How Booking.com is combating fraud on its platform

United we stand, divided we fall…and by fall, we mean succumb to the advanced cyber-schemes lobbed at the travel industry.

The hospitality sector may not be the industry hardest-hit by cybercriminals (that would be the manufacturing industry, as per IBM’s 2026 X-Force Threat Intelligence Index report), but Booking.com CSO Marnie Wilking told IT Brew that it has drawn more malicious attention in recent years, making it essential for everyone in the industry to work together and stay up-to-date with the threats.

“It’s definitely become more targeted over the last several years, especially post-Covid, when travel really picked back up again, and has really gone crazy since then,” Wilking said. “So, there’s clearly quite a bit of money to be made there.”

What are threat actors up to these days? Unsurprisingly, Wilking said AI is making phishing emails more polished, and helping malicious actors create convincing fake property listings on Booking.com and other marketplace websites.

“Again, it gets easier, in particular with generative AI, because it’s so easy to generate beautiful-looking images, really well-written and great grammar emails in any language,” Wilking said. She added that the retail and hospitality industry as a whole has seen an increase in account takeovers and credential stuffing attacks, a tactic that capitalizes on a user reusing a password.

Brand abuse is also a problem for the industry. In January, IT Brew reported on how malicious actors were leveraging the Booking.com brand name in a malware campaign unearthed by Securonix threat researchers.

Offense and defense. Prevention is a key part of Booking.com’s security strategy. On the user side, Wilking said the company implemented a one-time password to help combat credential stuffing. It has also prioritized getting to know its partners (such as property owners), she added, using monitoring applications to identify and track behaviors that may seem suspicious.

“Do we know where they normally log in from? Do we know when they normally log in?” Wilking said. “Gathering all of that information and being able to put some risk-based authentication in place right away to say, ‘Do we really think that this person is who we think they are?’”

Prevention in itself isn’t enough to combat malicious activity, according to Wilking, who added that Booking.com also focuses heavily on detecting and responding to malicious activity. She said the company leverages AI and language models to detect when a message appears suspicious.

“The ability to use AI to detect malicious messages, to detect potentially malicious logins, has really put us in a better place, and we have a high level of confidence when somebody logs in that it is who we think it is, and that they’re doing the things that we expect them to do,” Wilking said.

In 2023, Booking.com detected and blocked around 1.5 million phishing-related fake reservations. New controls brought that number down to 250,000 fake reservations in 2024.

Class is in session. User education is another key focus area, especially during peak travel seasons, according to Wilking.

“We’ve added banners on the site explaining what some of the scams are,” Wilking said. Booking.com also works to keep partners up-to-date on the latest threats.

Wilking said the company maintains a tight-knit relationship with the Retail and Hospitality ISAC, of which many Booking.com partners are members, and provides best practices on its online Trust and Safety Resource Center: “We give [partners] as much information as we can and update [our Trust and Safety section] as frequently as we can when there are new attacks, new scam coming out.”