Shauna Kattler thought she’d found the ideal rental home in Playa del Carmen, Mexico, for her Christmas vacation: a two-bedroom penthouse condominium with a hot tub and an impossibly perfect view of the Caribbean.
And she was getting it for the impossibly low peak-season rate of $450 a night through HomeAway.com, a popular vacation rental Web site. “Impossibly” being the operative word.
Shortly after Kattler, a relocation specialist from Kirkland, Wash., wired the money to Mexico, she discovered that she’d paid the wrong person. Her vacation dollars didn’t go to the property owner, but to someone who had stolen the owner’s e-mail password and assumed his identity through a crime called phishing.
Sound familiar? It should.
This past fall, I reported about new phishing problems on HomeAway and another site it owns, VRBO.com. I introduced you to Tania Rieben, who lost $4,300 at the slippery fingers of a scam artist posing as a vacation rental owner in Maui.
Since then, I’ve heard from many more phishing victims who wired money to shady characters pretending to hold the keys to a HomeAway vacation rental. And I’ve heard from HomeAway, which says it’s taking steps to prevent future phishing attacks and help the customers who have lost money. More on its efforts in a second.
Let’s get back to Kattler. She tried calling the property, but the person who answered hung up on her repeatedly. Finally, she contacted HomeAway, which reviewed her e-mail correspondence and confirmed her suspicions: She’d been scammed.
“This is not a case of fraudulent activity on the HomeAway.com site, but is a case of the owner’s e-mail account being compromised,” the company added. “HomeAway.com takes all fraudulent activities seriously, but our responsibility cannot extend to actions on private e-mail accounts.”
Kattler is understandably frustrated. She says HomeAway should refund the $4,500 she spent for 10 nights that she’ll never use. After all, the crime happened because of one of its listings. “All they can say is ‘I’m sorry,’ ” she says. “HomeAway is not taking any responsibility for the lack of security on their Web site.”
Actually, HomeAway is doing more than apologizing, but it isn’t taking full responsibility for the incidents, either. That’s because the company insists that the crimes aren’t being committed through its Web site. In response to cases such as Kattler’s, it recently expanded its optional Carefree Rental Guarantee to cover phishing losses.
It’s also working with its current phishing victims — there are 18, it says — to negotiate a resolution between the property owner and the guest.
HomeAway suspends a rental’s listing after a phishing incident until the security breach is plugged, which means that the property owner gets a new e-mail address. “In most of the cases, we do come up with a solution that makes everyone happy,” says Carl Shepherd, the co-founder of HomeAway.
Last month, HomeAway also warned the 625,000 property owners and managers with listings on the site about the phishing threat and offered them advice on how to protect themselves. It’s encouraging its owners to use an optional new system called Reservation Manager that offers “bank-level” security for bookings made online.