On a recent trip, I booked an airport hotel for a layover in Jakarta. I used Booking.com, selecting the option for an automatic card payment to be taken a few days before the stay.
A week before the trip, I received a WhatsApp message purporting to be from the Jakarta airport hotel. There was a profile image of what looked like a staff member, and the message included my full name, my booking reference and the dates of my stay.
The message explained that to keep my reservation “‘secure”’, I needed to verify some details. It told me to click on a link, where I would be asked to temporarily verify my payment method, but would not be charged.
The message warned me that if I didn’t complete this process within 24 hours, the system might automatically cancel my booking.
Recently, alerts have started appearing on the Booking.com site urging users to be aware of phishing and email spoofing.
Luckily, I had taken note of these warnings and knew the signs: requests to click on links and giving you a limited time to complete the process are textbook.
I followed Booking.com’s guidelines and reported the suspicious message, receiving a phone call the day after confirming it was not sent by the hotel and I should delete it.
While I was reassured about my upcoming stay, I was still unsettled by the amount of personal information the scammer had managed to glean about my booking.
Earlier this year, consumer watchdog Which? released a comprehensive report uncovering myriad scams and security issues on Booking.com. It seemed my phishing message was just the tip of a very nasty iceberg.
The rise of scam listings on Booking.com
Booking.com is an international behemoth with more than a billion reservations a year, vying with Airbnb to be the market leader in holiday accommodation booking sites.
Which?’s investigation found that part of its appeal is due to the ease with which companies and owners can list their properties.
The watchdog tried out the process and was able to list a holiday home in less than 15 minutes.
“We didn’t need to provide proof of who we were. And, unlike if you put your house on Expedia’s Vrbo – or on Airbnb the last time we tried – there was no request to see a driving licence or passport,” writes senior researcher Trevor Baker.
While this may fuel Booking.com’s success, it also facilitates fraud on the site.
A 2024 investigation by Which? found that hundreds of people in the space of a few months had reported losing money over scam listings.
Booking.com removed those flagged by Which?, and claimed these were just owners who had “neglected to switch off availability when accommodation had closed down or was temporarily shut”.
But when the investigators checked in a few months later, they found yet more properties with hundreds of negative reviews warning that the accommodation was a scam.
Travellers reported having turned up to properties only to find they didn’t exist, and having to scrabble to find alternative accommodation. Many then struggled to secure a refund from Booking.com.
Scam listings survive by hiding bad reviews
The accommodation site told Which? that it restricts new hosts before they can accept payment bookings in order to weed out fraudulent listings.
“It’s true that we weren’t able to accept prepayment for the listing we set up; we’d need to have some bookings and reviews first. But that’s not insurmountable for a scammer,” writes Baker.
If a scam listing manages to slip through undetected, it often manages to keep tricking guests because of Booking.com’s review system.
“Click on a holiday let in the centre of Podgorica, Montenegro, and you’d be reassured by the 6.4 rating, which Booking.com summarises as ‘pleasant’,” says Baker.
“The first two reviews you’re shown describe it as ‘superb’ (9/10) and ‘good’ (7/10). However, you’d need sharp eyes to notice that Booking.com is showing you reviews it has inexplicably decided are the ‘most relevant’.”
Instead, if you switch your settings to look at ‘newest’, you’ll see that for that property, 10 of the last 12 reviewers describe it as a ‘con’, a ‘scam’ and ‘a nightmare’.
Following pressure from Which? last year, the accommodation site said it was going to change its system to give recent reviews more prominence. But currently, reviews are still set as standard to ‘most relevant’.
Phishing messages asking to confirm reservations
Then there’s what happened to me. Other travellers have also reported receiving emails, WhatsApp messages or even messages on Booking.com’s own messaging service requesting confirmation of a reservation.
Some of these messages ask you to click on a link to ‘verify details’, while others outright ask for payments.
Most come with a time pressure, so that even if you contact Booking.com about the message, you may not hear back before the deadline and therefore feel obliged to pay up.
The fact that scammers have been able to use Booking.com’s official communication channels is particularly worrying.
“When we investigated Airbnb frauds in 2017, we felt confident telling people they’d be safe as long as they only communicated inside Airbnb’s messaging systems,” writes Baker.
“That isn’t the case with Booking.com. If its hotels and hosts have been hacked, it can be very difficult to know if the message you receive is genuinely from the hotel or a scammer.”
Booking.com is leveraging AI to beat scammers
During the investigation, Which? received reports from users who had lost hundreds of euros. For some, entire trips were ruined. Many only received refunds after Which? interceded on their behalf.
So how is Booking.com working to improve user security? It’s turning to AI.
“We continue to make significant investments and leverage the latest AI and machine-learning techniques to identify and block suspicious activity as quickly as possible,” a spokesperson tells Euronews Travel.
“This technology allows us to analyse traffic patterns, detect anomalies, and block suspicious activity before it ever reaches our customers.”
Some owners have also reported that the site tightened security for hotels and hosts last year.
They now need to use a two-stage process, known as two-factor authentication (2FA), to get access to their accounts and messages, meaning fraudsters should find hacking accounts much more difficult.
Guests can also set up 2FA, but users have reported issues with it.
According to Which?, though, there’s still a long way to go.
“Booking.com’s failure to block malicious links, remove ‘scam’ listings and – until recently – mandate 2FA for hosts suggests a carelessness towards users’ security,” the report says.
“And its decision to show the supposedly ‘most relevant’ reviews instead of ‘most recent’ was bizarre. We accept that it’s safer than it was last year. But in our view, it’s been too slow to spot how easily its tools have been adapted by scammers to steal money.”
Read the full article here
