Airbnb had its moment of viral reckoning last year when “EJ” eloquently wrote of how the San Francisco apartment she rented out got trashed beyond recognition.
Under admittedly different and less-dramatic circumstances, HomeAway is facing its own crisis of confidence, although the victims — renters and vacation rental property owners — have not attracted protracted media attention.
HomeAway, which owns such sites as HomeAway.com, VRBO, VacationRentals.com and 32 others around the world, has acknowledged that customers and vacation rental owners advertising on its sites have been targeted in a phishing scam since 2011 that may affect $1 million in transactions in 2012 alone.
In response, HomeAway has issued fraud alerts, established a Security Center, offered new insurance products to protect against Internet fraud, posted warnings on its sites about phishing and is working on creating a HomeAway Secure Communication system.
But HomeAway regularly declines to compensate victims, arguing that it has no liability because HomeAway sites themselves have not been breached.
After all, HomeAway is merely “like the classified ad in the newspaper,” according to one VRBO email to a phishing victim:
 So please understand that the reason we are unable to accept liability in this situation is because the security of an individual’s email address is simply not within our control. Regarding your concern with contacting relevant authorities, please understand … that our site is merely a venue for advertisements much like the classified ad in the newspaper.
Instead, HomeAway argues, cybercriminals, sometimes posing as renters, compromised the email accounts of property owners, and therefore renters should contact the property owners about compensation and should contact local law enforcement authorities, as well.
But now the fraud victims — both renters and property owners — are getting more vocal and demanding that HomeAway take responsibility and provide compensation.
Some 32 renters and property owners are now members of a closed Facebook group, Victims of HomeAway/VRBO + gmail scam, and they are comparing notes and demanding that HomeAway take action.
Marina, a New York City resident who spearheaded the Facebook group, lost $1,700 when she wired the money in mid-November to a London bank account belonging to a scammer. (The phisher told her that the owner of the Florida property lives in the UK.)
A loyal VRBO customer who still uses the site today, despite being victimized last year, Marina had been trying to book a stay last December in the Florida Keys. She filled out the form to contact the property owner’s email through VRBO and got an email reply from a phisher who had apparently compromised the real owner’s email account.
“We had an email exchange for several days negotiating the date and the price,” Marina wrote to VRBO about the fraudster. “They even called me and discussed this rental property over the phone.”
Marina wired the $1,700 — unwittingly to the scammer — to the bank in the UK after receiving a rental agreement which included the Carefree Rental Guarantee by HomeAway logo.
About 11 days later, when she hadn’t heard anything from the property owner, Marina called the phone number displayed on the property owner’s VRBO listing.
“The person on the other side [of the phone conversation] told me that he is the real owner and that he never heard about me and never signed any rental agreement with me,” Marina wrote.
Marina eventually took her vacation after the real property owner agreed to let her rent the vacation home at a discounted rate — but she had to pay $700 in addition to the $1,700 that went to the phisher.
As is their habit, VRBO sent Marina a sympathetic-sounding letter, expressing understanding of her frustration, but reminding her that VRBO believes it has no liability in the matter and that it is the property owners’ “responsibility to safeguard their own email address.”
Marina wrote to VRBO:
As a reputable public company, please take action and address the security loophole in your website workflow; put security alerts on your websites [HomeAway has subsequently done so]; change the email domain for renters’ inquiries; change the communication workflow between property owners and renters that would prevent creating automated filters for all inquiries… This scam can totally blow up and damage your reputation.
Speaking this week about the November incident, Marina recalls the pain.
“When it happens, you feel so abused,” Marina said.
Jen, a Connecticut resident, had a somewhat similar experience in March 2012 when she was trying to rent a vacation home in Martha’s Vineyard in Massachusetts. She concedes there may have been phishing warnings on HomeAway by then, but she was too busy to notice them.
Jen filled in the contact forms on HomeAway.com, sending inquiries to several properties. She received several phone call responses, but didn’t want to spend hours chatting on the phone to rent a property for a long-weekend getaway when she just had a few questions.
