Something’s still “phishy” about vacation rentals

If you think the words “vacation rental” and “phishing” are all but synonymous, you’re not alone. Just talk to Ann Schutte, who recently found a rental villa with a “million-dollar” view in Sedona, Ariz., through the rental Web site

A woman claiming to own the property quoted her a $645 rate for five nights if she wired her the money. “After a number of e-mails back and forth, I agreed to the rental,” says Schutte, a property manager from Phoenix. “I received a contract. Everything looked correct on the contract. It even had the rental property address and logo. I signed the agreement, and wired the money through Western Union to the U.K.”

For those of you following the vacation-rental phishing saga, you probably know what comes next: Schutte never heard back from the “owner,” so she called the phone number under the property listing.

And that’s when she discovered that she had no reservation. She’d been scammed. VRBO “explained that the owner of the property had her e-mail hijacked because she didn’t have the proper filters in place,” Schutte says. “And there is nothing anyone can do.”

Phishing schemes fraudulently extract personal information by e-mail — in this case, the e-mail login credentials of a property owner. The criminals then impersonate the owner, enticing customers to wire money. The vacation-rental industry has been hit hard by this type of scam since 2011, and there appears to be no hope for a quick remedy.

HomeAway, which owns VRBO and has a commanding market share among vacation-rental Web sites, reported 3,000 phishing cases as of last fall. It declined to provide an updated number because it’s a publicly traded company and was working on its latest quarterly earnings report at the time I requested the information.

“The unfortunate fact is that phishing continues to be a part of the landscape of the Internet,” says Carl Shepherd, co-founder of HomeAway. “For this reason, we continue to work to create systems that enable owners and travelers to talk to each other so that each has a great experience, while minimizing the opportunities for either party to be hijacked by a phisher.”

Last year, the company announced a product called HomeAway Secure Communicationthat would have offered a phish-proof way for homeowners and prospective renters to communicate. But it was “met with some trepidation,” according to the company, because it required both owners and travelers to be logged in to a secure HomeAway system to communicate. HomeAway backed away from that proposed solution and is working on an alternative, which it plans to introduce soon.

Guests are impatient with the phishing problem. Consider what happened to Amitav Chakravartty last year when he decided to rent a home for a family reunion in Southern California. He found a great deal on an oceanfront villa on Craigslist, the online classifieds site, with just one catch. You guessed it: He had to wire $900 to the “owner.”

The loss of this money inspired Chakravartty and Anirban Bardalaye to start a company called Zaranga, a more tightly controlled vacation rental marketplace that handles the financial transaction between both parties.

“We primarily work with reputable licensed property managers, which eliminates any kind of fraudulent activity,” says Bardalaye. “Funds are not distributed to them till a day after check-in. Even more, if hosts require security deposits, Zaranga mediates between hosts and travelers before they release any kind of charges against security deposits.”

So far, Zaranga is working with 600 rental properties, mostly in Northern California, and it claims a “100 percent” track record against any kind of scam, phishing or otherwise.

But short of building an entirely new site that acts as an intermediary between the buyer and the seller, a phishing scam fix has proved elusive. That’s because the criminals perpetrating this scheme are exploiting weaknesses down the entire transaction path.

For example, they’re taking advantage of the fact that some property owners still accept — and often insist on — wire transfers. Sending money by wire offers consumers no protection, and once the funds have been sent, there’s usually no way to get them back.

The phishing schemes also exploit vulnerabilities at the site level, say critics. Many victims claim that sites such as HomeAway and VRBO have been hacked, leading to the compromised e-mail accounts. HomeAway disputes that claim, insisting that the owners’ e-mail accounts were hacked. In any event, the company now covers such breaches through optional insurance that renters can buy.

To add to the confusion, there’s yet another player: the bank handling the wire transaction. A loosely organized group of vacation rental owners has tried to push authorities in the U.K. to track down phishing scammers through the banking system, but so far they’ve been unsuccessful. The complaints are referred to a civilian data collection agency, which in turn is supposed to report phishing incidents to the police.

