Vacation rental phishing scams catch more travelers

Shauna Kattler thought she’d found the ideal rental home in Playa del Carmen, Mexico, for her Christmas vacation: a two-bedroom penthouse condominium with a hot tub and an impossibly perfect view of the Caribbean.

And she was getting it for the impossibly low peak-season rate of $450 a night through, a popular vacation rental Web site. “Impossibly” being the operative word.

Shortly after Kattler, a relocation specialist from Kirkland, Wash., wired the money to Mexico, she discovered that she’d paid the wrong person. Her vacation dollars didn’t go to the property owner, but to someone who had stolen the owner’s e-mail password and assumed his identity through a crime called phishing.

Sound familiar? It should.

This past fall, I reported about new phishing problems on HomeAway and another site it owns, I introduced you to Tania Rieben, who lost $4,300 at the slippery fingers of a scam artist posing as a vacation rental owner in Maui.

Since then, I’ve heard from many more phishing victims who wired money to shady characters pretending to hold the keys to a HomeAway vacation rental. And I’ve heard from HomeAway, which says it’s taking steps to prevent future phishing attacks and help the customers who have lost money. More on its efforts in a second.

Let’s get back to Kattler. She tried calling the property, but the person who answered hung up on her repeatedly. Finally, she contacted HomeAway, which reviewed her e-mail correspondence and confirmed her suspicions: She’d been scammed.

“This is not a case of fraudulent activity on the site, but is a case of the owner’s e-mail account being compromised,” the company added. “ takes all fraudulent activities seriously, but our responsibility cannot extend to actions on private e-mail accounts.”

Kattler is understandably frustrated. She says HomeAway should refund the $4,500 she spent for 10 nights that she’ll never use. After all, the crime happened because of one of its listings. “All they can say is ‘I’m sorry,’ ” she says. “HomeAway is not taking any responsibility for the lack of security on their Web site.”

Actually, HomeAway is doing more than apologizing, but it isn’t taking full responsibility for the incidents, either. That’s because the company insists that the crimes aren’t being committed through its Web site. In response to cases such as Kattler’s, it recently expanded its optional Carefree Rental Guarantee to cover phishing losses.

It’s also working with its current phishing victims — there are 18, it says — to negotiate a resolution between the property owner and the guest.

HomeAway suspends a rental’s listing after a phishing incident until the security breach is plugged, which means that the property owner gets a new e-mail address. “In most of the cases, we do come up with a solution that makes everyone happy,” says Carl Shepherd, the co-founder of HomeAway.

Last month, HomeAway also warned the 625,000 property owners and managers with listings on the site about the phishing threat and offered them advice on how to protect themselves. It’s encouraging its owners to use an optional new system called Reservation Manager that offers “bank-level” security for bookings made online.

Shepherd says customers could easily prevent phishing incidents by calling the property to verify that they’re e-mailing the correct person. Criminals haven’t figured out a way of spoofing a phone number — at least not yet.

To that advice, I would add the following: Never wire money. Every phishing incident I’ve tried to mediate — every last one — starts with someone reluctantly sending money to a stranger. Once it’s gone, there’s no getting it back. With a credit card, at least you’re protected and can dispute a bogus charge.

The phishing problem isn’t unique to HomeAway. Other vacation rental customers have also recently been targeted. But HomeAway’s guests seem to be the most vocal. Many of them contacted me to ask for help after the first column I wrote about phishing. The company reports that some of these disputes have already been resolved.

But not all of them. Kattler’s grievance is still under investigation. She flew to Mexico as scheduled and paid another $2,000 for accommodations.

And Rieben’s case may never be solved. The real property manager in Maui says that he warned Rieben that he was the only point of contact for the rental but that Rieben tried to find the owner and then stumbled into a trap, according to HomeAway.

Although the property has offered her alternative dates for a stay in Maui, no agreement has been reached.

“We feel horrible for her,” Shepherd says.

So do I.

