London24NEWS

Booking.com rip-off: Spike in reports over the summer as some lose THOUSANDS

  • Victims receive messages asking them to ‘confirm’ booking – then lose cash 

Unlucky holidaymakers have seen their plans thrown into chaos this summer after they fell victim to a scam operating on Booking.com. 

The Booking.com scam has been going on for more than a year, but the number of customers reporting it to This is Money has spiked during the peak holiday season. 

It involves customers being tricked into making payments to scammers, supposedly to ‘confirm’ legitimate hotel reservations they have made via the app or website. 

In some cases we have uncovered, people have been tricked into handing over thousands of pounds. 

Holidaymakers beware: Mick Thomas, pictured left with his wife and friends on a previous trip, lost £1,697.90 to the Booking.com scam after acting on a message from a fraudster

Mick Thomas, 77, from Evesham in Worcestershire, was one of these victims. 

Mick, his wife and some friends regularly go on road trips around Europe with recent destinations including Krakow, Berlin, Brussels and Normandy. 

For their next adventure, Mick had booked a hotel in Amsterdam where they were set to travel in early September. He had agreed to pay shortly before arrival. 

But in July, he received a message on the Booking.com platform saying he needed to follow a link and pay €1,001 to confirm his booking (at the time that was £848.95). 

‘I received a message supposedly from the hotel, via Booking.com, asking for my card details, it said failure to do so meant that my booking may be annulled,’ he says. 

When he clicked the button to pay, it didn’t work – so he clicked again. It still didn’t work, so he checked his account and saw that the money had gone through and he had paid £1,697.90 in total.

Trick: The message Mick received which led him to pay the scammers

This is when he suspected it was a scam, and immediately contacted Booking.com and his bank, Monzo. It froze his card and began an investigation into the fraud. 

‘At the point that I let Monzo know about the issue and I froze my card, the payments were still pending,’ he says. ‘I thought by freezing the card it would stop them leaving my account, but the following morning on Sunday they were no longer pending.’

Monzo began an investigation which it said could take up to six weeks. After This is Money got in touch to enquire about progress, it refunded the entire £1,697.90. 

A Monzo spokesman said: ‘Falling victim to fraud is distressing and we’re sorry it happened to our customer. This was a sophisticated scam where the communication through a booking platform was compromised by fraudsters. 

‘Though this happened outside Monzo, we’ve reimbursed our customer so they aren’t left out of pocket.’ 

What is the Booking.com scam? 

Customers who have booked legitimate accommodation on the website are being targeted via scam messages that appear within its internal messaging system. 

In June, Booking.com’s chief information security officer, Marnie Wilking, said there had been an increase of between 500 and 900 per cent in scams carried out on the platform in the past 18 months. 

Most commonly, the messages say that an extra fee must be paid to secure their reservation or ‘confirm’ their booking, asking them to click a link to a third-party website to make the payment. 

Not wanting to see their holiday plans ruined, some customers will hand over the money, which is then funnelled directly to the fraudsters. 

Some might have communicated with real hotel staff on the platform previously, making them more likely to believe the request is legitimate. 

As well as those who have sadly fallen for the scam, This is Money has received many more emails from people who have received the messages, but not acted on them.  

Warning: Customers of Booking.com are advised never to follow a link that takes them out of the secure messaging platform - as this is how scammers get them to part with their money

‘I’ll never use Booking.com again’ 

Bridget (name changed), 54, from West Yorkshire fell victim to the Booking.com scam when arranging a weekend away for her and her husband, who has terminal cancer. 

She received a message asking her to click a link to ‘verify’ her reservation at a bed and breakfast in the Lake District. When she did, £262.50 was taken from her credit card.  

‘The message came through my Booking.com message app, so I had no reason to believe it was not genuine,’ she told This is Money.

‘I will never use Booking.com again. In fact, I feel exposed and wish life was back to cash and cheques. That is how strongly I feel about this.

‘I was upset as this trip away is for me and my husband who has terminal cancer, and my initial thought was, “Oh no, they have taken my money, I now can’t go!” These scammers are vile people.’

Bridget ended up getting refunded by her credit card provider, meaning she has now been on the trip which she described as ‘lovely’.  

Why isn’t Booking.com stopping the scam?

As the messages are appearing within Booking.com’s messaging platform, it has faced calls to increase its security. 

But fraud experts say that the company’s website has not been compromised. Instead, criminals appear to be getting into accounts owned by hotels.

