Toronto Star

Would-be renter fell hook, line and sinker for phishing scam

- Ellen Roseman

Ron Quan lost $4,860 (U.S.) to fraud after booking a vacation rental property at the HomeAway website last July. That’s about $6,000 in Canadian dollars.

His story shows how to protect yourself from criminals who hack into a homeowner’s emails — and why you should not just rely on the limited protection offered by this large online marketplac­e.

HomeAway, which was acquired by Expedia this month for $3.9 billion (U.S.), also operates and VacationRe­ Homeowners can add listings for free, but renters pay a service charge.

Unlike rival AirBnB, which forces deals to go through the site, HomeAway al- lows many transactio­ns to occur off the site. It sees itself as an intermedia­ry, a classified advertisin­g service connecting homeowners to renters.

Quan was looking for a rental in Fort Lauderdale, Fla. He clicked on a link of a home he liked and received an email saying it was available.

To ensure the property lived up to its advertisin­g, he asked his son — who lives in nearby Pompano Beach — to call the number listed, meet the property manager and inspect the property. Everything looked good, so Quan proceeded to make all the arrangemen­ts by email.

Once he signed a rental agreement, he agreed to transfer $4,680 to a bank account in Germany through his own bank in Toronto, avoiding a credit card because of fees charged by card issuers.

“Then, the communicat­ions stopped,” he told me. “My son spoke to the property manager, who had not received any of the money. We learned that a fraudster had hacked into the link where I had sent my initial request. I followed up with my bank, which wrote to the other bank. But the money was gone and the account closed.”

He confessed to having a false sense of security, since his son had called the manager and checked out the property. The listing had a real phone number, along with a fake link that diverted his emails to criminals.

This type of fraud, called phishing, is very common. For instance, people often receive what appears to be a legitimate email from a bank or government agency asking you to update your personal informatio­n by clicking a link.

People who rent out their homes can mistakenly provide their email passwords to scammers, allowing them to steal their identity and intercept email communicat­ions with travellers.

“Phishing is the act of a scammer tricking an individual into revealing personal or confidenti­al informatio­n,” said Jeff Mosler, the company’s chief service officer. “Since these incidents of phishing occur outside the HomeAway system, we strive to educate people both at our security center and via email communicat­ions that explain identity theft and provide tips for protection.”

Quan was a victim of secondary phishing, or email account takeover, the company said. No HomeAway systems were breached or compromise­d.

Moreover, he failed to take basic protective measures, such as calling the listed the phone number to confirm payment details before sending any funds.

He also failed to buy HomeAway’s rental guarantee, a type of insurance that protects reservatio­ns up to $10,000. It would have cost him $149, about 3 per cent of the money he lost to fraud.

“The fraudster provided coverage as part of the package, so it wasn’t necessary for me to buy the insurance offered by HomeAway,” Quan explained. “Of course, I did not know it was bogus.”

At the security centre, HomeAway tells renters that its rental guarantee can be purchased only at its website — and is never “free” or “included” in any rental agreement offered by owners.

Quan can still get back up to $1,000 — about 20 per cent of his loss — under HomeAway’s free basic guarantee against online fraud. He hopes to settle for more.

“What irks me, other than my mistakes, is that HomeAway is less than up front at its website,” he says. “Yes, there are some warnings, insurance and advice. But the company is well aware of this problem and is not specific enough about phishing and compromise­d links.” Ellen’s advice Online transactio­ns can be compromise­d. Use your phone to confirm the seller’s identity. Use your credit card, which offers a guarantee against unauthoriz­ed purchases. And never send money to someone you don’t know based solely on email correspond­ence. Ellen Roseman writes about personal finance and consumer issues. You can reach her at or ellenrosem­

 ??  ??
 ?? GINO SANTA MARIA ?? A man’s trip to Fort Lauderdale, Fla., was ruined through an all-too-common type of online fraud called phishing.
GINO SANTA MARIA A man’s trip to Fort Lauderdale, Fla., was ruined through an all-too-common type of online fraud called phishing.

Newspapers in English

Newspapers from Canada