
Booking.com Scams: How Hosts Protect Guests and Properties

Host note: Keep guest messaging and payments inside Booking.com. Turn on two-factor authentication (2FA) for every user, verify any unusual request directly in the extranet, and avoid external links. Manage conversations centrally with Smoobu’s Guest Communication and connect your listings via the Channel Manager for Booking.com to reduce risk and response time.


Quick summary

  • Keep all guest messaging and payments inside Booking.com.
  • Enable 2FA on every extranet user account, and remove unused logins.
  • Treat external payment links and urgent cancellation threats as suspicious.
  • Verify claims in the Booking.com extranet before responding.
  • Centralize replies with Smoobu’s Guest Communication, and connect via the Channel Manager for Booking.com.

Navigating Booking.com securely in a changing threat landscape

Booking.com is an indispensable tool for millions of hosts and guests, offering a vast selection of properties at their fingertips. However, its popularity and the trust users place in it also make it a lucrative target for sophisticated scammers. As travel resumes and online bookings become the norm, the threat of digital fraud looms larger than ever. Recent reports highlight a dramatic rise in scams specifically targeting users of this platform, often leveraging advanced technologies, such as generative AI tools, to create compelling fake communications. Falling victim to one of these scams can lead to financial loss, stressed guests, and damage to your brand and operations.

This guide is designed to be your comprehensive defense manual. It will equip hosts with the knowledge to navigate Booking.com securely, moving from awareness to action. You will learn how these scams operate, how to identify subtle red flags in communications and on the platform itself, and, most importantly, the proactive steps you can take to prevent fraud from ever happening. Should the worst occur, this guide also provides a clear, step-by-step recovery plan to help you mitigate damage and regain control. By following these instructions, you transition from a potential target to a vigilant host capable of protecting your guests, properties, and revenue.


Staying secure on Booking.com today

The landscape of online booking is evolving, and with it, the tactics of those who seek to exploit it. Securing your Booking.com operations requires more than a strong password. It demands awareness and a clear understanding of the threats you may face. Scammers now impersonate both Booking.com and legitimate properties, creating urgency to trick guests into compromising personal and financial information.

The threat is real and growing; in Australia alone, scams mentioning Booking.com surged by more than 580% in 2023. This guide is your essential resource for understanding and combating modern booking scams while keeping communication on-platform.

What this comprehensive guide covers: your roadmap to safety

Three-phase approach for hosts: identification, prevention, and recovery.

This guide offers a structured, three-phase approach to securing your Booking.com operations, encompassing identification, prevention, and recovery.

  • Identification: We dissect the anatomy of common scams. Learn to recognize warning signs in phishing emails, suspicious messages in Booking.com chat, and fake payment pages designed to steal card details.
  • Prevention: Knowledge is your first line of defense, but proactive measures are your armor. Enable 2FA, verify booking details in the extranet, centralize messaging, and adopt safe communication habits.
  • Recovery: If you suspect you have been targeted, act fast. Contact your bank, report fraud to Booking.com, and engage national authorities such as Action Fraud where applicable.

The increasing prevalence of online booking fraud

The anatomy of a scam: why Booking.com and similar platforms are targeted

Booking.com and other online travel agencies (OTAs) are prime targets for cybercriminals. They handle names, contact information, travel dates, and payment details, which makes them high-value. The intermediary model connects millions of guests with hundreds of thousands of properties. Scammers exploit this by impersonating either party—posing as a property when contacting a guest, or as Booking.com itself.

The transactional nature of the platform also works in scammers’ favor. Guests expect messages about reservations, including payment and confirmation. This expectation lowers their guard, making phishing that mimics legitimate correspondence more effective. Urgency is a powerful tool: fake “payment problems” or “verification requests” push users to fraudulent pages to harvest card info. The travel and leisure industry’s high rate of suspected digital fraud, 36% in 2023, underscores its vulnerability.


What this guide offers: your pathway to enhanced security

By engaging with this guide, you gain more than tips—you adopt a strategic framework for secure operations. You will learn to assess emails, messages, and payment requests from a host’s perspective. The outcome is a reduced risk profile and the confidence to adapt as fraud tactics evolve. Ultimately, the goal is peace of mind: plan confidently, protect your guests, and run your properties without distraction.


Spot red flags before and during bookings

Understanding Booking.com fraud: common tactics and how they work

The most prevalent threat is phishing—fraudulent attempts to obtain sensitive information by impersonating a trusted source. On Booking.com, this unfolds in two common ways.

  • Direct phishing email. A fake email looks almost identical to an official one. It may claim there’s a payment issue and prompt the recipient to follow a link to “verify details,” leading to a counterfeit site that steals information.
  • Compromised extranet account. Attackers gain access to a property’s Booking.com account and use the official messaging system to contact confirmed guests, often including an external payment link for supposed “verification.” Because these messages come from within the app or website, they appear highly legitimate.

During the booking process: recognizing warning signs on Booking.com

Be wary of listings with few but overwhelmingly positive reviews or photos that look like stock images. Cross-check the location on a separate map. After a reservation is made, treat any high-pressure message with caution, even inside Booking.com chat. Phrases like “Your booking is at risk of cancellation” or “Verify within 24 hours” are classic fraud tactics. A legitimate property or Booking.com will not ask for card details over WhatsApp or email, or send you to an unfamiliar third-party payment site. Keep actions within the Booking.com app or website.

Why large platforms are vulnerable, and how hosts can respond

The platform connects guests and properties that are unfamiliar with each other, creating a trust gap. Vulnerabilities often lie at the partner level: smaller operations may have weaker security, making extranet accounts susceptible to takeover. Once scammers control a legitimate account, they gain a trusted channel to message guests, using real booking details for credibility. The scale of transactions makes manual vetting a challenging task. Increasing sophistication, often aided by AI-driven tactics, compounds detection challenges.


How to avoid scams on Booking.com

Primary fraud categories requiring your attention

To prevent fraud, understand the primary categories of attacks:

  1. Payment redirection fraud: Scammers claim payment failed, a deposit is required, or verification is needed, and push a third-party link to capture card details.
  2. Credential theft: Fake login pages harvest your Booking.com credentials, enabling account takeovers.
  3. Fake listings and fake bookings: Entirely fabricated listings use stock images and low prices, then request direct transfers. Favor properties with a solid history of genuine reviews.

Safe communication practices on the platform

Your communication habits are a critical layer of defense. Follow these rules:

  • Keep all communication within Booking.com. Do not move to email, WhatsApp, or other apps. The platform’s messaging creates a record that the support team can review.
  • Never click links in unsolicited messages. If a message includes a link, navigate directly to Booking.com in a new tab and check the reservation there.
  • Verify urgent requests independently. If a message claims payment issues, verify in the extranet before replying. Use official contact methods and the reservation number.

Detection within prevention: identifying warning signs pre- and post-booking

Adopt a mindset of healthy skepticism and apply these checks:

  • Analyze the sender. Check the real email address, not just the display name.
  • Watch for generic greetings and subtle errors. Many scams still contain wording inconsistencies.
  • Scrutinize URLs. Hover to preview the destination. If it is not an official Booking.com domain, avoid it.
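
The sender and URL checks above can be automated for messages your team forwards for review. The following is an added example, not part of the original guide or any Booking.com or Smoobu tool; the allowlist, function names, and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: booking.com is the only trusted registrable domain; extend as needed.
OFFICIAL_DOMAINS = {"booking.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message (not a real email) with lookalike sender and links.
SAMPLE = """\
From: "Booking.com Support" <support@booking-com.partner-verify.example>
Subject: Your booking is at risk of cancellation

Verify within 24 hours:
https://booking.com.verify-card.example/pay?id=123
https://secure.booking.com@pay.example/confirm
https://www.booking.com/
"""

def is_official_host(host):
    """True only if host is an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_message(raw):
    """Return a list of warning strings for one raw email message."""
    msg = message_from_string(raw)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    if not is_official_host(addr.rpartition("@")[2]):
        note = "sender address is %s" % (addr or "missing")
        if "booking" in display.lower():
            note += ", but display name claims %r" % display
        warnings.append(note)
    body = msg.get_payload()
    for url in URL_RE.findall(body if isinstance(body, str) else ""):
        # .hostname drops any "user@" prefix and the port, so a link such as
        # https://secure.booking.com@pay.example/ is judged by its real host.
        host = urlsplit(url).hostname
        if not is_official_host(host):
            warnings.append("link goes to %s" % host)
    return warnings

if __name__ == "__main__":
    for warning in check_message(SAMPLE):
        print(warning)
```

A clean result is not proof of authenticity: the From header can be forged, and a compromised extranet account sends messages that are genuinely on-platform, so unusual requests still need verification in the extranet.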

General vigilance and practical hosting smarts

Know standard payment policies for your properties. Unexpected, immediate payment requests long before check-in are suspicious. Review Booking.com cancellation policies to set guest expectations. Enable 2FA on your Booking.com account. Even if a password is stolen, the second factor blocks access. Trust your instincts: if something feels off, verify in the extranet before acting. The fact that 28% of people surveyed in 2024 admitted to falling for a travel scam highlights the need for ongoing vigilance.


Pre-booking verification: confirming property authenticity

Immediate actions to halt loss and mitigate damage

If you realize you or your guest may have been scammed, act swiftly. Contact the bank or card issuer via the 24/7 fraud line to block the card and dispute charges. Request a chargeback if appropriate. Change your Booking.com password immediately, and update any reused credentials. In Smoobu, alert your team, document what happened, and use templates to notify affected guests within Booking.com messages. See our guide to automated guest communication for setting up safe message templates in advance.

During the reservation process: recognizing indicators in the Booking.com interface

Verify all claims against the booking page in the official app or website. If a message claims “payment failed,” the reservation should reflect it. If the booking is confirmed and paid, the message is likely fraudulent. Be cautious of messages offering alternative phone numbers or emails; use only official Booking.com communication channels, such as those in the extranet.

Seeking financial and legal recourse

Gather evidence: screenshots of messages, emails, payment confirmations from the fraudulent site, and your official booking confirmation. Report the incident to Booking.com customer service. Persistence helps—prepare a clear timeline. Also, report the crime to national authorities. In the UK, report to Action Fraud. Between June 2023 and September 2024, Action Fraud received 532 reports of Booking.com scams. Understanding your consumer rights matters: card providers often offer protection against fraudulent transactions. Monitor performance and chargebacks in Smoobu’s statistics dashboard to identify unusual trends.

During a guest’s stay: on-site and post-reservation indicators

Remain vigilant on arrival and after the stay. If a property claims there is no record of a reservation and pressures payment again, contact Booking.com support from the property before paying. Post-stay, beware of phishing emails about “final payment issues” or “refunds.” Verify by logging in directly, not via links. Reduce confusion and avoid double-charges by syncing your Airbnb & Booking.com calendars to keep reservations aligned.


How to report Booking.com scams

Follow these steps to report suspected fraud and protect guests, revenue, and accounts:

  1. Stop contact with the suspected scammer and keep all messaging in Booking.com.
  2. Collect evidence (screenshots of Booking.com chat, email headers, links, payment attempts, booking IDs).
  3. Report in Booking.com using the report option in Messages and open a case with Partner Support.
  4. Use the Resolution Center for payment/refund/deposit disputes and attach documentation.
  5. Notify your bank to block cards and request a chargeback if payment data may be exposed.
  6. File a national report (e.g., Action Fraud in the UK) with a clear timeline and evidence.

Copy-and-paste replies you can use with guests

Payment link request

“Thanks for your message. For your security, all payments and verifications happen only within Booking.com. We will not ask you to use external links. Please open your booking in Booking.com to review any actions.”

Urgent cancellation threat

“Your reservation remains confirmed unless the Booking.com status shows otherwise. We will never cancel based on external emails or links. Please check the booking page in the Booking.com app or website. For official cancellation terms, see Booking.com cancellation policies.”

Off-platform communication

“To keep you protected, we will continue here in Booking.com messages. This ensures your details remain secure.”


If a guest reports a suspected scam

  1. Check the reservation status in the extranet.
  2. Reply in Booking.com chat, and direct the guest to ignore external links.
  3. Report the message to Booking.com support, and note the timeline.
  4. If payment data may be exposed, advise the guest to contact their bank and monitor charges.

If your Booking.com extranet account may be compromised

  1. Reset passwords, revoke unknown sessions, and enforce 2FA for all users.
  2. Review recent actions (messages, rates, policies), and undo suspicious changes.
  3. Contact Booking.com Partner Support, and follow their security steps.
  4. Notify affected guests in-app, and ask them to ignore external links and pay only in Booking.com. You can also automate these responses with guest communication templates.

Staying informed and empowered for safe operations

Mitigation through proactive habits

Security improves through consistent habits: keep communications and payments inside Booking.com, enable 2FA for every user, and verify unusual requests in the extranet. Treat booking details with the same care as online banking credentials. Independent verification before action is your strongest defense. To further improve your setup, review Smoobu’s guide on improving Booking.com visibility.

Your role in protecting the community

Your responsibility does not end with your own operations. Each time you identify and report a scam, you help protect the wider community. Report phishing to email providers, flag suspicious messages to Booking.com, and file reports with national authorities. In an era where holidaymakers lost a combined £11,183,957 to fraud in 2024, shared vigilance is essential. You can also build trust with diverse guests by applying for Travel Proud certification.


What’s next?

You have completed a tour of threats, preventative measures, and recovery actions associated with Booking.com scams. You are equipped to identify phishing attempts, secure accounts, and act quickly if targeted.

Your immediate next steps should be to conduct a quick security audit of your Booking.com setup and team workflows.

  1. Review extranet access: Use a strong, unique password for every user, and enable 2FA.
  2. Check current reservations: Review payment policies and messages. Apply the principles above to spot red flags.
  3. Bookmark key resources: Save your bank’s fraud number and Action Fraud (or your country’s equivalent), and document your internal response steps.

By integrating these practices into your daily workflow, you can host with confidence. Keep conversations on-platform, respond fast, and protect your guests and properties. To continue optimising your business, explore the Genius programme for partners or check out why Smoobu is a 2025 Booking.com Premier Connectivity Partner.

Helpful Smoobu tools: Manage Booking.com safely with our Channel Manager for Booking.com, and centralize replies with Guest Communication.