“They do not even grasp what is going on here,” says Nick Hyam, a British expatriate who manages several rental properties in Bali, Indonesia. “They have no direct contact with the police, have no system in place to update information, and as far as I can see have no system for collating information about the same case. Each report is dealt with as a one-off.”

Unfortunately, it’s either the traveler or the rental owner who usually pays. Rental owners complain that sites such as HomeAway and VRBO pressure them to offer either free or reduced-rate accommodations to victims or risk being de-listed. But more often, renters are simply told that their money is gone, and there’s no way to recover it.

That’s what VRBO told Schutte, even after I asked about her case.

(HomeAway has settled several cases like hers, but usually only when a guest threatens to sue, say victims. The company says that it has settled a few cases, but, a spokewoman added, “it depends on the facts.”)

Many of the online vacation rental sites see themselves as nothing more than listing services, not unlike a Craigslist for vacation rentals. And until that changes, it seems that these phishing incidents are likely to continue unchecked.

Preventing them is as easy as ever. “Use a credit card when paying for a vacation rental,” says Zaranga’s Bardalaye.

And never, ever, wire money. Especially when the deal is too good to be true.

Has VRBO done enough to stop phishing?

View Results

Loading ... Loading ...

Christopher Elliott

Christopher Elliott is an author, journalist and consumer advocate. You can read more about him on his personal website or contact him at Got a question or comment? You can post it on the new forum.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus

  • Carver Clark Farrow

    I can’t comment on VRBO having never used its site. But I can state emphatically, NEVER EVER EVER wire money to someone that you don’t know. If it can’t be done via credit card or other safe means, pass on the rental.

  • PsyGuy

    You can never do enough to stop criminals and cons. No travel business is immune from criminals perpetrating fraud. A lot more can be done for what is accurately described as “Craig’s list” vacations whether on Craig’s lost or under another name.

    While there are still legitimate property owners who don’t take credit cards and wiring funds becomes the only realistic option, we as consumers need to put a stop to this, by refusing to wire money to anyone. If owners see their rental income drop and their bookings fall, because we as consumers say “sorry, I only pay with a credit card”, then we can force these Luddites to join everyone else in the modern age. If it becomes an issue of accept credit cards or fail, property owners will figure out one of the many ways available to them to accept credit cards. It really costs them nothing, since they can pass the costs on to the renters. Any business that says its too expensive to accept credit cards, is either in a micro transaction business, or has something to hide (taxes, no business license, business front).

  • AF

    With all due respect to Ms schutte how did the request to wire money to another country for a rental in Arizona not send up a red flag? I suppose you could be in the UK and have property in Arizona but in combination with the request to wire the money…”Danger Will Robinson! Danger!”

  • Cybrsk8r

    VRBO should REQUIRE, let me repeat that, REQUIRE owners to accept credit cards. If the owner doesn’t like it, TOUGH! The owner has the option of someplace like CraigsList. Until that happens, I will NEVER rent a property thru VRBO (or any similar site).

  • kmwcary

    Or they could use PayPal.

  • MeanMeosh

    I really hate to say this, because it’s going to sound a bit mean. People who keep falling for the wire transfer scam – never mind that it’s been thoroughly documented on pretty much every form of media out there multiple times over the past several years – are akin to the rabbits that keep hanging around my house, even with a cat patrolling the premises that has a well-documented liking for them. In both cases, they’re asking for it, and bad things are usually going to happen.

  • Cam

    Yeah it is up to the site to say that people listing their property can only accept payment via safe means.

  • alxstevens

    But if the scam is SO well known then why do sites like VRBO leave that option open (as other commenters have said)? Why are the warnings about not using wire transfers buried 6 clicks deep into their Best Practices? The fact that the listing is on VRBO gives it a sense of legitimacy in most users’ minds that overcomes a vague warning they might once have heard about wire transfer issues.

  • Raven_Altosk

    If someone insists on you wiring them money, they’re crooks.
    If they’re the 2% who are not crooks, then they need to find a more legit way to do business.

