Booking.com prone to scammers due to weak security, warns watchdog

A lack of effective security measures is leaving Booking.com vulnerable to scammers, consumer champion Which? has warned.

Which? said the platform suffers from an easily hacked messaging system, failure to remove scam listings, and a lack of identity checks on property owners.

The watchdog’s findings, which come as the Online Safety Act’s illegal harms codes are set to take effect later this month, show that Booking.com’s lax security policies make it easy for fraudsters to exploit travellers.

Booking.com was the most visited travel and tourism website globally in January 2025, according to Statista.

Flawed security methods

As part of its investigation, Which? was able to list a fake holiday home on the website in under 15 minutes.

Unlike rival platforms such as Airbnb, Booking.com does not require any identity verification before allowing a listing to go live.

This lack of security checks has flooded the platform with fraudulent listings.

When Which? searched Booking.com reviews for the word ‘scam’ in the summer of 2024, it found hundreds of complaints from customers who had paid for accommodation that did not exist.

The consumer watchdog reported 52 suspicious listings to Booking.com, which removed most of them.

Yet, the company dismissed many complaints, claiming that the properties were not scams but owners who had forgotten to update their availability accurately when closed or temporarily shut down.

Yet, when Which? checked again in November, it found the same recurring problem: 36 properties still had hundreds of negative reviews claiming they were scams.

The watchdog revealed numerous customer horror stories.

One man, after arriving at an address which “looked like a dentist’s surgery” rather than a holiday home, was later joined by two other angry couples who had fallen victim to the same fraudulent listing.

The holiday booking platform then refused to refund him until Which? intervened two months later.

Booking.com insisted the customer had not been scammed, claiming instead that it was the owner’s responsibility to issue a refund.

Security loopholes and two-factor authentication

The investigation also revealed that the website’s security systems were insufficient to prevent scammers from listing fake properties or hacking real ones.

The platform said it restricts new hosts from accepting prepayments until they receive bookings and reviews, but scammers seem to have found ways around this rule.

For example, a Glasgow property listing received 36 one-star reviews, nearly all of which described it as a scam and warned that the website had not issued refunds.

The platform only removed the listing following a request from Which?.

More recently, Booking.com introduced two-factor authentication (2FA) for hosts and guests to prevent unauthorised account access.

However, a cyber security specialist contacted the watchdog with evidence that 2FA on Booking.com had serious flaws: his 2FA was not working properly on his guest account. This means that if a hacker accessed his email, they could easily log in and read all of his messages without additional verification.

Which? said that Booking.com has not yet fixed this issue.

Another serious concern was the use of external payment links, which fraudsters can send through Booking.com’s own messaging system.

Several Which? interviewees reported receiving messages containing links that redirected them away from the platform, a common tactic scammers use to bypass security protections.

Booking.com under scrutiny

On March 17, the Online Safety Act’s illegal harms codes will come into force, requiring platforms like Booking.com to do more to prevent fraud.

Under the Act, user-generated fraud will be explicitly covered.

This means fraudulent property listings on travel sites will fall under regulatory scrutiny.

Which? has outlined basic security changes that Booking.com must make to protect its users from fraud, like mandatory identity checks and enforced 2FA.

The watchdog is also urging Ofcom, the regulator behind the Act, to take decisive action.

Director of policy and advocacy, Rocio Concha, warned: “It’s really worrying that so many scams are slipping through the net.”

“Ofcom should take note of these findings as the codes come into force. If these issues persist, Ofcom must make use of its new powers and not hesitate to take action against Booking.com and other platforms failing to prevent fraudsters from scamming their customers”, he added.

Booking.com has been approached for comment.