(Photo: gradwellsears/Flickr)

Christopher Elliott

Christopher Elliott is an author, journalist and consumer advocate. You can read more about him on his personal website or contact him at Got a question or comment? You can post it on the new forum.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus

  • theSuperStar

    All are at fault. The renter should never wire money. The owner probably had a weak password for their email and is ignorant to phishing tactics. The website didn’t ensure the owner’s information is correct and update.

  • Elmo Clarity

    A lot of these problems could be avoid if the listing agency, such as would provide a secured method of communication between renters and owners.  It sounds from this story that HomeAway has started providing something, but with it being optional, that is not sufficient.

    Personally, I feel that any rentals like this should be like when renting a hotel via the main website for the brand.  Even though a lot of the properties are franchises, the reservations and payment go through the main site, give the renter more protection.

  • Crissy

    I think there is blame to go around.  The websites can offer more secure ways to process reservations, but they can’t always make people use them.  Owners need to be responsible for their email accounts if they’re using them and if they find there is a problem contact the website immediately.  And renters need to follow their instincts, when something isn’t right they should step back before sending thousands of dollars to someone they don’t know.

  • Raven_Altosk

    Criminals haven’t figured out a way of spoofing a phone number — at least not yet.————————–
    Actually, they have. Google “Phone Spoofing.” There are even apps you can download to do it. And, many of those scammers who call you to tell you that you can lower your credit card debt (those same ones I’ve emailed you about) use “Credit Services” and a fake number to appear as their caller ID.

    Anyway, I had to vote for the renter. NEVER EVER WIRE MONEY TO SOMEONE YOU DON’T KNOW. I was looking for a diving vacation in Belize, so I looked at Conde Nast Traveler’s Super Agent list. I contacted one there who began working to set up an itineary for me. When it came for me to pay the hotels/dive adventures, and the travel agent, the agent demanded I pay her for all portions of the trip rather than paying the hotel directly. Okay, but then she refused a credit card. She wanted me to WIRE her money. I told her no, credit card only. She threatened to “sue” me for her time (lol, good luck with that, princess)

    I contacted Conde Nast about this “super agent” and her wire scam, but she is still listed as their “Belize Expert.”


  • andrelot

    This is a very tricky question. It boils down to evaluate what is the precise positions and responsibilites of the booking facilitator websites like HomeAway, VRBO, AirBnB etc.

    Let’s take an extreme hypothetical case: Craigslist.

    Does anyone reasonable thinks Craigslist is responsible if some poster (who never paid for posting her/his ad) announces it is selling a car at a deeply discounted price but needs an advancement in form of a money order by mail, and then disappears?

    On the other extreme: a major hotel  franchise.

    Would anyone resonable thinks that Accor should not be responsible for a bogus charge in a hotel bill because “the hotel is an independent franchise despite sharing the Mercure logo, style, appearance, staff uniform and reservation system”?

    Between these two situations, how to sort out vacation rental websites? I think they should take some steps, like providing some sort of payment facilitaiton through their own sites. But with them could come a tsunami of liabilities.

  • Kotch11

    There is blame on all sides, but one must do due diligence when renting like this.  I rented once through VRBO and was very happy, but I did a lot of research and legwork (or brainwork) before doing so.  I even contacted the owner.  Sometimes you have to work to find out these things

  • scapel

    To rent have a phone number to contact and talk to that person and then confirm contact by e-mail. Then use a credit card for deposit and give the credit card number by phone. Lots of places don’t take credit cards and want you to use pay pal which I have had to use, but feel that pay pal was the victim of gettimg my card comprimised and I had to change cards. My CC company credited the four smaller charges, and said the thieves usually try small charges and if that flies they go to a big charge.

  • finance_tony

    “Criminals haven’t figured out a way of spoofing a phone number — at least not yet.”

    As Raven points out, it’s easy.  And, it makes for one “impossibly” funny informercial: (DramaTel TV ad)

    And I’ll echo the other posters:  Who wires money?

  • Doug Marshak

    Of course people shouldn’t wire money in this day and age, but if a site serves as a route of contact between a business (property owner) and a client (renter), it is the responsibility of the site to make sure interactions created through its site are real.  Failure to connect is a failure of the website’s primary purpose, and looks much like a scam as well.

