Users attempting to rent vacation properties on the VRBO.com/HomeAway.com websites are becoming frequent victims of internet scams based on email phishing attacks described in the article below from consumer advocate website elliot.com. VRBO listing 156539 is one of the property listings on the site which apparently has fallen victim to this attack.
Shauna Kattler thought shed found the
ideal rental home in Playa del Carmen, Mexico, for her Christmas
vacation: a two-bedroom penthouse condominium with a hot tub and an
impossibly perfect view of the Caribbean.
And she was getting it for the impossibly low peak-season rate of
$450 a night through HomeAway.com, a popular vacation rental Web site.
Impossibly being the operative word.
Shortly after Kattler, a relocation specialist from Kirkland, Wash.,
wired the money to Mexico, she discovered that shed paid the wrong
person. Her vacation dollars didnt go to the property owner, but to
someone who had stolen the owners e-mail password and assumed his
identity through a crime called phishing.
Sound familiar? It should.
This past fall, I reported about new phishing problems on HomeAway
and another site it owns, VRBO.com. I introduced you to Tania Rieben,
who lost $4,300 at the slippery fingers of a scam artist posing as a
vacation rental owner in Maui.
Since then, Ive heard from many more phishing victims who wired
money to shady characters pretending to hold the keys to a HomeAway
vacation rental. And Ive heard from HomeAway, which says its taking
steps to prevent future phishing attacks and help the customers who have
lost money. More on its efforts in a second.
Lets get back to Kattler. She tried calling the property, but the
person who answered hung up on her repeatedly. Finally, she contacted
HomeAway, which reviewed her e-mail correspondence and confirmed her
suspicions: Shed been scammed.
This is not a case of fraudulent activity on the HomeAway.com site,
but is a case of the owners e-mail account being compromised, the
company added. HomeAway.com takes all fraudulent activities seriously,
but our responsibility cannot extend to actions on private e-mail
Kattler is understandably frustrated. She says HomeAway should refund
the $4,500 she spent for 10 nights that shell never use. After all,
the crime happened because of one of its listings. All they can say is
Im sorry,? she says. HomeAway is not taking any responsibility for
the lack of security on their Web site.
Actually, HomeAway is doing more than apologizing, but it isnt
taking full responsibility for the incidents, either. Thats because the
company insists that the crimes arent being committed through its Web
site. In response to cases such as Kattlers, it recently expanded its
optional Carefree Rental Guarantee to cover phishing losses.
Its also working with its current phishing victims there are 18,
it says to negotiate a resolution between the property owner and the
HomeAway suspends a rentals listing after a phishing incident until
the security breach is plugged, which means that the property owner gets
a new e-mail address. In most of the cases, we do come up with a
solution that makes everyone happy, says Carl Shepherd, the co-founder
Last month, HomeAway also warned the 625,000 property owners and
managers with listings on the site about the phishing threat and offered
them advice on how to protect themselves. Its encouraging its owners
to use an optional new system called Reservation Manager that offers
bank-level security for bookings made online.
Shepherd says customers could easily prevent phishing incidents by
calling the property to verify that theyre e-mailing the correct
person. Criminals havent figured out a way of spoofing a phone number
at least not yet.
To that advice, I would add the following: Never wire money. Every
phishing incident Ive tried to mediate every last one starts with
someone reluctantly sending money to a stranger. Once its gone, theres
no getting it back. With a credit card, at least youre protected and
can dispute a bogus charge.
The phishing problem isnt unique to HomeAway. Other vacation rental
customers have also recently been targeted. But HomeAways guests seem
to be the most vocal. Many of them contacted me to ask for help after
the first column I wrote about phishing. The company reports that some
of these disputes have already been resolved.
But not all of them. Kattlers grievance is still under
investigation. She flew to Mexico as scheduled and paid another $2,000
And Riebens case may never be solved. The real property manager in
Maui says that he warned Rieben that he was the only point of contact
for the rental but that Rieben tried to find the owner and then stumbled
into a trap, according to HomeAway.
Although the property has offered her alternative dates for a stay in Maui, no agreement has been reached.
We feel horrible for her, Shepherd says.
So do I.