If you think the words “vacation rental” and “phishing” are all but synonymous, you’re not alone. Just talk to Ann Schutte, who recently found a rental villa with a “million-dollar” view in Sedona, Ariz., through the rental Web site VRBO.com.
A woman claiming to own the property quoted her a $645 rate for five nights if she wired her the money. “After a number of e-mails back and forth, I agreed to the rental,” says Schutte, a property manager from Phoenix. “I received a contract. Everything looked correct on the contract. It even had the rental property address and logo. I signed the agreement, and wired the money through Western Union to the U.K.”
For those of you following the vacation-rental phishing saga, you probably know what comes next: Schutte never heard back from the “owner,” so she called the phone number under the property listing.
And that’s when she discovered that she had no reservation. She’d been scammed. VRBO “explained that the owner of the property had her e-mail hijacked because she didn’t have the proper filters in place,” Schutte says. “And there is nothing anyone can do.”
Phishing schemes fraudulently extract personal information by e-mail — in this case, the e-mail login credentials of a property owner. The criminals then impersonate the owner, enticing customers to wire money. The vacation-rental industry has been hit hard by this type of scam since 2011, and there appears to be no hope for a quick remedy.
HomeAway, which owns VRBO and has a commanding market share among vacation-rental Web sites, reported 3,000 phishing cases as of last fall. It declined to provide an updated number because it’s a publicly traded company and was working on its latest quarterly earnings report at the time I requested the information.
“The unfortunate fact is that phishing continues to be a part of the landscape of the Internet,” says Carl Shepherd, co-founder of HomeAway. “For this reason, we continue to work to create systems that enable owners and travelers to talk to each other so that each has a great experience, while minimizing the opportunities for either party to be hijacked by a phisher.”
Last year, the company announced a product called HomeAway Secure Communicationthat would have offered a phish-proof way for homeowners and prospective renters to communicate. But it was “met with some trepidation,” according to the company, because it required both owners and travelers to be logged in to a secure HomeAway system to communicate. HomeAway backed away from that proposed solution and is working on an alternative, which it plans to introduce soon.
Guests are impatient with the phishing problem. Consider what happened to Amitav Chakravartty last year when he decided to rent a home for a family reunion in Southern California. He found a great deal on an oceanfront villa on Craigslist, the online classifieds site, with just one catch. You guessed it: He had to wire $900 to the “owner.”
The loss of this money inspired Chakravartty and Anirban Bardalaye to start a company called Zaranga, a more tightly controlled vacation rental marketplace that handles the financial transaction between both parties.
“We primarily work with reputable licensed property managers, which eliminates any kind of fraudulent activity,” says Bardalaye. “Funds are not distributed to them till a day after check-in. Even more, if hosts require security deposits, Zaranga mediates between hosts and travelers before they release any kind of charges against security deposits.”
So far, Zaranga is working with 600 rental properties, mostly in Northern California, and it claims a “100 percent” track record against any kind of scam, phishing or otherwise.
But short of building an entirely new site that acts as an intermediary between the buyer and the seller, a phishing scam fix has proved elusive. That’s because the criminals perpetrating this scheme are exploiting weaknesses down the entire transaction path.
For example, they’re taking advantage of the fact that some property owners still accept — and often insist on — wire transfers. Sending money by wire offers consumers no protection, and once the funds have been sent, there’s usually no way to get them back.
The phishing schemes also exploit vulnerabilities at the site level, say critics. Many victims claim that sites such as HomeAway and VRBO have been hacked, leading to the compromised e-mail accounts. HomeAway disputes that claim, insisting that the owners’
e-mail accounts were hacked. In any event, the company now covers such breaches through optional insurance that renters can buy.
To add to the confusion, there’s yet another player: the bank handling the wire transaction. A loosely organized group of vacation rental owners has tried to push authorities in the U.K. to track down phishing scammers through the banking system, but so far they’ve been unsuccessful. The complaints are referred to a civilian data collection agency, which in turn is supposed to report phishing incidents to the police.
“They do not even grasp what is going on here,” says Nick Hyam, a British expatriate who manages several rental properties in Bali, Indonesia. “They have no direct contact with the police, have no system in place to update information, and as far as I can see have no system for collating information about the same case. Each report is dealt with as a one-off.”
Unfortunately, it’s either the traveler or the rental owner who usually pays. Rental owners complain that sites such as HomeAway and VRBO pressure them to offer either free or reduced-rate accommodations to victims or risk being de-listed. But more often, renters are simply told that their money is gone, and there’s no way to recover it.
That’s what VRBO told Schutte, even after I asked about her case.
(HomeAway has settled several cases like hers, but usually only when a guest threatens to sue, say victims. The company says that it has settled a few cases, but, a spokewoman added, “it depends on the facts.”)
Many of the online vacation rental sites see themselves as nothing more than listing services, not unlike a Craigslist for vacation rentals. And until that changes, it seems that these phishing incidents are likely to continue unchecked.
Preventing them is as easy as ever. “Use a credit card when paying for a vacation rental,” says Zaranga’s Bardalaye.
And never, ever, wire money. Especially when the deal is too good to be true.
E-mail Christopher Elliott at firstname.lastname@example.org.