  • Tincanrider

    I understand the warnings, and, the problems that I learned in advance. However, my experience with VRBO was nothing but positive after I communicated with the owners via email, text message, and phone several times. The actual rental in San Diego County was nothing but the best also. I would do it again.

  • mbods

    What about sending a check? Is that a no-no? Just curious..

  • LipglossandaBackpack

    Does anyone know how this “email hacking” works? I mean, I check my personal and work email accounts every day, and I have a separate email account for my blog which I check every two or three days. I feel like if I was operating a business like a vacation rental, that relied on customers initiating contact via email, I would be checking my email AT LEAST daily. I’d probably also have it going straight to my smart phone so that I could receive notice of interested renters immediately. I don’t understand how a business account could be used to send and receive multiple emails without the owner noticing.

  • Charles

    The key to all phishing scams is obtaining the password for your email account. To do this, the crooks send you email that looks like it is from someone authentic and which has an link in it to log in. I imagine for VRBO, the crooks send what looks like an official message from VRBO with a link to a page that looks exactly like a VRBO login page. When they log in, the fake site harvests the password and usually redirects them to the real site, so they never realize something has happened. Since 55% of all users use one password for everything, most of the time they now have your email password. This percentage goes up for users who are likely to fall for a phishing attack. They can also send you email that looks like it is from your email service with a like like “please log in to verify”. Crooks targeting VRBO will prefer the first method.

    Once they have your email password, they can do several things. Often they will change the password, so your programs that check it don’t work anymore. They will have a program that stays connected and waits for email. As soon as a message arrives, the program will read it and delete it from the email account, so you never see it even if you do log in later on. In many cases they will set up a forwarding on your email that sends it directly to them. As far as you are concerned, it just looks like you are not getting any email. A sophisticated hacker will return innocuous messages to your account so you don’t know something has happened.

    As for sending email, sent email is very easy to fake. As long as they have an SMTP server they can use, they can fake the return address and it never even goes near your mail server, but looks as if it came directly from you.

    A lot of this could be prevented if companies like VRBO would not put links into their email messages and instead instruct users to log into the server themselves, but that is not convenient, so users don’t like it very much and they don’t always remember when they get a fake email with a link in it, anyway. Some email clients watch for phishing, but often throw too many false alarms and people start ignoring them.

  • Charles

    First, if they get your check and cash it, they can then bolt with your money. They may have to wait a week or so for the check to clear, but they will be happy to string you along. “Yes, you are confirmed for…”.

    Also, if someone called you on the phone and asked for your bank account number and routing number, would you give it to them? Both are on your check. Checks are easy to forge, once they have your account information. Then can make fake ones and they have your signature to copy. Then can actually do direct transactions that just take money out of your account.

    To answer your question: checks are a no-no. They are even worse than using a debit card, another no-no. Both are not as bad as wiring money, but pretty darn close.

  • whateverak

    I own a vacation rental in Maui and use VRBO and just wanted to say that the phishing scams go both ways. I’m part of a large group of vacation rental owners and we communicate often. Many of us have received suspect inquiries. They’re usually from another country, offer too much information on why they want to be there, they want an exceptionally good deal, they don’t give a phone number and often don’t even say what dates they want. We take credit cards and personal checks, but not wire transfers. We usually have several e-mails and/or phone calls before the deal is sealed. So far, we haven’t had any problems, but there are some inquiries we have ignored because they were suspicious. We used craigslist when we first owned the property, but all that did was give us a lot of junk mail and several suspicious inquiries. With VRBO, I say “trust but verify” … with craigslist, I say “don’t trust”.

  • mbods

    Thank you Charles. One time we used a charge card, the other a check but the property was through a known rental agency. Still, from now on it’s a “no-no” for us if they won’t accept a major credit card!

  • Nikki

    All I feel like doing is screaming. Don’t people know by now NOT to wire money to someone they don’t know? If someone I don’t know is telling me I need to wire money to them for anything, that is automatically a red flag!