For the property Jen eventually decided on, she received an email from the true owner and one from a scammer and “chose the wrong email to respond to,” she said.
The property she wanted to rent had great reviews, earning her trust, and Jen faxed a contract and wired $1,255 to the phisher. The bank account turned out to be outside the US, although there was nothing to indicate that in the instructions, she said.
When Jen called the real owner about instructions to enter the property, the owner had no idea who she was.
HomeAway removed the listing, sent a fraud alert and reinserted the listing within a few days, with the owner using a rental agency as the contact, Jen says.
Jen says she had some dialogue with HomeAway, but never received any compensation and was informed that her case was “closed.”
Carl Shepherd, HomeAway co-founder and chief strategy and development officer, says most homeowners and property managers still prefer to communicate with guests by direct email, but “while we’ve become very successful at preventing criminals from posting fake listings on our sites, the theft of the owner’s email password via phishing has become a problem in the past six months not only on HomeAway websites, but also on those of our competitors.”
With its acknowledgement of the phishing campaign, HomeAway finds itself in the position of constructing a new system to safeguard guest-homeowner communications while still arguing that it is not legally liable for guest and property owner losses due to phishing.
Incidentally, property owners can be phishing victims, too, in that their emails get taken over and bookings that would have come to them get hijacked.
In a blog post, here’s how HomeAway describes the new HomeAway Secure Communication system that it hopes to have in place by the second half of 2012:
This proposed system is similar to sites you may use, like Facebook, LinkedIn and others, where authentication is required by both parties before they can connect. On these sites, once two parties have decided to “trust” each other, they can converse via email. But until trust is established, they CAN still communicate keeping key elements of their identity protected.
HomeAway makes much of the fact that it estimates phishing incidents impacted just .1% of HomeAway’s transactions during the first three months of 2012.
Thus, if the victims’ losses are so tiny to a company that recorded $230 million in revenue in 2011, then why not compensate them? Shepherd answers:
This is not a question of the size of the amount. As you can appreciate, there are choices we make every day in order to balance the needs of customers against our fiduciary responsibility as a public company. However, even though we aren’t legally liable for any losses incurred by a traveler when the owner’s email account is phished, we choose to provide support in some cases when we believe doing so will help the two victims of phishing find a satisfactory resolution.
HomeAway’s standard response to phishing incidents is to advise property owners and guests to resolve their issues on their own, and HomeAway won’t say whether it has compensated any victims.
“We won’t comment on the specifics of any particular case, but the facts and circumstances of all cases vary, so the outcomes vary, as well,” Shepherd says.
Meanwhile, Marina says while there are only a few dozen verified victims who have been accepted into the Facebook group, many others have emailed her after she posted a comment online about her incident. She said some haven’t joined the group because they don’t speak English, don’t use Facebook or don’t know about the group.
The vacation rental phishing victims in the Facebook group point out that they are not aware of any recent court test of HomeAway’s contention that it has no liability for the recent incidents, and there is some talk about starting litigation.
One member of the group argues that HomeAway won’t take responsibility “unless you come at them with a lawyer.”
Apart from that, Marina makes the moral argument, as well.
“If they are saying it was such a small percent, then why not compensate people,” Marina says. “These are your customers.”
I am the Jen mentioned in the article. I wanted to clarify one point. People need to understand the way Homeaway works to see how easy it is to get caught by this scam and how dependent Homeaway’s current business is on a model of communication that is fundamentally insecure.
The site allows you to fill in a form, with your specific questions ONCE and blast this same inquiry to as many properties as you may be interested in with a few clicks. For most renters, this is the last time they will go to the Homeaway site before booking. At the moment, warnings DO appear to renters about protecting themselves while booking (though dozens of people were victimized before those warnings appeared). The trouble is that these warnings appear NOT at the time of booking, they appear at the time of INQUIRY. At the moment of inquiry, a potential renter may be just checking for availability, or other information to see if this is a property that will work. They may be weeks away from booking. They may not have decided they want to rent anything at all. A renter might send out a dozen or more of these blast inquiries, depending on how wide they feel they need to cast a net to catch a property that fits their requirements. The “warnings” aren’t working well because they come at the wrong time and most users reasonably believe that the communication process they are using is secure.
