A lack of effective checks is leaving Booking.com – the most visited travel and tourism website in the world – “wide open” to fraudsters, according to Which?.
The consumer watchdog is calling for the platform to do more to prevent fraud on its site ahead of the Online Safety Act illegal harm codes coming into effect later this month.
A Which? investigation has found that an easily hacked messaging system, failure to remove ‘scam’ listings, and a lack of identity checks on property owners is leaving holidaymakers “unnecessarily exposed” on Booking.com.
The consumer champion was able to list a holiday home on Booking.com in less than 15 minutes and – unlike on Vrbo or Airbnb – Booking.com did not ask to see a driving licence or passport.
Which? said this lack of proper identity checks has led to a “deluge of dodgy listings” on the platform.
When Which? searched Booking.com reviews for the word ‘scam’ in summer 2024, the consumer champion found hundreds of reviews complaining that they had paid for accommodation that did not exist.
More: Booking.com highlights Connected Trips despite reducing Atol
Action Fraud issues Booking.com phishing alert
As part of that investigation, Which? sent 52 of these listings to Booking.com. It removed most of them but told the consumer champion that most were not real scams – just owners who had neglected to switch off availability when accommodation had closed down or was temporarily shut.
When Which? checked again in November, it found the same problem – 36 properties with hundreds of negative reviews pointing out that the accommodation was a scam.
Which?’s investigation also found that Booking.com’s security systems are not strong enough to stop scammers from listing on the site or from hacking genuine listings.
To stop scammers, Booking.com said that it restricts new hosts from accepting prepayments until they have bookings and reviews – but this is not insurmountable for a fraudster.
Which? saw a Glasgow let on Booking.com which seemed to only have two reviews from people who actually stayed there.
After this point, reviewer after reviewer complained that there was no one there to meet them or any way to access the property.
After several months, it had 36 one-star reviews – almost all complaining that this was a scam and they had not been refunded.
Again, Booking.com removed the listing only after contact from Which?.
Which?’s investigation also exposed loopholes in the booking system which could be exploited by fraudsters.
In September last year, Booking.com finally tightened security for hotels, hosts and guests to use a two-stage process, known as two-factor authentication (2FA), to get access to their accounts and messages.
However, in November 2024, Which? was contacted by an expert in 2FA, who had reached out to Booking.com through social media to warn that the 2FA on his guest account did not work.
The consumer champion also spoke to several consumers who were sent external links through Booking.com messages, which are often used by fraudsters to move transactions away from the official platform.
On March 17, the illegal harms codes of practice under the Online Safety Act will come into effect.
This will require platforms to do more to prevent user-generated fraud – among other kinds of illegal content – on their sites by running risk assessments and having effective complaints procedures in place.
From its investigation, Which? believes there are some basic changes Booking.com should make to reduce fraud on its site, including introducing identity checks for hosts before their listing can appear, making it mandatory for all users of the site to have two-factor authentication set up and banning the use of external links in Booking.com messages.
Which? also believes that Booking.com should also proactively investigate listings where there are multiple reviews claiming they are a scam and take action when it is alerted by users that a property does not exist, is not really open for business or is a scam.
Rocio Concha, Which? director of policy and advocacy, said: “It’s really worrying that so many scams are slipping through the net on Booking.com.
“The illegal harms codes coming into effect on March 17 will require platforms to do more to prevent user-generated fraud but there are several simple changes that Booking.com could make now to tighten its security and close loopholes on its site which are being exploited by scammers.
“Ofcom should take note of these findings as the codes come into force. If these issues persist, Ofcom must make use of its new powers and not hesitate to take action against Booking.com and other platforms who are failing to prevent fraudsters from targeting and scamming their customers.”
In response, Booking.com said: “We are deeply committed to protecting our customers against fraud and scams.
“Online fraud is unfortunately a battle many industries are facing. However, thanks to the robust security measures we have in place and our continuous efforts to enhance them, we are able to detect and block the vast majority of fraudulent activity.
“We take the process of verifying accommodation listings seriously and have multiple controls and checks in place during sign-up, after submission and before listings become bookable.
“In the rare instance that a scammer finds a way to temporarily circumvent our controls, we seek to shut down the activity as quickly as possible and support any impacted customers quickly.
“In addition, we always recommend that customers read through our reviews and property rating scores before booking, to ensure they can see the views of others who have also stayed at the property.
“Two-factor authentication, a measure used by many organisations, is just one of the methods we deploy for additional security.
“If a customer suspects that their email account has also been compromised, we recommend that they reach out to their email provider and also to our 24/7 customer service team.”
Picture credit: mariakray/Shutterstock.com