Under admittedly different and less-dramatic circumstances, HomeAway is facing its own crisis of confidence, although the victims — renters and vacation rental property owners — have not attracted protracted media attention.
HomeAway, which owns such sites as HomeAway.com, VRBO, VacationRentals.com and 32 others around the world, has acknowledged that customers and vacation rental owners advertising on its sites have been targeted in a phishing scam since 2011 that may affect $1 million in transactions in 2012 alone.
In response, HomeAway has issued fraud alerts, established a Security Center, offered new insurance products to protect against Internet fraud, posted warnings on its sites about phishing and is working on creating a HomeAway Secure Communication system.
But HomeAway regularly declines to compensate victims, arguing that it has no liability because HomeAway sites themselves have not been breached.
After all, HomeAway is merely “like the classified ad in the newspaper,” according to one VRBO email to a phishing victim:
So please understand that the reason we are unable to accept liability in this situation is because the security of an individual’s email address is simply not within our control. Regarding your concern with contacting relevant authorities, please understand … that our site is merely a venue for advertisements much like the classified ad in the newspaper.
Instead, HomeAway argues, cybercriminals, sometimes posing as renters, compromised the email accounts of property owners, and therefore renters should contact the property owners about compensation and should contact local law enforcement authorities, as well.
But now the fraud victims — both renters and property owners — are getting more vocal and demanding that HomeAway take responsibility and provide compensation.
Some 32 renters and property owners are now members of a closed Facebook group, Victims of HomeAway/VRBO + gmail scam, and they are comparing notes and demanding that HomeAway take action.
Marina, a New York City resident who spearheaded the Facebook group, lost $1,700 when she wired the money in mid-November to a London bank account belonging to a scammer. (The phisher told her that the owner of the Florida property lives in the UK.)
A loyal VRBO customer who still uses the site today, despite being victimized last year, Marina had been trying to book a stay last December in the Florida Keys. She filled out the form to contact the property owner’s email through VRBO and got an email reply from a phisher who had apparently compromised the real owner’s email account.
“We had an email exchange for several days negotiating the date and the price,” Marina wrote to VRBO about the fraudster. “They even called me and discussed this rental property over the phone.”
Marina wired the $1,700 — unwittingly to the scammer — to the bank in the UK after receiving a rental agreement which included the Carefree Rental Guarantee by HomeAway logo.
About 11 days later, when she hadn’t heard anything from the property owner, Marina called the phone number displayed on the property owner’s VRBO listing.
“The person on the other side [of the phone conversation] told me that he is the real owner and that he never heard about me and never signed any rental agreement with me,” Marina wrote.
Marina eventually took her vacation after the real property owner agreed to let her rent the vacation home at a discounted rate — but she had to pay $700 in addition to the $1,700 that went to the phisher.
As is their habit, VRBO sent Marina a sympathetic-sounding letter, expressing understanding of her frustration, but reminding her that VRBO believes it has no liability in the matter and that it is the property owners’ “responsibility to safeguard their own email address.”
Marina wrote to VRBO:
As a reputable public company, please take action and address the security loophole in your website workflow; put security alerts on your websites [HomeAway has subsequently done so]; change the email domain for renters’ inquiries; change the communication workflow between property owners and renters that would prevent creating automated filters for all inquiries… This scam can totally blow up and damage your reputation.
Speaking this week about the November incident, Marina recalls the pain.
“When it happens, you feel so abused,” Marina said.
Jen, a Connecticut resident, had a somewhat similar experience in March 2012 when she was trying to rent a vacation home in Martha’s Vineyard in Massachusetts. She concedes there may have been phishing warnings on HomeAway by then, but she was too busy to notice them.
Jen filled in the contact forms on HomeAway.com, sending inquiries to several properties. She received several phone call responses, but didn’t want to spend hours chatting on the phone to rent a property for a long-weekend getaway when she just had a few questions.
For the property Jen eventually decided on, she received an email from the true owner and one from a scammer and “chose the wrong email to respond to,” she said.
The property she wanted to rent had great reviews, earning her trust, and Jen faxed a contract and wired $1,255 to the phisher. The bank account turned out to be outside the US, although there was nothing to indicate that in the instructions, she said.
When Jen called the real owner about instructions to enter the property, the owner had no idea who she was.
HomeAway removed the listing, sent a fraud alert and reinserted the listing within a few days, with the owner using a rental agency as the contact, Jen says.
Jen says she had some dialogue with HomeAway, but never received any compensation and was informed that her case was “closed.”
Carl Shepherd, HomeAway co-founder and chief strategy and development officer, says most homeowners and property managers still prefer to communicate with guests by direct email, but “while we’ve become very successful at preventing criminals from posting fake listings on our sites, the theft of the owner’s email password via phishing has become a problem in the past six months not only on HomeAway websites, but also on those of our competitors.”
With its acknowledgement of the phishing campaign, HomeAway finds itself in the position of constructing a new system to safeguard guest-homeowner communications while still arguing that it is not legally liable for guest and property owner losses due to phishing.
Incidentally, property owners can be phishing victims, too, in that their emails get taken over and bookings that would have come to them get hijacked.
In a blog post, here’s how HomeAway describes the new HomeAway Secure Communication system that it hopes to have in place by the second half of 2012:
This proposed system is similar to sites you may use, like Facebook, LinkedIn and others, where authentication is required by both parties before they can connect. On these sites, once two parties have decided to “trust” each other, they can converse via email. But until trust is established, they CAN still communicate keeping key elements of their identity protected.
HomeAway makes much of the fact that it estimates phishing incidents impacted just .1% of HomeAway’s transactions during the first three months of 2012.
Thus, if the victims’ losses are so tiny to a company that recorded $230 million in revenue in 2011, then why not compensate them? Shepherd answers:
This is not a question of the size of the amount. As you can appreciate, there are choices we make every day in order to balance the needs of customers against our fiduciary responsibility as a public company. However, even though we aren’t legally liable for any losses incurred by a traveler when the owner’s email account is phished, we choose to provide support in some cases when we believe doing so will help the two victims of phishing find a satisfactory resolution.
HomeAway’s standard response to phishing incidents is to advise property owners and guests to resolve their issues on their own, and HomeAway won’t say whether it has compensated any victims.
“We won’t comment on the specifics of any particular case, but the facts and circumstances of all cases vary, so the outcomes vary, as well,” Shepherd says.
Meanwhile, Marina says while there are only a few dozen verified victims who have been accepted into the Facebook group, many others have emailed her after she posted a comment online about her incident. She said some haven’t joined the group because they don’t speak English, don’t use Facebook or don’t know about the group.
The vacation rental phishing victims in the Facebook group point out that they are not aware of any recent court test of HomeAway’s contention that it has no liability for the recent incidents, and there is some talk about starting litigation.
One member of the group argues that HomeAway won’t take responsibility “unless you come at them with a lawyer.”
Apart from that, Marina makes the moral argument, as well.
“If they are saying it was such a small percent, then why not compensate people,” Marina says. “These are your customers.”