Tania Rieben thought she’d scored a bargain on a one-bedroom condominium in Maui for spring break. She’d found the vacation rental through a popular Web site called VRBO.com and then negotiated directly with the owner.
But after she wired $4,300 for a six-week stay, the person claiming to represent the property stopped answering her e-mails, and she soon made a stunning discovery: The “owner” was actually a scam artist who had obtained the real owner’s e-mail password and assumed his identity.
“Now the money’s gone,” Rieben says. “And I don’t have a condo.”
Cases such as Rieben’s are crossing my desk with greater frequency. The crime against the Maui property owner is referred to as “phishing,” and it’s a large and growing problem. If you’ve ever received an e-mail from a friend who claims to have been robbed in London and needs a quick loan, then chances are you know someone who has been phished. There were 67,677 reported phishing attacks during the last half of 2010, up from 48,244 in the first half of the year, according to the latest Global Phishing Survey.
The crime against Rieben? Simple theft. Someone stole $4,300 from her. Worse, she claimed that initially, everyone else involved in the transaction, including VRBO and representatives of the property, tried to slowly back away from her problem.
“The real property manager informed me that any e-mails, bookings or payments go through the company, not the owner, for all properties they represent,” she told me. “And VRBO is of course saying that there’s nothing they can do and that the e-mail probably was compromised on the owner’s end, not theirs.”
Doesn’t VRBO bear some responsibility? I asked Carl Shepherd, the co-founder of HomeAway, which owns VRBO, about phishing in general and Rieben’s situation specifically. The company has had 352 secondary phishing incidents this year, only a fraction of which have directly affected its customers, he says. He added that customers who hold the site responsible for phishing attacks don’t understand how VRBO works.
“They’re not renting from VRBO,” he says. Instead, they are being connected to one of 625,000 property owners through the site. VRBO is simply the middleman in the transaction, and it can’t control how the owners do business. He said that the site encourages them to use a secure system called Reservation Manager, which ensures that the money goes to the right person, but that it can’t force them to do so.
Rieben’s case is complicated by the fact that she had communicated with the real property manager as well as the fake owner, according to VRBO. The property manager, who had advertised on VRBO, had raised some red flags when Rieben told her that she’d communicated with the “owner” and had been offered a $4,300 rate during high season, which is an excellent, if not unheard of, rate.
But VRBO also leaves its customers with the impression that they’re renting from a safe place. It offers an optional insurance policy called the “Carefree Rental Guarantee” that protects against misrepresentation, foreclosure or double-booking. Some customers also say that the site gives them an overall impression that they are more protected when they deal with VRBO as opposed to renting a vacation space found through an Internet search or an online classified site such as Craigslist.
I mention this because I recently tried to help another VRBO customer named Amy Hutt, who had booked a rental in Bali for this fall. At least that’s what she thought. Her story is almost identical to Rieben’s; she believed that she was dealing with the owner right up until she wired her $2,000. Then the “owner” disappeared, along with Hutt’s money.
Hutt says that she had misgivings about wiring money to Bali but that when she expressed them, the scammer had a ready answer. Wiring the money, the phisher asserted, was her only option because it was a last-minute reservation.
Even though Hutt had bought the “Care Free Guarantee,” a VRBO representative said that it didn’t cover phishing attacks. So the criminals got to keep her money. But after I asked about her case, VRBO contacted the property owner, who agreed to let Hutt stay at the property.
VRBO’s standard operating procedure in a phishing incident is to suspend the advertisers’ listings until they offer travelers restitution. As I write this, it is hammering out a deal between Rieben and the condo owner in Maui that would give her a $4,300 credit.
That would be a happy ending for Rieben, and I sincerely hope that they can work something out. But the best way to guarantee a great vacation would be to follow one simple rule: Never, ever wire money. Once you hit “send,” it’s as good as gone.
VRBO, for its part, hopes that despite the phishing attacks, people will still recognize it as one of the best places to find a rental home. “We are the safest vacation rental site,” asserts Shepherd, claiming that “99.9 percent of our rentals are free of fraud. And we are constantly looking for ways to improve.”
Elliott is National Geographic Traveler magazine’s reader advocate. E-mail him at email@example.com.