Booking.com users have spoken of their anger at the company's failure to stop them falling victim to cyber-criminals.
For at least a year, fraudsters have been able to infiltrate its app and trick users out of hundreds of pounds.
Dozens of people have contacted the BBC to say they have lost money, with one saying she had been "failed" by the travel firm.
Booking.com said it was implementing new safety features but there was "no silver bullet".
The company, which is one of the biggest hotel and holiday websites in the world, has not itself been hacked.
Instead, criminals have tricked their way into the administration portals of individual hotels that use the service.
This enables them to send messages from the official app and fool customers into paying them instead of the hotel.
Colleen Marples, 44, from the Derbyshire Dales, lost £147 when booking a holiday in Egypt for her husband's 50th birthday in March.
After exchanging messages with what she thought was the hotel in Cairo via the Booking.com app, she was sent a payment request. It had in fact come from scammers.
"I clicked on it not suspecting it was a scam, given it was in the same ongoing chat in the app," she told the BBC.
She has not been able to recover the money from the website or her bank.
"It's not a high amount of money for Booking.com but it's a significant amount of money in everyday life.
"Booking.com have a duty to their clients and they've failed in this case. I am still battling to get my money."
Another British customer, who wished to remain anonymous, told the BBC he lost £1,200 after being tricked through the app.
He is also fighting to get a refund and said he felt "extremely let down".
"I believe, as a customer that chooses to use the official platform set up by the company, you can expect a level of security and trust from within that system."
Meanwhile, Ian Robinson, 64, from Cumbria, described how hackers attempted to scam him twice for £122 and then £283 at two unrelated hotels in separate towns, as he booked a road trip in the UK.
"Luckily, I phoned the hotels directly and so avoided getting caught, but when I reported it to Booking.com, they weren't interested," he said.
A spokesman for Booking.com said that there was no "silver bullet to eradicate all fraud on the internet" but that the company's security team were always monitoring and stopping new threats.
"We are implementing new measures to assure the account security of both our customers and partners, including new security features to lock or block inactive partner admin accounts, which is where we have seen fraudulent activity take place once scammers get unauthorised access to the hotel's Booking account."
The company said it was also monitoring for suspicious activity on its app and disabling links being shared if the chats appear illegitimate.