In addition, when warnings about fraud appear at the point of inquiry, most laypeople will understand this to mean that the listing itself could be falsified, NOT that the information they are sharing through a secure form on Homeaway’s site could be obtained by a criminal. That knowledge is WAY too technical for your average consumer. When a renter sees that a listing has high ratings and has been listed for a long time, why worry? What reason would they have to believe that information they shared through Homeaway’s secure site could have fallen into the hands of a phisher?
I’m sorry to say this but I simply cannot understand why anyone would EVER wire money for any reason. Wiring money has got to be the biggest RED FLAG for scams ever.
Homeaway is correct in not accepting liabilities with respect to these phishing schemes, as the company is merely an advertising portal. However, this is an innate weakness in the company’s operations, and if they don’t address this glaring problem (0.1%) soon, airbnb will surely eat their cake.
Craigslist is an advertising portal. Homeaway is different in one critical way. They provide a secure form that you fill out once to send inquiries to many listings as you want. They don’t just say “contact the owner, here’s his or her phone number”. They provide an electronic MEANS to do so, and there is nothing on the inquiry page that would give any reasonable consumer an inkling that their inquiry could seamlessly, and invisibly, fall into the hands of a scammer. The consumer uses a secure form on a listing that looks well established and highly rated, and they get a response back from a phisher. And Homeaway doesn’t think they have any legal or customer service obligation to offer compensation to victims when this happens? Even when THE SAME SCAM happens dozens of times over the course of many months?
Dennis- I am so glad I got a hold of you! This article is a great beginning and hopefully more will follow on Homeaway/VRBO as the fight marches on… [Edited]
On the issue that they are just like a newspaper, with property ads, it makes me believe that they are no better than Craig’s List. They say they hold no responsibility because it is just an “Ad” and owners are basically using our “newspaper/portal” to show the public they have property to rent. So if that is true, then why is Homeaway worth so much money and have stockholders, if it is just a “CLASSIFIED AD in a newspaper” per the quote from the above article that apparently has been in the emails to victims from VRBO. Hey, Craig’s List doesn’t charge owners to advertise on their site and has no stockholders. And the risk of using VRBO’s website is just as risky as using Craig’s List, correct? This just does not make sense!!
We rent our home on MV and have listed it on HomeAway and VRBO for the past 5 yrs. In the past two weeks we as owners and listers have been phished once on each account. I received an email from a person appearing to be inquiring about our house for a period of time in July (the same time on both phishes). It didn’t look like the usual query so I checked the listings directly to see if anyone with that name had submitted a query in the past hour. There were no inquiries listed. So I emailed the sites and said I suspected a phishing incident. And within 24 hrs I got a call from their HQ in Texas. They took my listing down while I changed the email on the listing. Then I was instructed to call them back when I had completed the task with the case number. They then put my listing back up. The procedure was the same the second time a week later.
I assume as an owner they were looking for my bank account info, etc.
HomeAway needs to provide owners with free insurance to cover losses that aren’t covered by others.
I would even pay for such insurance if it was offered.
Owners have always been the most vulnerable in this business. After all we are renting our houses often valued to the millions to complete strangers. The potential for having one’s house trashed, wrecked, etc. is very possible. Rule of thumb. Stick to families! Even families with 2 dogs and little kids are better than 8 college aged buddies who are going to drink a lot and have a good time in your house.
Kristin,
IF this is the same phisher (and I don’t know if it is), they are not looking for your bank account info, they are trying to hack your email account.
