The consumer champion has called for the holiday booking platform to do more to prevent fraud on its site ahead of the Online Safety Act illegal harm codes coming into effect later this month.
According to Statista, in January 2025, Booking.com was the most visited travel and tourism website worldwide.
But a Which? investigation revealed an “easily hacked” messaging system, failure to remove ‘scam’ listings, and a lack of identity checks on property owners.
Researchers were able to list a holiday home on Booking.com in fewer than 15 minutes, but there was a lack of proper identity checks. Unlike rival accommodation sites Vrbo and Airbnb, Booking.com did not ask to see a driving licence or passport.
Scams and dodgy listings
Which? said this lack of proper identity checks has led to a deluge of dodgy listings on the platform. When Which? searched Booking.com reviews for the word ‘scam’ in summer 2024, the consumer champion found hundreds of reviews complaining that they had paid for accommodation that did not exist.
How life insurance can benefit your health and wellbeing over the decades
Sponsored by Post Office
As part of that investigation, Which? sent 52 of these listings to Booking.com. It removed most of them, but told researchers that most were not “real scams” – just owners who had neglected to switch off availability when accommodation had closed down or was temporarily shut.
But when Which? checked again in November, it found exactly the same problem – 36 properties with hundreds of negative reviews pointing out that the accommodation was a scam.
Which?’s investigation also found that Booking.com’s security systems are not strong enough to stop scammers from listing on the site or from hacking genuine listings. To stop scammers, Booking.com said it restricts new hosts from accepting prepayments until they have bookings and reviews – but Which? said this is not insurmountable for a fraudster.
Which? saw a Glasgow let on Booking.com that seemed to only have two reviews from people who actually stayed there. After this point, reviewer after reviewer complained that there was no one there to meet them or any way to access the property.
After several months, it had 36 one-star reviews – almost all complaining that this was a scam and they had not been refunded. But Booking.com only removed the listing only after contact from Which?.
Which?’s investigation also exposed loopholes in the booking system that could be exploited by fraudsters. The consumer champion spoke to several consumers who were sent external links through Booking.com messages, which are often used by fraudsters to move transactions away from the official platform.
Calls for change
From its investigation, Which? believes there are some basic changes Booking.com should make to reduce fraud on its site, including introducing identity checks for hosts before their listing can appear, making it mandatory for all users of the site to have two-factor authentication set up and banning the use of external links in Booking.com messages.
Which? also believes that Booking.com should also proactively investigate listings where there are multiple reviews claiming they are a scam and take action when it is alerted by users that a property does not exist, is not really open for business or is a scam.
Rocio Concha, Which?’s director of policy and advocacy, said: “It’s really worrying that so many scams are slipping through the net on Booking.com. The illegal harms codes coming into effect on 17 March will require platforms to do more to prevent user-generated fraud, but there are several simple changes that Booking.com could make now to tighten its security and close loopholes on its site [that] are being exploited by scammers.
“Ofcom should take note of these findings as the codes come into force. If these issues persist, Ofcom must make use of its new powers and not hesitate to take action against Booking.com and other platforms who are failing to prevent fraudsters from targeting and scamming their customers.”
A statement from Booking.com said: “We are deeply committed to protecting our customers against fraud and scams. Online fraud is unfortunately a battle many industries are facing, however thanks to the robust security measures we have in place and our continuous efforts to enhance them, we are able to detect and block the vast majority of fraudulent activity.
“We take the process of verifying accommodation listings seriously and have multiple controls and checks in place during sign-up, after submission and before listings become bookable. In the rare instance that a scammer finds a way to temporarily circumvent our controls, we seek to shut down the activity as quickly as possible and support any impacted customers quickly. In addition, we always recommend that customers read through our reviews and property rating scores before booking, to ensure they can see the views of others who have also stayed at the property.”