    (Pardon my grammatical laziness. It’s Sunday and I’m still sleepy. Shoot me. lol)

  • MeanMeosh

    Charles already covered a lot of the ways this occurs, but another method is where a user visits a compromised website of some kind, which then infects the user’s computer with a “trojan horse”. The trojan horse then monitors passwords and account information, when can then be used by the person or persons who planted it there in the first place.

  • Dave


  • LipglossandaBackpack

    I guess I should clarify: I understand HOW phishing works, but I don’t understand how business operators who rely so heavily on email don’t realize they’ve been phished.

  • Rebecca

    To be fair, I don’t think it matters if the warnings about wire transfers are buried 6 clicks in or on the home page. Craig’s List has a warning right there near the top of the screen on pretty much every page, yet people still constantly fall for scams and wire money. I don’t think the warning makes much of.a difference.

  • AUSSIEtraveller

    use paypal or similar (they charge 3%).
    If they won’t take Paypal with you paying the 3% fees, walk as something is dodgy.

  • Extra mail

    I’m very disappointed with VRBO. We’ve used them at least a dozen times over the last several years and I’ve personally never had a problem either with the property or working with the owners. I’ve also never been asked to wire money and, given how many properties are now listed on the site, I would to decline to rent from someone who did demand I wire money. I’ve never understood why VRBO didn’t do more to protect both the owner and the seller. Given all the problems I’ve read about VRBO lately then I will definitely think twice before renting with them again in the future.

  • Extramail

    However, typically credit cards only allow a charge back within 60 days of the charge. If I rent using a credit card more than 60 days out, aren’t I out as well. As popular as VRBO has become it is absolutely mandatory from them to set up a payment system that guarantees the rights of the owners and the renters. Until it does, I will not use their service. And, yes, I have had nothing but good experiences with VRBO the dozen or so times I’ve rented through their service but there are just too many complaints to risk it right now.

  • polexia_rogue

    god bless Zaranga. they are essentially doing what every hotel site does. but it needs to be done (for houses and villas.) because people need to be protected from themselves.

  • Anna

    Really you wired money ? A fool and his money are soon parted….

  • sanibelsyl

    As a vacation rental owner on Sanibel Island and a user of VR’s the world over; I have known never to accept or wire funds for years. Doing so is like walking down a crime ridden street with money hanging out of your pockets. You will be taken advantage of. And, when pricing of a property —-whether on VRBO or another site—-is too low, there is definitely something bad going on. If it seems like it is too good to be true, then most likely it is not true

  • Life Lessons Military Wife

    This is why I have moved from VRBO to Airbnb where they handle all the funds. Yes you pay a booking fee to Airbnb but to me, it’s worth it. Plus the property owner AND the person renting the place BOTH get feedback…I like that.

  • Life Lessons Military Wife

    Let me add too that wiring money here in Europe is as normal a task as putting butter on your bread in the morning…here it’s very common to do this…even to the average citizen and paying your bills (even to the point of giving out your account #). I bet the more this phishing phenomenon moves to Europe, the more people over here will need to rethink that practice out of necessity!

  • Life Lessons Military Wife

    In Europe people have been wiring money for years, and it is second nature. Even your bills are paid this way….people don’t even think twice..they will have to now!

  • jpp42

    This may be the case in the US, but I live in Australia and it is quite common to “wire” money (more often called a “bank transfer”) as payment for casual business transactions between individuals and businesses small and large. However a reputable company will at least use their company name as their account name – if the “for benefit of” is an individual that would be a red flag. And most companies will offer credit cards as an option, but high fees are quite common, bank transfers are free. So yes, people should be aware of the increased risk but unfortunately in all jurisdictions it’s not necessarily an indication of a scam, in fact I just paid for a significant vacation this way through a small-business travel agent. Even the major airline, Qantas, accepts bank transfers to pay for tickets and it’s the only way to avoid credit card fees.