I think that when owners open these emails there is some kind of a virus planted in your email that diverts inquiries with the Homeaway/VRBO title to the phisher. In other words, any listing using that email would have inquiries diverted to the phisher’s email and you would be completely unaware of it until you got a call some day that someone has “booked” your property and sent money to the phisher. That’s why you needed to change the email account you use. Had someone booked with the phisher, Homeaway would call you and tell you that you are 100% responsible for the loss, because it’s your responsibility to keep your email secure.
Which illustrates my point exactly: Homeaway’s effort to “educate” people is a drop in the bucket. The email communication model on which Homeaway is built, and upon which it profits, exposes users to dangers that the overwhelming majority can’t possibly understand. Even if insurance products are offered, how are people to understand what they are insuring against? Only Homeaway has the technical details of this particular scam, and I am not aware of any public place where they have shared those details.
Investors and users of Homeaway and VRBO should also be aware of the *possibility* that this scam is executed by obtaining the owners’ Homeaway login information via a phishing email and the site then changed (invisibly) to redirect emails to the phisher:
http://www.phishtank.com/user_submissions.php?username=RG5e3DtTULEqH7NuZ46A
Note that these reports go as far back as January 2011 and we are STILL getting new victims every day.
Homeaway intentionally does not post owners’ email addresses. Homeaway protects that information and takes responsibility for the safe delivery of a potential renters communication to the owners’ email account. But the process is NOT safe. When the site itself invisibly diverts electronic communications from a secure form to a phisher, in a way that is invisible to the potential renter, how is Homeaway “not liable”? If they had just posted the owners’ email address and told renters to contact directly, this scam would not be as easy. If a phisher changes the contact information on the listing, an owner is more likely to notice it pretty quickly. Instead, they are left with a hidden, ticking time bomb as inquiry after inquiry gets sent to the phisher.
Have they implemented the kind of standard authentication systems you now see with banks? Given the scale of the problem, should they have by now?
The weakness here is in the policy of the companies – so it’s useless to try and resolve this issue with insurance and safety centers. The weakness is built into the business model in that a company like home away cannot and will not be involved in someone’s rental to the degree that would make a scam like this impossible.
On any site where a renter is being put in touch with an owner, with no one to facilitate the transaction or arbitrate problems, there is room to be ripped off. The scalability of this “classified ad” model is what makes it attractive to the companies. But the business model doesn’t leave much in terms of service or responsibility for the renter or owner, and the sooner consumers accept that fact and search for a company that actually does more than act as a classified ad, we’ll see better experiences from consumers.
There are many alternatives – small agencies that have seen the places they rent (so there are no fake listings) and have payment systems that are more secure than wiring money. Because sites like this are small and focused, and usually require more human interaction, they aren’t as large and thus not as well known.
But they exist, and as the owner of one, I find it sad to read about scams costing consumers $1mil unnecessarily.
The classified, “I’m not responsible” model sucks. Makes a lot of money for those who run it. But it’s not the best way to find a place to stay.
Disclaimer – I’m one of the frustrated little guys who reads this stuff and bangs my head against the wall wondering why anyone on earth would wire money to someone they found on VRBO.
Never wire money to pay for a rental. When you are advised that wiring money is required move on to considering a rental that offers other forms of payment. Wired money is not retrievable; it’s cash. Don’t be lured into wiring money to receive a discount. Don’t rush, take your time researching the ownership, management, and representation of the property. If it’s too good to be true . . . .
Owners are victims in these schemes as well. Owners are stepping up, in the absence of any other support for the renter (hello homeaway?), to make amends when they are victims themselves. The only one coming out in one piece on these scams are the scammers.
Consider the following: for a property that rents for $5,000 per week, a scammer offers a renter the discounted price of $3,500. Wow! The money is wired. The renter loses their $3,500 and then the owner is encouraged to makes amends and offers the property for a reduced price to offset the loss that the renter has already incurred. The renter pays another $1,500 for a total of $5,000. The scammer has $3,500. The owner has a week that could be rented at $5,000 being rented for $1,500.
