The rental villa on the French Riviera that Sonia Guillaume found online looked picture-perfect. It featured an impeccably manicured garden, spacious living areas, a pool and stunning views of the medieval village of St. Paul de Vence.
And there was the price: 10 percent off the weekly 1,700-euro rate in August, a time when pretty much all of France is on vacation.
You know what happened next, right? Guillaume says she contacted the owner through the Web site, which is owned by the U.S. vacation rental listing site HomeAway, and wired him the money. Then she discovered that she wasn’t dealing with the real owner, but with someone who had fraudulently obtained the owner’s e-mail password, a crime known as phishing.
“It was a scam,” says Guillaume, a subcontracting manager who lives in Poissy, a suburb of Paris.
I’ve been following similar incidents since the fall. In a report that I wrote in January, HomeAway promised to crack down on phishing and to work with victims to save their vacations. But since then, more defrauded renters and homeowners with listings on HomeAway have come forward to tell their stories.
Rental owners complain that they’re being unfairly blamed for the phishing. And customers allege that the company’s attitude is dismissive, that it’s showing little interest in rescuing their ruined vacations or bringing the scammers to justice.
HomeAway, which also operates VRBO.com and has a commanding share of the vacation rental market, says that nothing could be further from the truth: It hasn’t been contacted by any law enforcement officials about a phishing case, but if it were, it would fully cooperate with any investigation. The company has added phishing warnings to its sites and recently posted a job notice for a director of global fraud prevention to help manage its efforts to “detect, prevent and mitigate fraud and other undesirable events.”
And it says that of the 13 phishing cases I’ve brought to its attention since November, seven have been “resolved,” although it declines to name them or discuss how the problems were fixed, citing its privacy policy.
I tried to reach the victims. One of the customers, Guillaume, says that no one from HomeAway has contacted her with a resolution. (I brought her case to HomeAway’s attention March 16, and the company says that it has tried to reach her but that she hasn’t responded.)
Another would-be renter, Tania Rieben, says that the company hasn’t helped her, either. HomeAway says that the property manager has offered her a resolution that she hasn’t accepted.
Kathryn Bowden, an artist in Sorrento, Fla., who says she lost $3,800 on a vacation rental in Kissimmee, Fla., that HomeAway listed, told me a story that matched many details of Guillaume’s case, including the location of the fake homeowner, the size of the discount and the way the scam was perpetrated. I contacted HomeAway on her behalf in mid-February.
“The only thing I have heard from HomeAway is that they expect the owner of the property we tried to rent from to resolve any issue,” she says. “It makes it sound as though they feel the owner is somehow to blame and must make restitution. That’s their choice of words, not mine.”
Bowden says that she and a group of other unhappy customers plan to file a class-action lawsuit against HomeAway.
Some HomeAway customers didn’t respond to my inquiry because they’d been required to sign nondisclosure contracts as part of their settlement with the company.
But one customer who was privy to the details of a HomeAway settlement agreed to tell me her story. Alisa Golson, a former human resources consultant and a stay-at-home mom in San Francisco, contacted me in December after her mother-in-law wired $7,300 to a scammer for a rental property in Capistrano Beach, Calif., that she’d found through VRBO. She says that the company has urged the homeowner to settle with her family, but that he has refused. HomeAway insisted that it wasn’t to blame, either.
“They appeared to do little or no investigation into what happened,” she says. “They took a very strong stance that they were not responsible.”
So her mother-in-law hired an attorney, who contacted HomeAway. The company eventually agreed to cover the $7,300 she lost in the scam, Golson says.
Carl Shepherd, HomeAway’s co-founder, says that his company doesn’t take the phishing attacks lightly and cares about the outcome of every case. “We are taking this seriously,” he says. “We launched a significant education effort to travelers and our owners. We’re working with other people in the industry, and we’ve had two summit conversations with them to collectively combat phishing. Also, we’re developing some product changes that we hope to announce soon.”
He added that even though HomeAway has “no legal responsibility” for phishing, “we work diligently with both the owner and the traveler to find an appropriate solution, and when all parties are looking for something equitable, they usually work something out.”
Christine Karpinski, a former HomeAway employee and author of the book “How to Rent Vacation Properties by Owner,” says that the company’s problems aren’t unique and that its actions — and those of other home rental sites that have responded to the phishing problem — are a promising start.
“Vacation rental sites need to plaster their pages with warnings to never pay by wire transfer,” she says. As of now, you have to do some “hard-core digging” to find any alerts about possible fraud on any rental site, she adds. As a vacation rental owner herself, she understands the reason: Prominent warnings would frighten customers away.
Shepherd disagrees, insisting that his company is now offering ample warnings. They include a series of direct e-mails that were sent to both travelers and rental owners after the scams were discovered last year and a new security center on its Web site with advice on how to avoid phishing.
Some of the most revealing conversations I’ve had about this problem have been private. Because of HomeAway’s dominant market share, and because of confidentiality agreements signed by customers, vacation rental owners who are affected by phishing are hesitant to speak out about their experiences.
Rental owners say that they are not responsible for the phishing and that they shouldn’t be on the hook for the damages. But they also say that because HomeAway is the world’s largest online marketplace for the vacation rental industry, it can dictate the terms of compensation and compel them to quietly accept them.
One rental management company representative told me that her company spent thousands of dollars compensating customers who lost $2,000 to $2,500 apiece in five separate phishing incidents last November. It had no choice: More than half of its business comes from HomeAway, which was threatening to pull the management company’s listings if it didn’t compensate the defrauded customers.
HomeAway says it wasn’t involved in any settlement matching that description and that at any rate, the rental management company’s interpretation of its view is distorted.
“We always state that there are two victims: the owner or property manager and the traveler,” Shepherd says. “We work to resolve the situation in a way that is satisfactory to both.”
Some owners I spoke with said that the question of liability needs to be addressed by a court, a notion that appears to be gaining traction, according to Karpinski and some of the victims.
Shepherd predicts that HomeAway would win such a case.
“It is our judgment — from our legal position, from our attorneys — that we have no legal liability,” he told me. “We have a marketplace. We are not a party to the transaction.”
Customers such as Guillaume see things differently. Because HomeAway bills itself as a trusted intermediary between her and her vacation rental, she says, it owes her more than an empty apology. She says that after she lost her money, HomeAway officials told her that they were sorry but that it wasn’t their problem. The rental owner isn’t willing to help her, either.
And after losing six months of savings to an unseen criminal, Guillaume says, she doesn’t know where to turn.
“They’ve violated my trust,” she says.
(Photo: Britrob/Flickr)
