If you think the words “vacation rental” and “phishing” are all but synonymous, you’re not alone. Just talk to Ann Schutte, who recently found a rental villa with a “million-dollar” view in Sedona, Ariz., through the rental Web site VRBO.com.
A woman claiming to own the property quoted her a $645 rate for five nights if she wired her the money. “After a number of e-mails back and forth, I agreed to the rental,” says Schutte, a property manager from Phoenix. “I received a contract. Everything looked correct on the contract. It even had the rental property address and logo. I signed the agreement, and wired the money through Western Union to the U.K.”
For those of you following the vacation-rental phishing saga, you probably know what comes next: Schutte never heard back from the “owner,” so she called the phone number under the property listing.
And that’s when she discovered that she had no reservation. She’d been scammed. VRBO “explained that the owner of the property had her e-mail hijacked because she didn’t have the proper filters in place,” Schutte says. “And there is nothing anyone can do.”
Phishing schemes fraudulently extract personal information by e-mail — in this case, the e-mail login credentials of a property owner. The criminals then impersonate the owner, enticing customers to wire money. The vacation-rental industry has been hit hard by this type of scam since 2011, and there appears to be no hope for a quick remedy.
HomeAway, which owns VRBO and has a commanding market share among vacation-rental Web sites, reported 3,000 phishing cases as of last fall. It declined to provide an updated number because it’s a publicly traded company and was working on its latest quarterly earnings report at the time I requested the information.
“The unfortunate fact is that phishing continues to be a part of the landscape of the Internet,” says Carl Shepherd, co-founder of HomeAway. “For this reason, we continue to work to create systems that enable owners and travelers to talk to each other so that each has a great experience, while minimizing the opportunities for either party to be hijacked by a phisher.”
Last year, the company announced a product called HomeAway Secure Communication that would have offered a phish-proof way for homeowners and prospective renters to communicate. But it was “met with some trepidation,” according to the company, because it required both owners and travelers to be logged in to a secure HomeAway system to communicate. HomeAway backed away from that proposed solution and is working on an alternative, which it plans to introduce soon.
Guests are impatient with the phishing problem. Consider what happened to Amitav Chakravartty last year when he decided to rent a home for a family reunion in Southern California. He found a great deal on an oceanfront villa on Craigslist, the online classifieds site, with just one catch. You guessed it: He had to wire $900 to the “owner.”
The loss of this money inspired Chakravartty and Anirban Bardalaye to start a company called Zaranga, a more tightly controlled vacation rental marketplace that handles the financial transaction between both parties.