While major hotel chains advertise their rooms on Booking.com, there are also countless bed and breakfasts, Airbnb-style rentals and smaller, family-owned hotels. 

Without the security infrastructure of big companies, these operators have unfortunately become a target. 

Fake: Another one of the convincing messages This is Money has seen used in the Booking.com scam

This is Money spoke to scam expert Jake Moore of cybersecurity firm Eset, who says he believes these hotels are being tricked into installing malware, or malicious software, which allows the criminals access to their computers or other devices.

In their approach to the hotels, the criminals might pose as members of the public with a question about their booking, as a way to trick the staff into opening an attachment or clicking a link. 

This is how the malware is installed on their device. 

In one example, Moore says a hotel received an email from someone saying they had stayed in the hotel and left their medication behind. 

They attached a document to the email which they said contained details of the medicines, but instead it installed malware. 

‘They are targeting small hotels and B&Bs that don’t have security in place, and they are managing to remotely access their computers,’ Moore explains. 

While Booking.com does have security measures such as two-factor authentication – where a code is sent in a text message or email – hotel staff who use Booking.com regularly can stay logged in on their device and don’t need to go through that every single time.  

‘If they are able to get in to the account of an authorised account holder they don’t need to log in every time, which allows them to bypass that layer of security,’ says Moore.  

His advice to customers is simple: if you are asked to leave the Booking.com messaging portal, don’t do it. ‘Don’t be pressured into leaving the platform and paying money – that is where these problems occur.’ 

‘Remind yourself of when you should be paying for this hotel, whether you have already paid upfront or you will need to pay on arrival.’

Booking.com now has a message within its portal which advises customers to ‘Avoid suspicious activity – do not click on or respond to unusual links or messages’. 

This is Money secures thousands in refunds 

This is Money has investigated several more cases where holidaymakers have lost money to the Booking.com scam. 

As well as Mick’s £1,697.90 refund from Monzo (above) we have helped in the following cases. 

In June 2024, Kelly (name changed) was browsing the Booking.com app to find a villa in Mallorca for a holiday with her extended family. 

Dream holiday: Kelly* was planning a trip to Majorca, but a fraudster threw a spanner in the works after persuading her to leave Booking.com and book a fake apartment

She requested booking dates within the app, then received an email shortly after, not through the Booking.com portal but directly to her email address.

It said that villa wasn’t available, but there was an alternative, and to book via a link they provided.

She clicked this link and was taken to what she now realises was a fake Booking.com website, paying £3,138 via bank transfer.

A day later she realised that on her Booking.com app there were no bookings. She emailed the host to ask why, but the email was undeliverable.

Kelly tried to speak to Booking.com several times over an eight-week period, but says she could not get anywhere without a booking reference. 

This is Money contacted Booking.com on her behalf, and she has now been reimbursed the full £3,138. She was also offered a £100 goodwill gesture. 

Rachel Bolton, 79, who lives in Spain, is planning to go on a Greek Islands cruise with her husband and friends this September. 

The voyage starts in Civitavecchia, Italy, where Rachel booked a hotel through Booking.com to stay in the night before the cruise. 

Soon after, she had a message from the hotel asking for her to update her credit card details in the portal. She had recently received a new credit card, so assumed the request was legitimate.

After she did, though, €336 (about £285) was taken from her card, despite having already paid for the reservation. 

She then got a message from the hotel to say that some of their customers’ credit card details were stolen and hers was one of them. 

A few days later, the scammers attempted to take another €336 but she had blocked her card so it didn’t go through.

After This is Money contacted Booking.com about Rachel’s case, she was reimbursed the €366. 

‘I always book hotels through Booking.com and the scam really upset me – I was afraid to visit some websites,’ Rachel said. ‘They must acknowledge that their records are not safe.’

Sorry: Booking.com has apologised for the experiences of This is Money's readers

Booking.com’s response 

A spokesman for Booking.com said: ‘Phishing attacks by professional criminals pose a significant challenge for travel and many other industries. While not unique to Booking.com, we continue to invest significantly to limit the impact of scams, using the latest technology and innovations. 

‘We are also committed to proactively helping our accommodation partners and customers to stay protected. 

‘A lot of this is via education, informing our partners of the types of scams we are seeing – through regular and as-needed communications, face-to-face workshops, and a dedicated cyber-security advice hub – while arming our customers with practical advice that they can apply as they search for their holiday.

‘We are sorry to hear about the experiences of the customers you have brought to our attention and we are reaching out to each to ensure they are not left out of pocket.’