  • Bill Armstrong

    Why doesn’t homeaway collect the money on their website and then pay the owners?  Rather than having potentially thousands of places for the renter to pay, there would be one.  The website could emphasize that all payments must be made through the website and not to wire money to anyone.

  • Elmo Clarity

    I think you need to look at one other difference between Craigslist and the major hotel franchise example.  Craigslist does not advertise that they have validated the ads like HomeAway and the others have.  Craigslist is no different as the classified listings in the newspaper.  When you have a site like HomeAway offer guarantees about the quality of their listing, they take certain responsibilities with that assurance.  By allowing the listing party to use their own communication method outside the listing agency’s control, I feel the agency still has responsibilities.

  • Nancy Dickinson

    This happens so often at HomeAway and VRBO because it can.  The site is a target because their practices and website security makes it easy for a scammer to get in the middle.

    “Asking” their rentals to take part in the programs they are implementing doesn’t seem like the right way to do it.  Making it part of their membership policy is.  It occurs to me, how do we know some of these aren’t the work of some of these rentals?  How easy is it to post a picture and “say” a condo or home is for rent?

  • Fly, Icarus, Fly

    I’m still puzzled. Presumably, the owners of these properties use their email daily or at least very frequently. How would they not know that they’ve been hacked?

  • Elmo Clarity

    Actually, the spoofing I think that is being referred to is not the number that comes up on the receiver’s phone, but the number that is connected to by the caller.  If the HomeAway site says the phone number for the owner is (123) 456-7890, when I call that number, a scammer cannot have it redirected to a different number.  Spoofing the caller-id info has been around for a long time.

  • Elmo Clarity

    Sometimes there is no indication of unauthorized activity.  They can get in, delete the message, and get out before you check.  I am no computer novice having been involved with computers for 30+ years in both software and hardware development.  However, I had no indication of an unauthorized access to a gmail account I used other than an alert gmail sent me about access to my account from a foreign country.  And I would have missed that warning if I hadn’t logged on via the web site to the account.  So I’m not too surprised that these owners are unaware of their accounts being hacked.

  • Elmo Clarity

    Agreed.  Having a “secured” method but only “asking” the people listing to take part I think puts them at a greater liability for fraud.  They are admitting that there is a problem, they have a solution, but they don’t care enough about the renters to make sure they get protected.

  • Linda Jordan

    I just had this discussion with my husband and there is no right answer. We have rented homes through and VRBO in European locations with no problem. I have always done my due diligence and I NEVER wire money.  After I find a property I Google it and the homeowner and look for any phone numbers associated with the property.  I read all comments from previous renters make sure the owners are who I am dealing with and that’s about all you can do.
    It would be helpful if the sites had some type of protection to prevent any losses, but then the rental prices would probably go up to cover the increase for the protection.  

    It’s unfortunate that these type of incidents happen, but here are dishonest people in the world. The home owners are the victims as well.

  • TouchyFeely

    It’s called Stupid Tax.  Wiring money to someone outside the country is roulette.  I gamble, and even I wouldn’t do that.  Site like HomeAway and VBRO are just vehicles for scammers.

  • TouchyFeely

    Clearly she was counting on the famed stupidity of Americans.

  • TouchyFeely

    It’s simple, they are nothing more than Craigslist with better websites.

  • TouchyFeely

    And exactly how did you know you were talking to the real owner?  You can’t – that’s the problem.  Chances are pretty good that idiots with stupid passwords have those same passwords on the web sites data, and can easily change things like phone numbers.  It’s a gamble, and you got lucky.

