A potential guest told me today that she was confused because at the same time she was corresponding with me she had received a response to her inquiry from someone other than me. The response contained her original inquiry. It had the text:
The dates are open, the booking price is $194 p/night including cleaning fees, linen , towels and taxes. Also price doesn't include the security deposit of $1,000 which will be 100% refundable at your departure. This is only to to cover accidental property damages, pay per view etc.
I am at your disposal for any further information.
It had no name or other contact or identifying information, and was sent via a Gmail address from a Comcast account in Emeryville, Calif. My VRBO account has only my address on it. No others. We guessed that the culprit may be trying to obtain the $1,000 deposit. But the huge question remains: How did he/she obtain the original inquiry?
Has anyone else seen anything like this?
I suspect you have been a victim of a Phishing Scam. Do you recall receiving an email (you can probably review past emails in your Inbox or Deleted Items & it might still be there assuming the scammer hasn’t deleted it yet) in the last few days with a link to click on, and you clicked on it, and it brought you to what appears to be a login page to your email (in reality a fake one)? If you clicked on that link, and entered your email login credentials, then your credentials have been captured, allowing the scammer to log in to your email. Best thing to do now is as follows:
1. Login to your email, and change your password.
2. Advise your prospective renter that the other email she got was from a Scammer, and not to reply to it, and that you have protected yourself by changing your email password. To assure her, invite her to give you a call using the telephone number listed in your VRBO ad.
Hope this helps. Note: there is an active thread right now where others have reported similar Phishing Scams at http://community.homeaway.com/message/15112#15112
I don't know what email you are using and features in your email setting, but to be sure, check your email settings to see if you have some strange settings added there, particularly the following settings:
Check to see if you have an "auto forwarder" and make sure there is no email address added there. The scammer may have added an email address there so that any emails sent to you will automatically forward a copy to the scammer.
Also, log in to your VRBO and review all "Inquiries" there, comparing them with what you have received in your INBOX. If you see an Inquiry that exists in VRBO but is missing in your INBOX, contact the INQUIRER to make sure they have not sent any payment to the SCAMMER. Be prepared to have a very good explanation for the INQUIRER so you don't unduly panic him/her.
I would advise you to also change your VRBO password, particularly if it was the same as your email password before. If you have a PayPal account and are using the same credentials (username and password) as your email, change that too.
This is a case where the Scammer was not able to prevent the Owner from seeing the same email from the same Inquirer, for various possible reasons.
Perhaps the Scammer forgot to delete the Inquirer’s email; or was too late in deleting it; or the Owner may have an email client that is always open and checking for emails to download and received the email already in his/her computer, so even if the Scammer was able to delete the Inquirer’s email through Webmail, it only deleted it at the email server end, and powerless to delete an email that was already downloaded to the Owner’s computer; or Owner is using a Secondary Email address defined in his/her VRBO account where Inquirer’s email is to be sent.
There are many things an Owner can do proactively to deter a scammer, and I listed them in my previous posting in another thread. The best way is to create a Secondary Email at your VRBO account (but make sure you have different passwords for different emails), that way the Inquirer's email will be sent to both addresses.
==> Also, log in to your VRBO and review all "Inquiries" there, comparing them with what you have received in your INBOX. If you see an Inquiry that exists in VRBO but is missing in your INBOX, contact the INQUIRER to make sure they have not sent any payment to the SCAMMER. Be prepared to have a very good explanation for the INQUIRER so you don't unduly panic him/her.
Addendum: Perhaps you should expand to contact everyone listed in your VRBO INQUIRIES from a certain date that you believe you have been compromised, whether the same email exists in your INBOX or not. It is possible that the Scammer may have sent them an email with a lower or attractive price offering, just to induce them to send money. So, you might want to advise them that they may have been contacted by a Scammer masquerading as the Owner, and before sending any money, to advise them to first call the telephone number listed in the VRBO ad to verify that they are dealing with the Owner. (just a thought)
Mostly good suggestions. I did receive the phishing email, and I am sure that I did not receive one, so that is not a possibility. Your suggestions about follow-up are good, but the cause is still a mystery.
==> I am sure that I did not receive one, so that is not a possibility. Your suggestions about follow-up are good, but the cause is still a mystery.
There are only two places your email could be seen:
1. in your email INBOX
2. VRBO "RESERVATION MANAGER - INQUIRY"
If it's not the first, then it's the second. Either your EMAIL was compromised or VRBO's system was compromised. There is no third possibility. But to be fair, you may have not knowingly been compromised or don't remember, so to be fair, I'll retype VRBO's email warning below about Phishing and see if it occurred to you.
Did you receive VRBO's email warning with a subject "New Phishing Scam - Beware"? Here it is. Read it and see if anything like the described warning happened to you.
Urgent Notification: Beware of New Phishing Scam
We want you to be aware of a new phishing scam targeting unsuspecting owners and property managers. This week, phishers have been sending fake inquiries and fake login pages to attempt to take over email accounts.
We believe these attacks are specifically targeting owners and property managers using Gmail, Yahoo! Mail, Hotmail and Windows Live email addresses.
Only use your email service provider's official login page
The current scam works as follows: If you open a fake inquiry email, the scammer will place you on a webpage indicating that your email session has ended and that you need to log back in. The page on which you will be asked to log in is actually a fake email login page that looks almost identical to an official Gmail, Yahoo! Mail, Hotmail or Windows Live login page.
Warning, if your session is interrupted, do not log in on that page. By doing so, you will give the phishers full access to your email account.
In these recent attacks, the webpage URL contains several numbers in random order. Always log in to your email account by typing in the official URL. The official login URL of your email service provider will contain recognizable English words, such as:
Gmail: accounts.google.com or mail.google.com
Yahoo! Mail: login.yahoo.com or mail.yahoo.com
Hotmail/Windows Live: login.live.com
Official login page example
Watch out for suspicious inquiries
In this new phishing scam, the email includes "HomeAway" in the subject line – so it looks like an official inquiry.
This fake inquiry email does not contain property details that you would expect to see in a normal HomeAway email inquiry request.
The email includes a link to "View Message." If you click on this link, you will be sent to the fake login page for your email provider.
Learn how to protect your online accounts from identity theft
Recently, we sent an email explaining how to protect yourself from online identity theft and phishers, with these recommendations:
Never provide personal information to anyone through email communication.
Always access your email from the official login page of your email service provider.
Never reply or click on a suspicious email or webpage.
Look for clues that the email is official: contains normal brand heading, no typos or errors, and never asks for personal information via email.
To access your owner dashboard, only log in to our official websites. To confirm it's an official website, make sure the URL on the login page starts with https://cas.homeaway.com (for both HomeAway.com and VRBO.com) or https://www.vacationrentals.com.
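Added example (not part of the thread or of VRBO's notice): the notice's advice to log in only on the official hosts, written as an exact-match check in JavaScript. It goes slightly beyond the notice by also rejecting the `name@host` form and raw IP addresses; the function names and sample links are constructed for illustration.

```javascript
// Added example. Hosts below are the official login hosts named in the notice.
const OFFICIAL_LOGIN_HOSTS = new Set([
  "accounts.google.com", "mail.google.com",   // Gmail
  "login.yahoo.com", "mail.yahoo.com",        // Yahoo! Mail
  "login.live.com",                           // Hotmail / Windows Live
  "cas.homeaway.com", "www.vacationrentals.com",
]);

// Decide whether it is safe to type a password on the page behind `raw`.
function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser: the same rules a browser applies
  } catch {
    return { ok: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // "https://accounts.google.com@host/" really goes to `host`.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before @ hides real host " + url.hostname };
  }
  const host = url.hostname; // lower-cased; IDN labels become xn--...
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith("[")) {
    return { ok: false, reason: "raw IP address instead of a provider name" };
  }
  // Exact match only: a known name used as a prefix or subdomain of
  // another domain does not count.
  if (!OFFICIAL_LOGIN_HOSTS.has(host)) {
    return { ok: false, reason: "host " + host + " is not an official login host" };
  }
  return { ok: true, reason: "official login host " + host };
}

// Constructed sample links (reserved .example names, documentation IPs).
const SAMPLE_LINKS = [
  "https://accounts.google.com/login",
  "https://accounts.google.com.48213907.example/login",
  "https://accounts.google.com@198.51.100.23/login",
  "https://198.51.100.23/mail/login",
  "http://login.yahoo.com/",
  "https://CAS.HOMEAWAY.COM/auth/login",
];

function triage(links) {
  return links.map((link) => ({ link, ...checkLoginUrl(link) }));
}

for (const r of triage(SAMPLE_LINKS)) {
  console.log((r.ok ? "OK    " : "REJECT") + " " + r.link + "  (" + r.reason + ")");
}
```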
I think you should read this: http://community.homeaway.com/message/15210#15210
After inquiring about a house on HomeAway.com, I received an email back from "email@example.com". This person isn't the real owner of the house, as I have been in contact over phone with the real owner. This person is located in the United Kingdom and has somehow hacked the "Contact Owner" portion of the website and is intercepting emails sent to the real owner. This person requests a wire transfer of money to his bank in the UK, "Barclay Bank", and gives you a great discount to lure you in. He then sends you a fake rental agreement, falsely using the HomeAway logo on the form, and asks for your signature and gives you 72 hours to send him the money through bank wire transfer.
I have been in contact with HomeAway.com about this, and they know it's a breach of security on their part. Word of warning to all, if you get an email from "firstname.lastname@example.org", DO NOT RESPOND!
tfv has shared some great advice and information on phishing. I just wanted to chime in and let you know that our Trust and Security team will be contacting you soon about ensuring your account is secure.
I apologize for the delay and any inconvenience this may have caused. Please know that someone will contact you as soon as they are able to work on your case.
Please let me know if you have any further questions.
Well, Travis, thanks. I didn't hear from anyone and today, a renter called me to tell me he couldn't find my listings. I tried to call them up, and sure enough, they were gone. I called VRBO support to find that they were taken down for security purposes. Without any notice to me. I was requested to make some changes to my account, and assured that the listings would be brought back up soon. I then discovered that my Homeaway listing had been taken down, too. Also without notice to me. I know you guys are working hard to fix this, and I hope you get it squared away. For the record, I'm pretty sure that the emails were not obtained from my email server/account. I am very sure I was not a victim of phishing. And I suspect that the emails were intercepted either from your server directly or as they left your server.
Scary. The email you received is nearly word for word the email my friend and I received while searching for a rental home in RI, though slightly different and from a different email address (but was also a gmail account). Unfortunately for me, I wasn't smart enough to realize it was a fraudulent email and neither was my friend. I am completely new to the whole renting and vacation search and I fell for it bigtime, transferring $1647 to a bank in England. I had no idea that transferring money was probably the #1 sign of a scam artist. My assumption was that here was this rich person who happened to have an overseas bank account, not entirely uncommon. Figured I had found an amazing deal on a great place and so didn't my friend. The rental agreement looked legit, even sending a refund form in case I was to request that.
I honestly feel so dumb, I can't believe I let this happen.
Yes, just now. One of my guests just sent this to me. Scary!:
---------- Forwarded message ----------
From: Vacation Rent <email@example.com>
Date: Sun, Feb 12, 2012 at 3:24 PM
Subject: Re: Inquiry from **** - Jul 23 to Aug 7 - Listing #234923
The dates are available to book for $6000 including cleaning fees and taxes.
If you choose to book now , you will be eligible for several cost saving options which include a 10% discount for full payment in advance Our regular payment terms, 50% in advance and 50% at check in.
I am at your disposal for any further information.
I did not send this, but it is my vrbo #. (I took out their names and e-mail address)
We have been in contact with someone suspicious for property vrbo #xxxx Kona Bay Estates. All of the info was the same. Email contact, discounts, requesting payment within 72 hrs and wiring the money to Barclays Bank in London. That's when we said something was not right. The email they used was Over.firstname.lastname@example.org. We have reported this to vrbo.
That is the EXACT email that duped me, email@example.com
They had me send money to Natwest Bank in London. I also reported this email to the HomeAway security team, FBI, FTC, and MA Attorney General.
Same scam, just caught an Italian family. This time it was firstname.lastname@example.org, but absolutely identical process and text.
Homeaway claimed our email (specifically, gmail) account was compromised. We use Mac and Ubuntu, so are somewhat less likely to have standard viruses. Both systems use global corporate security systems.
I would propose that HomeAway / VRBO send some guidelines on how to book / pay that include caution, for example, with requests for payment with Western Union.
I just got hit by this type of scam. I received a voicemail from a potential renter who had some questions about the rental contract that was being sent to her. But I never heard of her or had seen her inquiry!
In this case someone using the email email@example.com had intercepted the VRBO inquiry and was in the process of trying to get this person to do a $1800 wire transfer to them.
VRBO support deactivated my account until I changed my contact email address (not just the password), informed me about the phishing scam, and told me they had encountered this email address performing other scam attempts with VRBO property owners.
As it turned out, VRBO's advice wouldn't have fixed the security breach for me. I used a contact email address for VRBO that I had forwarded to my primary Gmail address. While I usually access my Gmail account from an IMAP client, I brought up Gmail in a browser and clicked on the "Details" link under the "Account Activity" link in the bottom right portion of the screen. This showed a table of access details over the last 24 hours - all from my IP address but one. I was in Lake Tahoe, but this IP address was in Washington D.C. The scammer!
So it turns out that the scammer had somehow hacked into my main email account, and had intercepted the VRBO inquiry forwarded to it.
To ensure this never happens again I turned on Gmail's 2-pass verification security feature. It's a bit of a pain, but makes it nearly impossible to have your email account hacked, and I would encourage all homeowners to use a Gmail account and turn the 2-pass verification feature on. Here's a link that shows how it works.
The other thing I did was activate SMS alerts from VRBO whenever an inquiry comes in.
I'm going to escalate this issue with VRBO however. It seems they can be more proactive to attempt to track down and have these scammers prosecuted, as they are violating a number of different federal laws. In this case I have the scammer's IP address, and it would be easy to subpoena their ISP and get their identity and hopefully have the FBI proceed with investigating these scammers.
I don't THINK I've been hacked (so far- knock on wood). I do have one comment/question..
We do not provide the address of our home until we have received full payment. The address is not on our Rental agreement either. The name of our home and its listing # are- this is at the advice of our attorney.
SO, if someone hacks your email, responds to a renter by sending a bogus contract, then takes the $$- won't the renter want to know the address of the home once they have made full payment?
Maybe I will add a clause to my listings on various sites stating that the address of our home will be disclosed to the Primary Renter after they have spoken with me personally, and payment is received.
My normal process is to speak personally with the renter- just a short phone call to verify things- once I receive a completed application/agreement and BEFORE I charge their CC. This works for me since I don't use RM, and all my guests appreciate the caution.
There's been much conversation on phoning/talking with renters in these forums- some pro, some con. I can only say I, as a traveler, would not send any payment to anyone unless I've talked briefly with the Owner at the phone # listed on their listing.
I agree completely with you. I never give out a home address until we have received a deposit of $1000 and verified the check is good.
Many times we get an email requesting the address; when we ask a question such as are dates flexible, what are your needs, please provide a phone number etc, we rarely get a response back. I am also asked for addresses so they could look up the location of our homes and I state landmarks nearby. I explain, for security reasons, we cannot give out an address.
I have put a disclaimer on all websites that we never request that money be sent via Western Union or via wire transfer. Payment is always made by check as we do not accept credit cards. This way if a scammer requests a wire transfer perhaps the renter will remember our website stating that we never ask for this.