Phishing and vacation rental scams – the new challenge for our industry

Hi Everyone,

I would like to write today about one of the biggest challenges that we face as an industry. This is one that threatens the core of the vacation rental business model – travelers trusting owners and choosing to deal with them instead of big hotel chains.

Firstly let me try and share how these scamsters operate. My feeling is there are three kinds of scams:

1. Scams targeting high profile vacation renting websites. Here the scamsters would send their database emails pretending to be from one of the big websites and asking for them to login into their account on account of administrative need – e.g a generic sounding request to check your account for some important task. They would then embed a link within the email to a website that looks like the genuine website but which is actually on their own servers and collect the username and password the home owner enters and then just force shut down the window or redirect to the actual website’s login page. Now that they have the credentials they will login into the vacation rental website (homeaway or vrbo) and change the password, meaning the owner can no longer access his account. They would then change the email address linked to the account and communicate with the existing and new base of travelers ask them to wire money into their own account. Since they have changed the email address, the owner would not get any notifications and so would be unaware for a few days until he starts wondering as to why he is not getting any new enquiries and decides to login and is unable to.

2. Where scamsters send out millions of emails to gmail accounts or yahoo accounts and use a similar tactic to gain access to the email account which they then realize post logging into, belongs to a vacation rental owner. He then has the presence of mind to realize what is happening and decides to ask the customer to wire money into his own account.

3. There could be a third option where a determined scammer pays the listing fee and creates a listing for a property that does not exist and thus dupes travelers.

I personally feel that vacation rental websites are being targeted and so it is option 1 that we really have to guard against and not option 2. Option 3 is something the website needs to worry about and police for. Having an email address at a different provider is not really going to make any difference here.

What do these scamsters do once they correspond with our potential customers? They then offer them a very sweet deal and ask them to immediately pay them using Western Union or a cash transfer. This money then disappears in the banking system and the traveler only realizes later that he has been defrauded. We then have to deal as the genuine owners with cleaning up the mess and the industry suffers with a new customer who tells all his friends and family to be very careful when booking a holiday home.

What can we do?

First, we have to be very very careful with our email passwords. We have to remember that this is like our passport on the online world and we must guard it with the same degree of care that we keep our passport safe and secure.

Secondly, we must immediately contact our service provider if we notice that our email address has been compromised. This would mean alerting Tripvillas or Homeaway or VRBO in case our property is listed there and asking them to monitor for any suspicious activity.

I think in the long term it will end up being the responsibility of the platform to provide a fail proof trusted environment for travelers to make payments. We will have to emphasize with travelers the benefits of staying within the environment and while it may be ok to transfer money directly to a property owner who has a larger number of reviews and stuff that cannot be faked so easily, for a fresh property i.e one which has no reviews, no brand name etc. or has just started, that the traveler is safer transacting within the trusted environment. We as Tripvillas will also try and do our part in  communicating to the traveler that he should use the in-built money transfer facility which then protects him and his interests in case of any untoward incident.

Most importantly, if the scamsters realize we are vigilant and it is difficult for them to profit, they will hopefully find other better things to do.