  • sanibelsyl

    Though all are partially responsible, I think the vacation rental guest holds the most responsibility.  As others have mentioned, she should not have wired money to a total stranger on whom she had little to no information.  That’s like walking down a dark alley with money hanging out of your pocket.  Yes, it’s still the thief at fault, but it was a foolish thing for the victim to do.  As I say to my own vacation rental guests (all who pay by credit card), “don’t take my word” and do your own research……

  • LeeAnneClark

    While I agree with other commenters that there is blame to go around, I voted for the primary responsibility to be on the renter.  Why?  For Pete’s sake, people, it should be eminently clear by now:

    NEVER NEVER NEVER wire money to someone you don’t personally know…as in, have met them in person, know their voice on the phone, possibly even share some DNA.  NO scam can take place if you don’t wire money.  EVERY scam of this type involves blind-wiring money through Western Union, MoneyGram, or bank-to-bank, to a stranger. 

    Simple.  NEVER WIRE MONEY. If people would stop doing that, the entire multi-billion-dollar business of internet scams would crumble like a house of cards.

    The simplicity of avoiding these scams is staggering.  And yet, people do it every day.  Every day there’s a new sucker posting on asking if they just got scammed.  Read their posts and, sure ’nuff, they wired money to someone.  Doesn’t matter the reason:  they thought they were paying a property owner; they thought they were helping a “friend” who got mugged in London; they thought they were paying the fees for a big lottery win; they thought they were helping a Nigerian prince transfer millions to the US, and would bestow them a couple mil for their help.  (Yes, people still fall for that.)

    It’s all the same thing:  classic internet scams, usually perpetrated by con artists working out of cramped, sweaty, fly-riddled internet cafes in Nigeria, Ghana or Benin.

    I used to feel compassion for the victims, but these days, not so much.  Now I just think they’re stupid, and deserve what they get.

    How hard is it to realize that blind-wiring money to strangers is not a very good idea?

  • Dick Jordan

    If it would effectively prevent the type of fraud you have reported, then HomeAway should require that all of its property owners use the Reservation Manager system. Travelers would feel safe making payments, property owners would be assured of receiving them, HomeAway’s reputation would be enhanced, and all concerned would avoid the aggravation and financial losses associated with phishing. 

  • Josh S

    Let’s pretend for a moment that this was not a vacation from, but a sale of a used item on Craigslist. (It’s a pretty good analogy, really.)

    A person sees a listing on Craigslist that says, $Item for sale–only in-person transactions are accepted. They respond to the listing (which is usually an anonymous email that gets forwarded to a real email, call it Seller@used$ ).

    Meanwhile, the Seller@used$ email address has been compromised. When the buyer sends the response to the listing, the real owner of the listing never gets it. Instead, some scammer responds directly from the Seller@Used$ address, asking for money to be wired before $Item is shipped because of some excuse. Maybe their cash-handling computer is broken today or something. And because that machine is broken today, I’ll even give you a HUGE discount–50% off!!!

    Now, this ought to raise a billion red flags. Craigslist has a bunch of warnings all over that say, “Never wire money. It’s almost certainly a scam!” But people wire money anyway, and since the email exchange is now occurring outside of Craigslist, those warnings aren’t visible. 

    The Buyer decides, “Well, it’s a bit unusual, but I’ll go ahead and do it because that excuse sounded mildly plausible, and this is such a deal!” They wire the money, which vanishes to some scammer in Nigeria or Pakistan or Naperville… and the Buyer is stuck.
    Now, who is to blame? Craigslist? Not really. All they did was provide the (perfectly legitimate) listing, and facilitate the initial connection between buyer and seller. Heck, they even gave a bunch of warnings!The Seller? Perhaps a little. They could have protected their email better. But who knows if it was an easy-to-guess password or some sophisticated virus that allowed them to get hacked? So I’m going to say that they are not to blame, since they never knew the transaction was even taking place. And even if they realized that they were locked out of their own email, they might not have had any recourse to warn people–they’re locked out!The buyer? They have a bunch of the blame. They ignored the warning signs because they were dazzled by a ‘good deal’.The scammer? For sure. This is the person who ought to pay up. But good luck trying to find them to sue or prosecute. This is what makes it such a good scam to run–it’s impossible to trace the evildoers.Now, swap Craigslist for HomeAway, and it’s the exact same thing. The person to blame is impossible to find, and the people you can find have no responsibility for the buyer’s (somewhat stupid/naive) actions. Who should be responsible for making the buyer whole? Well, the blame is shared between buyer and scammer, so the scammer ought to make the buyer whole. Anyone else who offers to do *anything* is going above and beyond. 