One way to combat the problem: don’t wire money. Other ways to combat the problem include researching ownership of the property, the owner, and the listing carefully. Talk to the owner, asking specific questions about the house that only an owner or closely involved manager would be able to answer. If the answers don’t add up, move on to another property. The majority of properties will have a foot print on the internet with multiple sources of information. Consider all to be certain the property and individual you are interacting with are legitimate, and . . . don’t wire money.
I’m a property owner with over twenty years of experience renting my vacation home. I list on homeaway, vrbo, flipkey, airbnb, and craigslist. I also rent homes when my family travels. Due diligence is required by owners and renters to be certain each is who they claim to be. I have received inquiries that are attempts to harvest my log in information to enable a scam on my property. I imagine it is becoming more common as the rewards for the scammer can quickly mount on a property that rents for several thousand dollars per week.
Let’s all educate ourselves about the problem. Homeaway could certainly be doing much more to educate owners and renters about the signs and dangers of phishing scams.
Homeaway and other rental portals are likely attempting to figure out how to raise the alarm without ruining their own businesses. It’s not an enviable position.
Wishing everyone the best in staying out of trouble.
Spot on. The property owners must also warn the inquirers and I like you keep a high Facebook profile and can be googled easily and then Skyped to confirm I am the legitimate owner.
Why would anyone wire money? I hear this comment often. I can tell you why – when time is of the essence! Have you ever booked a hotel at the last minute? I have used Homeaway on several occasions for rentals on fairly short notice. I had one instance where I was talking on the phone with a real homeowner and we were trying to figure out how to get the money to her in time so that she would have it, and the contract, in hand in time to secure her cleaning staff. The house was closed at that point and needed to be opened and cleaned for the beginning of the rental season and I was the first renter in that year. With only a few days notice, she said to me “Well, I guess you would have to wire it.” From my perspective, this was a totally legitimate request given the time constraints.
Wiring money to a stranger from Zimbabwe who emails you randomly is one thing. Wiring money to get a reservation quickly from someone who YOU initiated contact with via Homeaway is not so strange, especially when the site indicates the listing has been up for many years and there are several stellar reviews about the property. Homeaway could disclose to people that they should not wire money because there is a scammer out there intercepting emails and there is NO GUARANTEE that the person who responds to you is the homeowner. But they don’t. That storyline – the storyline that would help consumers really understand the risk – would hurt their bottom line too much.
In reply to Jen-
I know of a victim who DID CALL THE OWNER and exchanged conversation numerous times. She thought she was speaking with the owner but she actually was speaking to the scammer the whole time! They also have all her personal info in their hands as well which is scary in itself. Apparently the property she thought she had rented was a fake as well. VRBO/HomeAway is no better than a Craigs List ad. My son has travelled several times with only emailing the said OWNER and wiring money. And YES, if the time to rent is in a short time then wiring is really the only safe way to get that money to the owner. Most are not even equipped to take credit cards for payment. I don’t think PayPal would guarantee such large amounts of money like they do in guaranteeing normal purchases. I could be wrong on that. Anyhow, my son has never had a problem but then again he had never used HomeAway/VRBO until this particular time. The fact is that the company needs to do the proper screening to a new and ALL properties before posting the listing goes live. If they would take those steps maybe this would not be such a HUGE issue. After all, isn’t VRBO/HomeAway getting paid to place listings on their website? Shouldn’t they work for that money they are being paid? Also, VRBO is placing the blame on the homeowner themselves and expecting that they compensate the victim. Their reason is that the owner did not protect their email address. Many owners say they have NEVER received an email to reset their passwords and this is supposedly the way the scammer acquires the owner’s personal info.
Pure and simple, the innocent consumer is looking for a beautiful and relaxing place to spend their vacation, worry free, in a home like setting and the second they INQUIRE about the property they have selected to possibly rent they are hooked in to the bad guys. How did they know this would happen to them at this point in the transaction? Money has not even been exchanged yet!