  • jpp42

    Because although wire transfer scams are clearly a big problem, wiring money is still seen as completely acceptable and normal in Europe, Australia, and many other places. These areas have higher credit card fees and many small businesses have a distrust of the credit card companies due to concern about chargeback processes.

  • naoma

    We have rented apartments in Paris for many years. Had a couple that were beyond awful — pictures on net were “deceiving” — like the one that had a sheet over the wall where water damage and mould was, the one that had one sheet which did not fit the bed, the one that the carpets were so ugly (removable) that we rolled them up, etc. But for the past several years we have rented a superb place with lovely modern
    furnishings, top floor and a huge terrace. All appliance are new, etc. Well, HOW? My husband met the owner and he asked to see the place. Do not go by “pictures” which are usually doctored. We rent places that do not allow animals or smoking. Our landlord has purchased another place in Florida and invited us to rent it also in the future.

  • Carver Clark Farrow

    Out of curiosity, is it an actual wire, or EFT that is used to pay bills.

  • LeeAnneClark

    You are confusing bank transfers with wire transfers. Two different things. Bank transfers are bank-to-bank transactions, in which there is a bank account at the each end, and presumably some method of IDing the owner of the destination account. Wire transfers are anonymous dumps of money through services such as Western Union or Moneygram, with nothing at the other end but a person who can walk into any WU office with a fake ID and an MTCN number, pick up the cash and disappear into the wind.

    While bank transfers are common forms of payment, wire transfers are NOT. Anyone who asks you to send money via WU or Moneygram is a scammer. Plain and simple.

    Neither method of transferring money is safe, however. Even bank transfers can be used by scammers. It is easy to open a bank account in a foreign country, accept a few transfers from gullible victims, then withdraw the money, close the account, and disappear into the wind. But that is harder to do then to walk into a WU office, pick up the money and disappear.

    I have used bank transfers to send money to known entities (hotels I’ve stayed at before, tour companies that have a well-known presence in the market). I have saved money by doing that, as the merchant reduced their price since they could avoid credit card fees.

    I would NEVER wire money to anyone who didn’t have the same last name me. Period. Anyone who does is a scam victim.

  • MarkKelling

    Wire transfer and Bank transfer are interchangeable terms that mean the same thing.

    The type of wire transfer that WU does allows for the fraud to be more easily perpetrated since the money is just going into the hands of WU and then given to someone who claims it at the other end. Banks are not involved in the process so technically it is not actually a wire transfer. WU now likes to call what they do simply “money transfers”.

    If you walk into your nearest US based bank and ask to do a “bank transfer” they will most likely give you a blank stare and ask you what you mean while if you say “wire transfer” they will give you a form to fill out which requires the bank account information of the person or company you are sending money to.

    And wire transfers are a very common thing. The company I work for moves billions a day through wire transfers.

  • LeeAnneClark

    Okay, potato potahto…you’re talking terms here. Bottom line is that you seem to agree with me about the relative security of transferring money. While any kind of money transfer is less safe than paying by credit card, WU or MG money transfers are basically just tools for scammers. Bank to bank transfers, while still prone to fraud, are higher up the safe scale, and can be safely used if you know for SURE the identity of the destination account. WU & MG are utterly unsafe, akin to dumping money over a bridge, unless the person receiving it is a family member.

  • Charles

    Visa and Mastercard appear to both be 120 days, not 60 days. American Express is 180 days. So, you have more time than that. I would hope you would find out about something like this within 120 days. Another reason to keep in touch with the renter.

    But, I completely agree that the companies need to set up a reasonable payment system. I’ve not used the service at all, partially because I’m nervous that it would work for me.

  • Charles

    Actually, lots of ways if the hacker is pretty good. In most cases they change the password or they intercept the email, so you can tell. But, a good hacker will set up a monitoring program (likely on a hacked machine) that will watch your email. If a message arrives that meets some criteria, they will intercept it. They get it and you don’t. Technically, they just forward it to themselves and delete it from your email account before you ever see it. Then, they can reply. Other mail gets through just fine and they can put anything back into your email account that they want so you also see it. If you are connected at the time, you might see a notice of new mail, but not see any actual new mail. They can easily send email that looks like it is from you. So, they could carry on a complete transaction using your email account and you would never know it.

