Published: Saturday, February 18, 2012
Be careful of web phishing scams on travel, rental sites
Shauna Kattler thought she'd found the ideal rental home in Playa del Carmen, Mexico, for her Christmas vacation: a two-bedroom penthouse condominium with a hot tub and an impossibly perfect view of the Caribbean.
And she was getting it for the impossibly low peak-season rate of $450 a night through HomeAway.com, a popular vacation rental website. "Impossibly" being the operative word.
Shortly after Kattler, a relocation specialist from Kirkland, wired the money to Mexico, she discovered that she'd paid the wrong person. Her vacation dollars didn't go to the property owner, but to someone who had stolen the owner's email password and assumed his identity through a crime called phishing.
Sound familiar? It should.
This past fall, I reported about new phishing problems on HomeAway and another site it owns, VRBO.com. I introduced you to Tania Rieben, who lost $4,300 at the slippery fingers of a scam artist posing as a vacation rental owner in Maui.
Since then, I've heard from many more phishing victims who wired money to shady characters pretending to hold the keys to a HomeAway vacation rental. And I've heard from HomeAway, which says it's taking steps to prevent future phishing attacks and help the customers who have lost money.
Let's get back to Kattler. She tried calling the property, but the person who answered hung up on her repeatedly. Finally, she contacted HomeAway, which reviewed her email correspondence and confirmed it was a scam.
"This is not a case of fraudulent activity on the HomeAway.com site, but is a case of the owner's email account being compromised," the company added. "HomeAway.com takes all fraudulent activities seriously, but our responsibility cannot extend to actions on private email accounts."
Kattler is understandably frustrated. She says HomeAway should refund the $4,500. "All they can say is 'I'm sorry,'" she says. "HomeAway is not taking any responsibility for the lack of security on their website."
Actually, HomeAway is doing more than apologizing, but it isn't taking full responsibility, either. That's because the company insists that the crimes aren't being committed through its website. It recently expanded its optional Carefree Rental Guarantee to cover phishing losses.
It's also working with its current phishing victims to negotiate a resolution between the property owner and the guest.
HomeAway suspends a rental's listing after a phishing incident until the security breach is plugged. "In most of the cases, we do come up with a solution that makes everyone happy," says Carl Shepherd, the co-founder of HomeAway.
Last month, HomeAway also warned the 625,000 property owners and managers with listings on the site about the phishing threat and offered them advice on how to protect themselves. It's encouraging its owners to use an optional new system called Reservation Manager that offers "bank-level" security.
Shepherd says customers could easily prevent phishing incidents by calling the property to verify that they're emailing the correct person.
To that advice, I would add the following: Never wire money. Every phishing incident I've tried to mediate starts with someone reluctantly sending money to a stranger. Once it's gone, there's no getting it back. With a credit card, at least you're protected.
HomeAway reports that some of these disputes have already been resolved.
Kattler's grievance is still under investigation. She flew to Mexico as scheduled and paid another $2,000 for accommodations.
And Rieben's case may never be solved. The real property manager in Maui says that he warned Rieben that he was the only point of contact, but that Rieben tried to find the owner and then stumbled into a trap, according to HomeAway.
Christopher Elliott is the ombudsman for National Geographic Traveler magazine. He's also the author of "Scammed: How to Save Your Money and Find Better Service in a World of Schemes, Swindles, and Shady Deals." You can read more travel tips on his blog, www.elliott.org or email him at celliott@ngs.org.
© 2012 Christopher Elliott/ Tribune Media Services, Inc.
And she was getting it for the impossibly low peak-season rate of $450 a night through HomeAway.com, a popular vacation rental website. "Impossibly" being the operative word.
Shortly after Kattler, a relocation specialist from Kirkland, wired the money to Mexico, she discovered that she'd paid the wrong person. Her vacation dollars didn't go to the property owner, but to someone who had stolen the owner's email password and assumed his identity through a crime called phishing.
Sound familiar? It should.
This past fall, I reported about new phishing problems on HomeAway and another site it owns, VRBO.com. I introduced you to Tania Rieben, who lost $4,300 at the slippery fingers of a scam artist posing as a vacation rental owner in Maui.
Since then, I've heard from many more phishing victims who wired money to shady characters pretending to hold the keys to a HomeAway vacation rental. And I've heard from HomeAway, which says it's taking steps to prevent future phishing attacks and help the customers who have lost money.
Let's get back to Kattler. She tried calling the property, but the person who answered hung up on her repeatedly. Finally, she contacted HomeAway, which reviewed her email correspondence and confirmed it was a scam.
"This is not a case of fraudulent activity on the HomeAway.com site, but is a case of the owner's email account being compromised," the company added. "HomeAway.com takes all fraudulent activities seriously, but our responsibility cannot extend to actions on private email accounts."
Kattler is understandably frustrated. She says HomeAway should refund the $4,500. "All they can say is 'I'm sorry,'" she says. "HomeAway is not taking any responsibility for the lack of security on their website."
Actually, HomeAway is doing more than apologizing, but it isn't taking full responsibility, either. That's because the company insists that the crimes aren't being committed through its website. It recently expanded its optional Carefree Rental Guarantee to cover phishing losses.
It's also working with its current phishing victims to negotiate a resolution between the property owner and the guest.
HomeAway suspends a rental's listing after a phishing incident until the security breach is plugged. "In most of the cases, we do come up with a solution that makes everyone happy," says Carl Shepherd, the co-founder of HomeAway.
Last month, HomeAway also warned the 625,000 property owners and managers with listings on the site about the phishing threat and offered them advice on how to protect themselves. It's encouraging its owners to use an optional new system called Reservation Manager that offers "bank-level" security.
Shepherd says customers could easily prevent phishing incidents by calling the property to verify that they're emailing the correct person.
To that advice, I would add the following: Never wire money. Every phishing incident I've tried to mediate starts with someone reluctantly sending money to a stranger. Once it's gone, there's no getting it back. With a credit card, at least you're protected.
HomeAway reports that some of these disputes have already been resolved.
Kattler's grievance is still under investigation. She flew to Mexico as scheduled and paid another $2,000 for accommodations.
And Rieben's case may never be solved. The real property manager in Maui says that he warned Rieben that he was the only point of contact, but that Rieben tried to find the owner and then stumbled into a trap, according to HomeAway.
Christopher Elliott is the ombudsman for National Geographic Traveler magazine. He's also the author of "Scammed: How to Save Your Money and Find Better Service in a World of Schemes, Swindles, and Shady Deals." You can read more travel tips on his blog, www.elliott.org or email him at celliott@ngs.org.
© 2012 Christopher Elliott/ Tribune Media Services, Inc.
Comments
(