The consumer trusts this, VRBO/HomeAway, company because they are listed in numerous magazines in vacation articles as being the safest way to rent property instead of going the hotel route for their once in a lifetime, in many cases, dream vacation. Not to mention the vacation segments on national morning TV shows where experts in the travel industry suggest to use HomeAway/VRBO when planning a trip for a great place to find property to rent. It is almost like false advertising to me.
Personally, I would use this way of traveling myself but NO WAY now. This issue even ruins it for their competitors as people will think this kind of criminal activity is the norm for all vacation rental listing sites.
If we are all wrong in how WE think this scam is carried out then why hasn’t HomeAway/VRBO furnished us proof of the way THEY are saying it is being done with the email scenario when placing blame on the owner? Not too much to ask is it?
As an advertiser I include a Postscript warning the inquirer to call my number after verifying it on the HomeAway, VRBO or Flipkey ad. I also include a list of known fraudulent email headers and addresses. Most of my inquirers are really grateful for the warning and in fact it has increased my rentals and resulted in many referrals. As responsible property renters we also have an obligation to notify our inquirers. Unfortunately however many do not heed the warning and many property advertisers have never received an inquiry. The fraudster can send a link to ANY property on the advertising website.
Wouldn’t paypal be just as easy and immediate but with more recourse should it be someone who’s intercepted the owner’s email? There are so many other options out there – I don’t see how the risk of wiring money is worth it.
If you receive amounts over $1000 Paypal freezes the funds as they think you are laundering money!!!! and you have no idea how difficult it is to get PAYPAL to respond or release funds… unbelievable!!!
Liability is something that needs to be sorted out down the track. First we must try to stop the process and advertizers and POLICE need to work WITH the rental websites all of whom have been affected. Flipkey, VRBO Homeaway etc. These rental websites need also to work WITH the advertizers. In just this last week I [an advertizer] have sent Homeaway full headers of phishing emails and according to Homeaway they have had the fraudulent sites blocked or shut down. I have also sent the information on to Flipkey who are experiencing the same problem.
What happens is that the fraudsters send all the listed email addresses on these rental websites an authentic email from Homeaway or Flipkey, asking for the advertiser to verify their security questions for access to their Homeaway or Flipkey. Some homeowners foolishly click the link in the email and answer this thus allowing access to their account and all enquiries. The fraudsters then get the inquirers information and needs and then send them a response which includes a link to the Homeaway ad of… not necessarily the owner/advertiser of the account that was compromised… but of ANY advertiser where the accommodation suits the needs of the customer inquiring. Because customers multiple inquire they don’t notice. The fraudsters include a hefty discount and the correspondence is personal and authentic sounding and they use the name of the property owner in that correspondence as it is listed in the ad on Homeaway or Flipkey. The unsuspecting traveler then books accommodation at the property and the homeowner who advertized the property often has never had any enquiries from the traveler or any communication at all. The traveler arrives in an often foreign country with a fraudulent booking and a nonexistent phone number to call. They then go to the Homeaway site and get the number of the owner of the property off the site and call. Often the owner cannot help because their property has been booked by another party. The bank that the fraudsters use is Barclays Bank in London using multiple accounts at different branches, often in Wembley. Barclays Bank has a responsibility too. They are not screening their Bank account holders. This has been happening for 2 years that I know of…and… the Police do nothing. British Police say contact the Police in your own country, or the country of destination [often a country with a foreign language.] Victims file a report as instructed and then do nothing… all too hard.
No-one seems to want to deal with this in a co-ordinated way and the POLICE whose salaries are paid for by our tax dollars put it in the “too hard” basket. The British Police where the funds arrive just pass the buck and it is unacceptable that they do this. Because the homeowners and the travellers are often in a different country to the UK the British Met Police just tell you to dial [from overseas mind you] 101 and follow the prompts… try it… impossible to do…. each POLICE group just passes the buck and you get nowhere. The UK fraud squad tell you it is too “small” for their interest. [I suspect we are talking millions of $ with this scam]. I suggest that all victims write to: “Darren.White@met.police.uk”. Sorry Darren but you are the one…. Someone needs to take this seriously.