming practice: the use of external payment links sent through Booking.com's messaging system, which scammers exploit to evade security measures.

Numerous individuals interviewed by Which? have reported receiving such deceptive messages, steering them off the platform—a favoured technique among fraudsters to sidestep security protocols.

Booking.com now faces increased scrutiny as the Online Safety Act's illegal harms codes are set to take effect on March 17, compelling platforms like Booking.com to intensify efforts against fraud, including user-generated scams.

Fraudulent property listings on travel sites will come under regulatory oversight due to the Act.

Which? has proposed essential security enhancements for Booking.com to implement, such as compulsory identity verification and strict enforcement of 2FA, to safeguard its users from fraudulent activities.

The watchdog is also calling on Ofcom, the regulator responsible for the Act, to act decisively.

Rocio Concha, Director of policy and advocacy at Which? expressed concern: "It's really worrying that so many scams are slipping through the net.

"Ofcom should take note of these findings as the codes come into force. If these issues persist, Ofcom must make use of its new powers and not hesitate to take action against Booking.com and other platforms failing to prevent fraudsters from scamming their customers", he added.

In a statement reported on MailOnline, Booking.com said: 'We are deeply committed to protecting our customers against fraud and scams. Online fraud is unfortunately a battle many industries are facing, however thanks to the robust security measures we have in place and our continuous efforts to enhance them, we are able to detect and block the vast majority of fraudulent activity.

'We take the process of verifying accommodation listings seriously and have multiple controls and checks in place during sign-up, after submission and before listings become bookable. In the rare instance that a scammer finds a way to temporarily circumvent our controls, we seek to shut down the activity as quickly as possible and support any impacted customers quickly. In addition, we always recommend that customers read through our reviews and property rating scores before booking, to ensure they can see the views of others who have also stayed at the property.