Case Study: How Booking.com Fights Fake Properties and Payment Fraud by Verifying Partner Ownership
Cybercriminals are hijacking accommodation partner accounts and creating fake listings. Booking.com is verifying who actually owns the properties on its platform.
The Challenge
Booking.com’s platform connects guests with hundreds of thousands of accommodation partners in over 200 countries. That scale is its strength — and its vulnerability. Cybercriminals have discovered that compromising a single partner account gives them a trusted channel to message guests, send fraudulent payment links, and steal financial data using Booking.com’s own messaging system.
The attack pattern is now well-documented. Criminals use InfoStealer malware to harvest partner login credentials. Once inside, they send guests urgent messages — “Your booking is at risk of cancellation — verify your payment within 24 hours” — that link to phishing pages mimicking Booking.com’s payment portal. The messages use real booking details, making them nearly impossible for guests to distinguish from legitimate communications.
But the problem goes deeper than account takeovers. Fraudulent actors also create entirely fake property listings, register shell companies as accommodation partners, and use nominee arrangements to obscure their identity. Booking.com needed a way to verify not just that a partner account is secure, but that the business behind the listing is real and that the people controlling it are who they claim to be.
The Solution
Booking.com integrated Zavia.ai into its partner verification process to add ownership-level due diligence to its trust and safety infrastructure.
How Zavia.ai works differently for Booking.com:
- Partner authenticity verification: Before a new property goes live on the platform, Zavia.ai checks whether the registering business entity actually exists in the local government registry, whether it is actively trading, and who its directors and owners are. Fake companies with no registry footprint are caught before they ever receive a guest booking.
- Ownership change detection for account takeover prevention: When a partner property changes ownership — a common trigger for account takeover fraud — Zavia.ai detects the change and flags the account for re-verification. This closes the window where criminals exploit the transition period between an old owner and a new one.
- Shell property detection: Zavia.ai’s AI identifies partners registered under entities that exhibit shell company characteristics: recently formed, no employees on record, corporate service provider addresses, or the same individual appearing as a director across multiple unrelated accommodation businesses. These patterns distinguish legitimate hotel operators from fraud infrastructure.
- High-risk jurisdiction screening: For partners registering properties in markets with weak corporate transparency, Zavia.ai applies lower ownership thresholds and flags entities with opaque structures. A property operator in a FATF grey-listed jurisdiction with untraceable ownership triggers enhanced review before listing.
The Results
| Metric | Before Zavia.ai | After Zavia.ai |
| Partner registration verification | Self-declared business details | Registry-verified entity with ownership chain confirmed |
| Fake listing prevention | Detected reactively after guest complaints | Caught at registration — no-registry entities blocked proactively |
| Account takeover risk | 2FA + manual security reviews | Ownership change alerts add a structural layer to account security |
| Shell company detection | Not part of partner onboarding | AI-flagged at registration based on entity characteristics |
Why It Matters
Booking.com’s phishing problem is fundamentally an identity problem. Criminals succeed because they can impersonate legitimate partners. The technical defenses — 2FA, DMARC, disabled payment links — are necessary but insufficient. They protect the communication channel. They do not verify who is on the other end.
By verifying partner ownership at the entity level, Zavia.ai addresses the root cause: ensuring that every accommodation partner on the platform is a real business, controlled by identifiable people, registered with the relevant government authority. That is the trust layer that technical security measures cannot provide alone.
Bottom line:
Zavia.ai enables Booking.com to verify the corporate identity and ownership of every accommodation partner, catching fake listings, shell company registrations, and ownership changes that signal account takeover risk — adding entity-level trust to the platform’s security infrastructure.
