Booking.com Scams: Are Travelers Actually Being Defrauded Through the Platform?
Reports of travelers losing money through Booking.com are multiplying. Here is a breakdown of exactly how the scams work, what tactics fraudsters use, and whether any of it is avoidable.
Online travel booking has made planning a trip faster and more accessible than it has ever been. You search, you compare, you click, you confirm. The platform handles the rest. For most people, most of the time, that process works exactly as advertised. But a growing body of reports from travelers across multiple countries suggests that something else is also happening inside that process, and that some people are losing significant amounts of money despite doing everything they were supposed to do right.
The platform that appears most frequently in these reports is Booking.com. So what is actually going on? Who is behind it? How do the tactics work? And is there any realistic way to avoid becoming a victim?
Is This a Real Problem or Just Noise?
It is worth starting with the numbers, because the scale of what has been reported is easy to underestimate from individual stories alone. Between June 2023 and September 2024, the UK's national fraud reporting body received over 500 reports from travelers who lost money through a specific pattern of Booking.com‑related fraud, with combined losses running into the hundreds of thousands of pounds. That figure covers one country's official reporting channel over a fifteen‑month window. It does not include cases that were never reported, cases reported to other agencies, or losses absorbed quietly by victims who did not know where to turn.
Booking.com processed over a billion room nights in 2024 and reported revenue of $23.7 billion for the year. At that volume, even a small percentage of problematic transactions represents a large number of real people with real losses. The fraud is not a myth constructed from a handful of bad reviews. It is documented, recurring, and international in scope.
Who Is Actually Doing This?
This is perhaps the most important thing to understand before anything else: the fraud being reported through Booking.com is not being carried out by Booking.com. The platform is the environment in which the fraud operates. The fraudsters are external criminal groups who have found ways to exploit the platform's infrastructure for their own ends. Understanding that distinction matters for everything else, including how the tactics work, why they are so effective, and what a traveler can realistically do to protect themselves.
The Compromised Account Tactic
The most sophisticated and hardest‑to‑detect variant of this fraud begins not with the traveler at all, but with the hotels and property owners who are Booking.com's partners. Fraudsters send convincing phishing emails to hotel staff. When someone clicks a link inside one of those emails, credential‑stealing malware installs silently on their device and harvests the hotel's Booking.com login credentials. The hotel staff member may not know anything has happened. The property's Booking.com account now belongs, functionally, to the attacker.
From inside that compromised account, the attacker can see the hotel's real upcoming reservation list, complete with guest names, contact details, stay dates, and booking references. They can send messages to those guests through Booking.com's own messaging infrastructure. This is where the fraud becomes genuinely difficult to detect. The message reaches the traveler through an official platform channel, references real booking details, and instructs them to make an urgent payment or confirm card details, warning that their reservation will be cancelled if they don't act quickly. Everything about the communication looks legitimate because technically, it is coming from a legitimate account.
The traveler has no obvious way of knowing that the person on the other end of that account is not the hotel.
The message reaches the traveler through an official platform channel, references real booking details, and demands an urgent payment. Everything looks legitimate because technically it is – the account sending it belongs to a real hotel.
Drunculer Analysis, based on Microsoft threat intelligence
Why Wire Transfers Are Central to the Tactic
When the goal is to extract money rather than card details, the payment method of choice in many of these cases is a wire transfer or international bank payment to an IBAN number. The reason is simple. Credit card transactions carry chargeback rights, meaning a defrauded cardholder can dispute the transaction through their bank and often recover the funds. Wire transfers work differently. Once the transfer clears and the funds are withdrawn at the receiving end, recovery is close to impossible through normal banking channels.
The geographic details attached to these payment requests are sometimes inconsistent in ways that seem obvious in hindsight. A payment being directed to a personal‑name bank account registered in a country different from where the property is located is one example of an irregular combination that, under normal circumstances, would raise questions.
It is worth noting that Booking.com's own policy states the platform does not facilitate wire transfers or direct bank payments as booking payment methods. Any message requesting payment outside the platform's official checkout system falls outside what Booking.com actually authorizes.
Booking.com does not facilitate wire transfers or direct bank payments for bookings. Any message – regardless of how it reaches you or what it says – requesting payment outside the platform’s official checkout should be treated as a firm pause point before any money moves. Wire transfer, regardless of the sender’s apparent legitimacy, is always the wrong answer.
The Fake Listing Variant
A separate pattern operates at the listing level rather than through compromised accounts. In documented cases, fraudulent accounts have been created on Booking.com posing as legitimate property owners, sometimes using photographs taken from other listing platforms to give the listings surface credibility. Guests are directed toward payment outside the official platform, and the property either does not exist or is not available to them.
Travelers in some cases have arrived at listed addresses to find no accommodation waiting for them, with no immediate recourse and the pressure of finding somewhere else to stay on arrival. This approach relies on a different version of the same underlying trust: the assumption that a listing appearing on a major global platform has been verified before it was shown to a prospective guest.
How the Tactics Have Evolved
The fraud is not sitting still. Security researchers tracking these operations have documented the development of a technique called ClickFix, in which hotel staff are shown a convincing fake error message or prompt that instructs them to run a command to resolve a technical issue. Running that command installs the malware that compromises their credentials. The approach is designed to exploit the natural instinct to fix a problem quickly rather than scrutinize the process.
Operations using this approach have been tracked running continuously for extended periods, with the same underlying technical infrastructure adapted to target partner accounts on other major booking platforms. The mechanics are not specific to one platform. They follow booking infrastructure wherever it exists and wherever partner account security can be exploited.
The Security Question
The natural question at this point is: why is the vulnerability still there? The mechanism behind the most damaging variant of this fraud is compromised partner credentials. A stolen hotel password grants access to guest data and messaging capabilities, and the fraud flows from there. The most direct technical countermeasure against that specific pathway is mandatory two‑factor authentication for partner logins, which would make a stolen password significantly less useful to an attacker on its own.
Security researchers and consumer advocacy groups have raised this point repeatedly. As of the most recent reporting, two‑factor authentication for platform partners has not been made mandatory. Booking.com has stated publicly that it has invested in cybersecurity measures and cited internal metrics showing a reduction in certain fraud activity between 2023 and 2024 as evidence of progress. Whether that progress fully addresses the underlying partner account vulnerability is a separate question, and not one that has been answered with full transparency in public disclosures.
What Can Travelers Actually Do?
The platform‑level dynamics described above are largely outside any individual traveler's control. What is within their control is a small set of decisions that make a meaningful difference to their exposure.
Payment method is the most important variable. Credit cards preserve the ability to dispute a transaction and recover funds. Wire transfers, direct bank deposits, and IBAN payments generally do not. Any request to pay outside a platform's official checkout, regardless of which channel it arrives through or what explanation accompanies it, is worth treating as a firm pause point before any money moves.
The consistency of payment details is worth checking. A payment request directing funds to an account registered in a different country from the property's listed location, especially to a personal rather than business name, is an irregular pattern. Urgency is a consistent feature of fraudulent messages in this category. Legitimate booking processes on major platforms do not typically operate on short countdown pressure with cancellation threats. When that framing appears, taking time to verify rather than respond to the pressure is the appropriate move.
If a message arrives through a booking platform and something about it feels off, navigate to the booking independently through the official app rather than clicking any link in the message itself. For listings that appear significantly cheaper than comparable options in the same area, searching the physical address independently before committing can surface problems that the listing itself does not show.
1. Never pay via wire transfer or direct bank deposit for a booking – use a credit card.
2. Verify payment details: a request pointing to a personal account in a different country is a red flag.
3. Ignore urgency pressure; legitimate platforms don't threaten cancellation within hours.
4. Access your booking through the official app, not links in messages.
5. For unusually cheap listings, search the property's address independently before booking.
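The checks above can also be run mechanically over the text of a booking message. The following is an added example, not code from Booking.com or any source cited in this article: the phrase patterns, flag names, sample message and the property country "ES" are all constructed assumptions. Only the IBAN check follows a published rule, the ISO 13616 mod-97 checksum.

```python
import re

# Illustrative patterns (assumptions for this example, not a platform rule set).
# IBANs are matched in upper case only, as they normally appear in payment requests.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,3})?\b")
OFF_PLATFORM_RE = re.compile(r"\b(wire transfer|bank transfer|bank deposit|iban)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(within \d+ (?:hours?|minutes?)|will be cancell?ed|urgent(?:ly)?|immediately)\b", re.I)
LINK_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample message; the IBAN is the widely published German test IBAN.
SAMPLE = ("Dear guest, your reservation will be cancelled within 12 hours unless you "
          "confirm payment by bank transfer to IBAN DE89 3704 0044 0532 0130 00 "
          "(account holder: J. Doe).")


def valid_iban(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and require a remainder of 1."""
    s = re.sub(r"\s", "", candidate)
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def assess_message(text: str, property_country: str) -> list[str]:
    """Return the red flags found in a message about a booking.
    property_country is the ISO 3166 two-letter code of the listing's location."""
    flags = []
    ibans = [m.group(0) for m in IBAN_RE.finditer(text) if valid_iban(m.group(0))]
    if ibans or OFF_PLATFORM_RE.search(text):
        flags.append("off_platform_payment")    # payment outside official checkout
    if any(iban[:2] != property_country.upper() for iban in ibans):
        flags.append("iban_country_mismatch")   # account country differs from property
    if URGENCY_RE.search(text):
        flags.append("urgency_pressure")        # countdown or cancellation threat
    if LINK_RE.search(text):
        flags.append("embedded_link")           # open the booking in the app instead
    return flags


if __name__ == "__main__":
    print(assess_message(SAMPLE, "ES"))
```

An empty result does not clear a message: a payment request that names an account in the same country as the property is still off-platform and still raises the first flag.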
The Realistic Picture
Booking.com is a legitimate platform that handles an enormous volume of transactions. Over a billion room nights were facilitated through the platform in 2024. The overwhelming majority of those bookings completed without incident. That context matters.
What also matters is that the fraud which does occur through the platform is not random or opportunistic. It is methodical, well‑resourced, and specifically designed to neutralize the signals that travelers have been taught to watch for. Victims in many documented cases were not careless. They were targeted through channels they had every reasonable basis to trust.
The practical takeaway is less about distrust of any specific platform and more about the mechanics of payment. The one protection a traveler retains regardless of how sophisticated the surrounding fraud is, is the choice of how to pay. That choice, more than any other single variable, determines whether a loss is recoverable or permanent. Wire transfer, regardless of what the request says and who appears to be asking, is always the wrong answer.
Sources & Attribution
Brindle‑PC (UK fraud reporting) · Electro IQ (Booking.com statistics) · Microsoft Security Blog (ClickFix and phishing analysis) · Cybernews · Bitdefender · Norton LifeLock · Euronews · Sekoia.io · Bearingpoint IT Security · Booking.com public statements
This article is published for informational and analytical purposes only. Fraud tactics and platform security measures are subject to change. No part of this article constitutes legal or cybersecurity advice. Drunculer has no commercial relationship with Booking.com or any entity mentioned.
