Shauna Kattler thought she’d found the ideal rental home in Playa del Carmen, Mexico, for her Christmas vacation: a two-bedroom penthouse condominium with a hot tub and an impossibly perfect view of the Caribbean.
And she was getting it for the impossibly low peak-season rate of $450 a night through HomeAway.com, a popular vacation rental Web site. “Impossibly” being the operative word.
Shortly after Kattler, a relocation specialist from Kirkland, Wash., wired the money to Mexico, she discovered that she’d paid the wrong person. Her vacation dollars didn’t go to the property owner, but to someone who had stolen the owner’s e-mail password and assumed his identity through a crime called phishing.
Sound familiar? It should.
This past fall, I reported on new phishing problems on HomeAway and another site it owns, VRBO.com. I introduced you to Tania Rieben, who lost $4,300 at the slippery fingers of a scam artist posing as a vacation rental owner in Maui.
Since then, I’ve heard from many more phishing victims who wired money to shady characters pretending to hold the keys to a HomeAway vacation rental. And I’ve heard from HomeAway, which says it’s taking steps to prevent future phishing attacks and help the customers who have lost money. More on its efforts in a second.
Let’s get back to Kattler. She tried calling the property, but the person who answered hung up on her repeatedly. Finally, she contacted HomeAway, which reviewed her e-mail correspondence and confirmed her suspicions: She’d been scammed.
“This is not a case of fraudulent activity on the HomeAway.com site, but is a case of the owner’s e-mail account being compromised,” the company added. “HomeAway.com takes all fraudulent activities seriously, but our responsibility cannot extend to actions on private e-mail accounts.”
Kattler is understandably frustrated. She says HomeAway should refund the $4,500 she spent for 10 nights that she’ll never use. After all, the crime happened because of one of its listings. “All they can say is ‘I’m sorry,’ ” she says. “HomeAway is not taking any responsibility for the lack of security on their Web site.”
Actually, HomeAway is doing more than apologizing, but it isn’t taking full responsibility for the incidents, either. That’s because the company insists that the crimes aren’t being committed through its Web site. In response to cases such as Kattler’s, it recently expanded its optional Carefree Rental Guarantee to cover phishing losses.
It’s also working with its current phishing victims — there are 18, it says — to negotiate a resolution between the property owner and the guest.
HomeAway suspends a rental’s listing after a phishing incident until the security breach is plugged, which means that the property owner gets a new e-mail address. “In most of the cases, we do come up with a solution that makes everyone happy,” says Carl Shepherd, the co-founder of HomeAway.
Last month, HomeAway also warned the 625,000 property owners and managers with listings on the site about the phishing threat and offered them advice on how to protect themselves. It’s encouraging its owners to use an optional new system called Reservation Manager that offers “bank-level” security for bookings made online.
Shepherd says customers could easily prevent phishing incidents by calling the property to verify that they’re e-mailing the correct person. Criminals haven’t figured out a way of spoofing a phone number — at least not yet.
To that advice, I would add the following: Never wire money. Every phishing incident I’ve tried to mediate — every last one — starts with someone reluctantly sending money to a stranger. Once it’s gone, there’s no getting it back. With a credit card, at least you’re protected and can dispute a bogus charge.
The phishing problem isn’t unique to HomeAway. Other vacation rental customers have also recently been targeted. But HomeAway’s guests seem to be the most vocal. Many of them contacted me to ask for help after the first column I wrote about phishing. The company reports that some of these disputes have already been resolved.
But not all of them. Kattler’s grievance is still under investigation. She flew to Mexico as scheduled and paid another $2,000 for accommodations.
And Rieben’s case may never be solved. The real property manager in Maui says that he warned Rieben that he was the only point of contact for the rental but that Rieben tried to find the owner and then stumbled into a trap, according to HomeAway.
Although the property has offered her alternative dates for a stay in Maui, no agreement has been reached.
“We feel horrible for her,” Shepherd says.
So do I.