More than nine million households have had at least one member who has fallen victim to a phishing attempt, according to technology security company, McAfee. Scammers often target email addresses, and they are also going after users of rental websites, such as Vacation Rental By Owner (VRBO.com) and parent site, HomeAway.com. They make up one of the largest online vacation rental companies in the nation, with more than half a million current listings; 2,000 of which are in the Bay Area.
Helen is one of the victims. She spoke with NBC Bay Area’s Investigative Unit at her home in the Oakland hills. She asked that only her first name be published because she is concerned that her Pebble Beach property is vacant much of the year. When it is not vacant, Helen has renters from VRBO at the house.
She is able make a modest income from renting it out, and has had positive experiences with renters staying in her home; but that all changed in December.
Helen happened to look down at her phone when an email came in from a prospective renter. The renter wanted to confirm dates, but the dates were not available. Helen received a scathing phone call from the man, who reminded her that she had just confirmed via email that the home was in fact, available.
Helen realized that a scammer was intercepting her communication with potential renters and contacted VRBO to report the incident.
“They showed me all the people that had contacted me in the last week,” Helen said. “I had not seen any of these emails; they all had been responded to by someone else.”
Security experts warn scammers “hijack” inquires that come in from VRBO or HomeAway and then offer prospective renters “too good to be true” deals in exchange for members sending an instant money wire.
The discount is what drew in Kathryn Bowden, an artist from Sorrento, Florida. She lost $3,800 on a vacation rental in nearby Kissimmee. She contacted who she thought was the owner, who told her details about the home.
“He answered questions about the rental as to how many people could sit at the dining room table, whether the outdoor kitchen was finished, and several other questions,” Bowden said. “He seemed to have all the right answers.”
The view from Helen's vacation rental property.
After Bowden wired the money, she checked HomeAway’s website to ensure the rental property’s calendar reflected the dates she had reserved. It didn’t. She tracked down the real owner who told Bowden she was one of several people that were targeted over just one weekend. She contacted HomeAway with the news.
“The response was that the vacation rental owner’s email had been hacked and that it had nothing to do with HomeAway and they had no way to help us,” she said.
Shortly after the ordeal, Bowden started a Facebook group to connect with other VRBO and Homeaway users who had been victims of phishing or email scams. She also received this email from HomeAway warning of a security concern with the listing she liked. It came a week after she wired money to the fraudster as the real property owner. HomeAway says it is protocol to notify potential renters of security vulnerabilities when clients bring concerns, such as email breaches or phishing attempts, to the company's attention.
The company denies that HomeAway and VRBO’s websites have been hacked. Victor Wang, HomeAway’s public relations manager, insists that phishing attempts are not a result of a breach of the HomeAway’s system. Instead, the company says that common phishing scams begin when scammers trick a property owner into revealing personal email login credentials.
Wang said that the company “cannot prevent phishing” because “phishers target a property owner’s or vacation rental manager’s email account”—not the actual websites. He also said that the instances of phishing that result in traveler loss occur less than .02 percent of the time, although the company would not provide exact numbers.
Homeaway sent this written statement.
The company’s various rental guarantees do provide insurance against items such as foreclosure, double-bookings, misrepresentation and phishing.
Although HomeAway would not provide exact numbers on reimbursements, the company’s latest SEC filing shows that payouts to consumers who have claimed harm such as Internet fraud have quadrupled in nearly two years—from $247,000 in December 2011 to more than $1 million in September 2013.
Wang said the rise is only because of the growth of the company and the increase in travelers purchasing the rental guarantees.
Gary Davis, vice president of global consumer marketing at Santa Clara-based tech security company McAfee, says phishing is on the rise.
“They’re becoming increasingly more sophisticated,” Davis said of phishers. “And they’re learning like everybody else who evolves in the cyber market.”
McAfee reports that phishing is increasing again after dropping in 2012. The company’s research also indicates that the United States now hosts the most phishing URLs in the world.
Davis says vacation rentals are “a great market to go after just because you’re dealing with the high transaction volume and high transaction cost” and that people are enticed by “large sums of money” associated with luxury homes.
Helen argues that VRBO and HomeAway should create a system where all correspondence between renters and owners is transacted through the site. The other victims agree this might resolve potential future scamming opportunities.
HomeAway launched HomeAway Secure Communications, a private messaging system in December, to aid in securing their customers’ communication channel.
Security experts urge users to protect themselves by communicating by phone and not only by email and to pay by credit card—not with a direct wire transfer. They also warn that if a deal looks too good to be true, it probably is.
If you have a tip for the Investigative Unit email firstname.lastname@example.org or call 888-996-TIPS.