  • Bruce Burger

    Sometimes you need to wire money. I have rented places from many property owners around the world who required payment that way. I’ve never had a problem. There is always some risk, and I’m glad more secure systems are becoming more popular, but wiring is still expected by some people. If I have any doubt about legitimacy, I talk to the person by phone, on the theory that a real criminal won’t want to do that.

  • Jeanne_in_NE

    Umm – I’ve had the repeated phone calls and messages from the “local UPS Manager who can’t deliver your package” (with a LA-suburb phone number).  A relative has had the “favorite grandson who needs money to post bail” phone call – and who left a message for her to call back.  I wouldn’t be so sanguine about speaking to a person by phone in order to ensure legitimacy.

  • Kotch11

    Disqus generic email templateI did know who I was talking to
    —– Original Message —–
    From: Disqus
    Sent: Saturday, January 28, 2012 10:19 AM
    Subject: [elliott] Re: Vacation rental phishing scams catch more travelers

    TouchyFeely wrote, in response to Kotch11:

    And exactly how did you know you were talking to the real owner? You can’t – that’s the problem. Chances are pretty good that idiots with stupid passwords have those same passwords on the web sites data, and can easily change things like phone numbers. It’s a gamble, and you got lucky.
    Link to comment

  • Raven_Altosk

    Even more disgusting that Conde Nast still lists her as one of their “trusted super agents.” Ugh.

  • Raven_Altosk

    Ah, trufax. 

  • LeeAnneClark

    What you are looking at here, folks, is a future scam victim.

    No legitimate business requires wiring money to purchase something.  Simple as that.  I’ll repeat:  NEVER WIRE MONEY TO A STRANGER.  Sure, some legitimate businesses might ask for it, as it’s a quick and easy way to get your payment…but if they insist on it and offer no other way to accept payment, they are scammers.

    And don’t be so confident about phone calls.  It costs very little to get a disposable cellphone in Nigeria, and its easy to get a phone number that doesn’t even look like an international call.  Real scammers talk to their victims by phone ALL THE TIME.

    I know whereof I speak.  I spent years counseling scam victims.  I’ve seen all manner of scam, and the scammers are getting more wily every year.

    Once again, there is one sure-fire way to avoid ever getting scammed:  NEVER WIRE MONEY.  Period.

  • BlondieDC

    If someone required that money be wired, I don’t care how fabulous the place/price/location is, I would move on to the next posting.  I just wouldn’t do it.

  • LeeAnneClark

    And here we have someone who, smartly, will never be scammed.  See how easy that is? ;-)

  • $16635417

    Re-reading the poll and notice a lot of people feel the site this was “booked” on is responsible. Is homeaway a “booking” site or a listing site. I could only see options to contact an owner and no option to actually book it. How would this differ from Craigslist??

  • Jeremy

    Unfortunately LeeAnne, while your viewpoint may be true in the US, it’s not so simple worldwide.  For example, in Australia it is common place to wire money domestically (called a “bank deposit”) for purchases between private parties.  These do have a few more controls than Western Union, Moneygram, etc, because they are regulated under the local banking system, but they still are subject to similar scams.  Yet there is often no alternative for private party transactions – it is not worth it for many vacation home owners or similar micro-businesses to set up credit card accepting facilities, especially with the very high rates typically changed in Australia.  Cheques are no longer used here.  True, some vacation home owners will align themselves with real estate agents or other brokers who can accept credit cards, but this is not universal and a request to wire money via bank deposit, or international bank transfer (SWIFT), if the renter is outside Australia, would not be considered unusual.

    I do agree that never wiring money will help prevent you from being a scam victim, and a cautious traveler may prefer to stick wtih credit-card-accepting businesses.  But it is simply not true that legitimate businesses do not sometimes require this method of payment, outside the US.

  • Rentthings

    The website owner should protect the renter but it’s all depend on their policies the thing that users don’t really check before signing up in any website.
    Never wire money without checking the feedback of the rental place owner.