    In general, they don’t usually go to this extreme. Usually they just change the password and use the account. Most users, and likely most VRBO users, check email like once a day. I know a resort I go with 96 rooms that only checks email once a day. And, suppose you try to log in and your password does not work? Mostly people will mess around for a day or so thinking it’s a problem with their machine before they finally try to contact the email service and figure out what is going on.

  • jpp42

    Yes, I agree that we agree, just disputes over terminology. To me a “wire transfer” is definitely a SWIFT telegraphic transfer, to use the more precise banking terms, a “bank transfer” is a domestic transfer between banks using any number of systems that vary between country (like ACH in the US), and WU and MG are person-to-person money transfer systems not involving banks, and obviously avoided to due 99% scam potential.

  • KetchumResident

    I put right on my rental site that all monies must be received through Homeaway/VRBO. So far it’s worked for me.

  • KetchumResident

    You can do a “bank transfer” through Homeaway and VRBO too. Better for us renters b/c there’s no fee.

  • KetchumResident

    You can pay through your bank too via VRBO.

  • Garry Margolis

    I’m sitting in a rental apartment overlooking a Venice canal that is exactly as advertised on Airbnb. This is my fourth overseas Airbnb
    rental, and all of them have been excellent.

    The keys to this success:

    1) Airbnb holds your funds in escrow until after you’ve arrived, so that if there’s any problem, you have recourse. The lister doesn’t get your funds in advance, which reduces, if not eliminates, scamming by owners. In any event, it’s paid by credit card, so there’s that possible route for recourse.

    2) Book a full apartment, not a shared space, and determine that the apartment is only for rental, not one that’s occupied by the owner except when it’s rented. That way, the owner’s personal belongings aren’t a factor in potential accusations of loss, damage, or theft.

    3) Read the reviews and heed their warnings. Airbnb reviews of rentals are restricted to people who actually rented through them, not like some other travel sites where anyone can write a review. Additionally, owners can review renters. We’ve given and received excellent reviews on our previous rentals, which helps owners determine that the potential renters are good prospects.

    4) Do your homework and decide where you want to stay in the area. We use public transportation and need convenient access to it.

    5) Ask questions of the owner via the Airbnb site. The site shows how long it takes the owner to respond on average and what percentage of queries are responded to. A good/serious owner will respond quickly to all inquiries. We’ve clarified issues important to us that haven’t been clearly stated in the listings and get a feel for how easy it is to communicate with the owners.

    Examples: If the apartment doesn’t have a washing machine in it or in the building, how close is the nearest laundry? Since we save money by cooking some meals ourselves, what kitchen facilities are there and how far is it to food markets? Are there nearby restaurants? I’m tall — how big is the bed. Many of these questions are not covered in the owners’ listings, although some may be answered by studying the photos in the listings.

    Airbnb takes a healthy commission for its services, the amount of which is stated up front and is included in the charges they quote. As far as I’m concerned, their fees are worth every penny.

    A friend who owns a short-term rental apartment is using only Airbnb to list it and is just as happy with the results as I am as a consumer.

    Btw I have no connection with Airbnb other than as a user of its service. I highly recommend it to all.

  • pauletteb

    I asked the clerk at my bank if they did “wire transfers,” and he said no, but they did do bank transfers, so the terms are NOT synonymous everywhere.

  • SnDanc5

    Use an escrow company. If the “owner” balks, you know right then it’s a scam.

  • MeanMeosh

    Also keep in the mind that the 60 days (or 120, 180, or whatever the card issuer uses) is just the window in which the card issuer is REQUIRED to accept a dispute. Even if you are outside the window, there’s nothing stopping your credit card company from accepting the dispute. In many cases, the company will work with you if a service provider absconds or goes out of business, even if you are technically outside the dispute window. It never hurts to ask anyway.