Would-be renter fell hook, line and sinker for phishing scam
Ron Quan lost $4,860 (U.S.) to fraud after booking a vacation rental property at the HomeAway website last July. That’s about $6,000 in Canadian dollars.
His story shows how to protect yourself from criminals who hack into a homeowner’s emails — and why you should not just rely on the limited protection offered by this large online marketplace.
HomeAway, which was acquired by Expedia this month for $3.9 billion (U.S.), also operates VRBO.com and VacationRentals.com. Homeowners can add listings for free, but renters pay a service charge.
Unlike rival AirBnB, which forces deals to go through the site, HomeAway al- lows many transactions to occur off the site. It sees itself as an intermediary, a classified advertising service connecting homeowners to renters.
Quan was looking for a rental in Fort Lauderdale, Fla. He clicked on a link of a home he liked and received an email saying it was available.
To ensure the property lived up to its advertising, he asked his son — who lives in nearby Pompano Beach — to call the number listed, meet the property manager and inspect the property. Everything looked good, so Quan proceeded to make all the arrangements by email.
Once he signed a rental agreement, he agreed to transfer $4,680 to a bank account in Germany through his own bank in Toronto, avoiding a credit card because of fees charged by card issuers.
“Then, the communications stopped,” he told me. “My son spoke to the property manager, who had not received any of the money. We learned that a fraudster had hacked into the link where I had sent my initial request. I followed up with my bank, which wrote to the other bank. But the money was gone and the account closed.”
He confessed to having a false sense of security, since his son had called the manager and checked out the property. The listing had a real phone number, along with a fake link that diverted his emails to criminals.
This type of fraud, called phishing, is very common. For instance, people often receive what appears to be a legitimate email from a bank or government agency asking you to update your personal information by clicking a link.
People who rent out their homes can mistakenly provide their email passwords to scammers, allowing them to steal their identity and intercept email communications with travellers.
“Phishing is the act of a scammer tricking an individual into revealing personal or confidential information,” said Jeff Mosler, the company’s chief service officer. “Since these incidents of phishing occur outside the HomeAway system, we strive to educate people both at our security center and via email communications that explain identity theft and provide tips for protection.”
Quan was a victim of secondary phishing, or email account takeover, the company said. No HomeAway systems were breached or compromised.
Moreover, he failed to take basic protective measures, such as calling the listed the phone number to confirm payment details before sending any funds.
He also failed to buy HomeAway’s rental guarantee, a type of insurance that protects reservations up to $10,000. It would have cost him $149, about 3 per cent of the money he lost to fraud.
“The fraudster provided coverage as part of the package, so it wasn’t necessary for me to buy the insurance offered by HomeAway,” Quan explained. “Of course, I did not know it was bogus.”
At the security centre, HomeAway tells renters that its rental guarantee can be purchased only at its website — and is never “free” or “included” in any rental agreement offered by owners.
Quan can still get back up to $1,000 — about 20 per cent of his loss — under HomeAway’s free basic guarantee against online fraud. He hopes to settle for more.
“What irks me, other than my mistakes, is that HomeAway is less than up front at its website,” he says. “Yes, there are some warnings, insurance and advice. But the company is well aware of this problem and is not specific enough about phishing and compromised links.” Ellen’s advice Online transactions can be compromised. Use your phone to confirm the seller’s identity. Use your credit card, which offers a guarantee against unauthorized purchases. And never send money to someone you don’t know based solely on email correspondence. Ellen Roseman writes about personal finance and consumer issues. You can reach her at eroseman@thestar.ca or ellenroseman.com