  • Jim Jacobs

    HomeAway should put a clear warning on its home page instructing people not to wire money. 

  • Cybrsk8r

    Checking feedback really isn’t going to accomplish anything as far as preventing these type of scams.  A landlord could have stellar feedback, but as soon as his account is hacked, that feedback becomes meaningless.

    While HomeAway isn’t completely to blame for these scams, their site IS facilitating the scam and they don’t get to just say “sorry” and walk away.

    These sites need to REQUIRE that all landlords accept credit cards and ban landlords from even asking for wire transfers. Anytime a user clicks on a listing, the site should display a pop-up warning the user not to wire money. The user would have to click thru this pop-up to get to the actual listing.

  • MarkieA

    People just need to vote with their wallets, then. If folks become aware of more and more scams that require you to wire money, they’ll stop wiring money. Then, your small businesses will either have to figure out all that complicated credit-card stuff, or fold.

  • Zod

    Last year, my wife and I spent a week on a beach-front cottage on the North Shore of Oahu in Hawaii! I never considered using Home-Away or any of the established home rental sites for just the reasons sited above. I just don’t trust working through the individual. Instead I did a Google search for vacation rentals Hawaii and found that there are realestate companies who manage rental homes for owners. After validating that the realestate company was legit, and they sent me a contract, they too wanted me to wire them money. I instead offered a credit card which they accepted but I had to pay a credit card fee…for the security of using a credit card, not that big of a deal.
    In all. because I did *NOT* use home away, my vacation on the North Shore was perfect!

  • Zod

    Actually, while it is a non-trivial matter, it is possible to “spoof” a phone number so that it gets redirected to a third party number. This technique is used quite a bit for bank transfer thefts. It goes along the line of requesting a forwarding of a phone number to a disposable phone or googlevoice number from the phone company. Apparently this is a rather simple thing to do and the phone company does not validate request. So even calling the number doesn’t always guarantee that you will reach the intended party!

  • Lindabator

    As a travel agent, I ALWAYS tell my clients to use a credit card – sometimes I am paying a wholesaler or consolidator, and not the hotel directly, but I can guarantee YOU will never be paying ME – just having me put through a payment on your credit card on your behalf.  You are correct – NEVER WIRE MONEY!  If the companies I use oversees need it wired (there are some legitimate companies that do), i collect your paymnet from your credit card, and forward the wire from my agency.  FAR SAFER!

  • Vacation Rental Guru

    Chris, I cannot believe the result of the poll. People think the owner is the least responsible and yet it is their lack of security that has led to the phished email address! I own a rental listing business and also a reservation and booking management company and we have NEVER (underlined!) had a scam on our systems. That is because we have extremely tight control of revenue transferral(and as you point out renters should ALWAYS pay with a credit card). I cannot believe the amount of people prepared to send large sums of money via transfer or cheque (check) to complete strangers. It simply is not worth the risk. Out other system checks on property footprint and we partner the GB group to vet owners of property to an extremely high standard. I feel very sorry for customers when this happened and I am shocked it has done so on Homeaway. With the resource at their disposal they ought to do better.

  • Vacation Rental Guru

    Elmo, spot on. And this is why we’re developing (it goes live next month) a comms system to secure all comms to a thread within our https encrypted site.

  • msj

    The same thing happened to me very recently through a homeaway site called ownersdirect they have been useless and very unsympathetic. they just told me to take it up with the owner. What about the data protection act I thought businesses were legally obliged to hold your data securely. a) owners direct passed my data to an unsecure source and b) the villa owner is running a business and did not keep my data secure. surely when you complete a form on the owners direct website a message advising to phone before payment is better situated on the form rather than by the number as the form is the first port of call and then you enter into correspondance without looking at the page again.

  • MikeSmithy

    Thanks for this post! I’ve been planning a trip to Hawaii specifically Maui, and I’ve had to look a lot at the options for maui vacation rentals in the area, so I could find something that would work for us. This post helped a lot thanks!