'I'm a travel expert but Booking.com host scam nearly caught me out'

As my thumb hovered over the link, the BBC's Rogue Traders researcher, who was helpfully sitting next to me, said: 'I'm pretty sure that's a scam. Block the number and don't click the link."

I did as advised and felt a sense of relief at a bullet dodged, followed by a tinge of embarrassment at having almost fallen for a travel scam. That would be a bad look, given my job title and the fact I was at a travel event surrounded by colleagues when the message came through.

In my defence, it was pretty convincing. The WhatsApp message arrived with a name and photo attached just after a bit of back-and-forth with the actual host on the Booking.com site. The 'guest relations manager' mentioned where and when I was going, and when I made the reservation. All would be well with the booking, they assured me, so long as I could confirm that my card details were not stolen - something the Booking.com system had flagged to them as a possibility.

Have you been impacted by a travel scam? We'd love to hear from you if so. Email [email protected]

A quick click of the link to confirm my details and I'd be off on holiday as planned, no problem, they promised.

I screenshotted the messages and blocked the account, repeating the process for the 'head administrator of the apartments' who later followed up on her colleague's behalf.

In this instance, a scam avoided, but plenty of questions remained. How had they got my details? How much would they've stolen if I had clicked the link? How many others are being targeted this way?

The answer to the first question came several days after I explained what had happened to Booking.com. A customer service representative apologised before blaming the security breach on the host, saying that they must have had their own website infected with malware, giving the hackers access to my information.

This is an issue for websites such as Booking.com which send customers to third-party websites. These are often run by B&B owners or holiday let landlords with one property, who are unlikely to have the same security resources as a major travel firm.

Potentially adding to the security issues is the fact that it takes less than 15 minutes to set up a Booking.com host page, with no requirement to show a passport or official ID.

In terms of the second and third questions, the amounts stolen and the number of victims are significant. The scam has been bubbling along for years, with the UK's Action Fraud having received 532 reports from individuals, with a total of £370,000 lost between June 2023 and September 2024.

Between them, they are more than £370,000 out of pocket. They may also have been victims of a breach of their data rights. Several years ago Booking.com was slapped with a €475K fine for failing to take action following a GDPR breach.

If anything, the problem seems to be getting worse. Last June, Booking.com admitted that there had been an increase of between 500 and 900 per cent in scams carried out on the platform in the previous 18 months.

In 2023 Dr Leigh Jones, a University of Oxford academic, told the Mirror how she had lost more than £1,000 at the hands of scammers after she booked multiple hotel rooms for her family ahead of her wedding day in Vietnam.

"It was a really impressive phishing scam. After this, I will be done with Booking.com. Why is there no warning on their website? I'd advise people to switch to another way to booking holidays," she told the Mirror at the time.

Earlier this year Which? found that some Booking.com customers had been contacted by scammers through the company's official app, making it much harder to distinguish it from a genuine message from a host.

Not only are customers losing money, the scammers are causing accommodation operators major headaches.

Balaram Thapa runs a hotel in Kathmandu, Nepal. Recently, one of his customers fell victim to a phishing scam.

"One of our guests booked a room at our hotel through Booking.com, received a confirmation, and then later got a message that appeared to come from us, asking them to reconfirm their payment via a third-party link. It looked completely legitimate, with our hotel name and reservation details included," the hotelier explained.

The guest paid through the fake link and only realised it was a scam when they arrived.

"It was a frustrating situation for both the guest and our team. Not only did they lose money, but it damaged their trust in the booking process—and in us, even though we had no role in the scam. It’s become clear to me that travellers need to be especially cautious about messages they receive, even if they appear to be from official booking platforms."

Balaram contacted Booking.com and was told that the hotel's account may have been compromised. Their advice was to change the password. "They didn’t offer any further assistance or compensation," the hospitality manager added. To help the distraught customer, Balaram offered a 50% discount on their stay. "It was a loss on both sides, but we did our best to make it right," he said.

Sean Malloy is an American lawyer who has represented phishing scam victims in court and offered some advice for those fearful of being caught out.

"I have dealt with numerous instances of phishing scams that resulted in financial or emotional losses. When platforms like Booking.com are impersonated, consumers are often caught off-guard, especially since the communication can appear so legitimate," he told the Mirror.

"To protect themselves, travellers should NEVER CLICK any payment links sent in email or text, and always verify bookings and requests by using the app or site itself. Turn on two-factor authentication when you can, and review your accounts periodically for evidence of hacking."

A spokesperson for Booking.com told the Mirror: "While we can confirm that Booking.com's systems have not been breached, we are aware that some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals. Online fraud is unfortunately a battle many industries are facing, and at Booking.com we are committed to tackling this issue head on.

"We have a number of robust security measures in place and continually invest in advanced technologies, including AI and machine-learning, to detect and block the vast majority of threats before they can have an impact. Once a concern has been raised, our security teams will investigate immediately and work with partners to secure their accounts as quickly as possible."

The spokesperson advised that customers concerned about payment messages should "carefully check the payment policy details on their booking confirmation to be sure that the message is legitimate. When in doubt, it’s always best to contact our customer service team or click on ‘report an issue’ which is included in the chat function. It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone. If the customer has any concerns relating to credit card payments, they should contact their bank for further assistance.

"Like many businesses operating in the e-commerce space, we and our partners can be attractive targets for cybercriminals. However, thanks to our robust measures, considering our global scope and the millions of bookings we facilitate weekly, actual incidents are rare. We continually invest in advanced technologies, including AI and machine-learning, to detect and block the vast majority of threats before they can have any impact. In the event of a confirmed partner account takeover scenario, we inform guests via email providing a warning about the potential of receiving phishing messages.

"We take the process of verifying accommodation listings seriously. While partners can register in less than 15 minutes, they are then exposed to multiple controls and checks during sign-up, after submission and before their listings become bookable."