Phishing is a way criminals attempt to acquire your personal information such as usernames, passwords, bank accounts and credit card details. phishing.jpgCriminals do this by masquerading as a trustworthy entity in an electronic communication to which you respond. The simplest form of this is when the crook creates an email that has the exact look of an email from a company you trust, but, when you click on it, you go to a website that is not hosted by the company, but instead, is a phony website designed to get you to sign in using your username and password from the trusted site. HomeAway members make an attractive target for “phishers” because the average transaction value for a stay at a vacation rental is significant. A crook with access to a HomeAway member’s email account username and password is a recipe for disaster.


HomeAway has invested in trust & security technology, people and processes to help protect consumers against criminal activity on our sites. We cannot disclose the details but we are very successful in identifying fraudulent listings; in Q1 2011, less than 0.01% of our worldwide listings were both fake and cost a traveler any losses. It is our responsibility to keep fictitious listings off our site so we offer both the free basic rental guarantee and the purchasable Carefree Rental Guarantee to protect travelers from outright Internet fraud we could have prevented.


But HomeAway cannot prevent criminals from phishing your personal email account because it doesn’t occur on our site. Therefore, the traveler loss that arises from an owner giving his email password to a criminal is the owner’s responsibility. Your house is real and you are in the business of renting it. When the criminal uses technology to step between you and your customer, they are effectively standing at your virtual cash register while you are out of the store.


HomeAway has made it difficult to phish our accounts, but crooks are clever, which is why we continually improve our own security processes. But there is no technology available to us that will keep you from giving a phisher the username and password to your personal or business email account.


Like all Internet companies, HomeAway needs you, the advertisers, to do your part to make our websites and this industry safer for all travelers, who are your potential guests.


If a phisher can get your username and password for the email account you use to communicate with travelers, they can use this information to steal from travelers.


Two Victims


Phishing results in two victims. The traveler loses money and often their vacation as well. At the same time, the owner/advertiser has had his online identity stolen, and that thief has not only access to his customers, but to all the information he keeps in his email account.


Because the owner is a victim, too, it’s perhaps understandable that some owners do not believe they bear responsibility when their email account has been used to steal from a traveler.


In our view, it is the owner’s responsibility to provide restitution when his email password has been phished. After all, the email account was used to steal from a traveler who responded to an email from your email account and but for the criminal getting access to your email account the traveler would not have experienced any loss.


HomeAway’s guarantees do not apply to traveler losses due to the theft of your identity via phishing. We have no way to stop your email account from being phished. Only you can do that.


Protect Yourself from Phishing:


  1. Never share your email account password to anyone.
  2. Only enter your email username and password after verifying that you are on the website of your email provider. Check the URL. If you want to respond to a request that came via email, open a new browser window and go to your email provider’s website to sign in. 
  3. Only change email information after initiating a session with your email provider. 


Help Protect Travelers:


  1. Do not ask a traveler to wire money via Western Union or another third-party service.
  2. Sign up for a merchant account and accept credit cards. HomeAway offers one through Reservation Manager, but if doesn’t meet your needs; use one of your choice.
  3. Respond to telephone calls promptly. Travelers often want to speak to you before they pay; the call could be your first notification that you’ve been phished, and crooks have better odds when they can get to the traveler first.


HomeAway’s Policy Regarding Phishing


While HomeAway cannot prevent a phisher from tricking you into giving up your username and password to your personal email or HomeAway account, we will continue to do all we can to insure a fair and trusted marketplace.  It may sound harsh, but listings from owners who ignore their role in maintaining a marketplace that is safe for travelers are not welcome on our websites.


When we have reason to be concerned your email account may have been phished, we try to move quickly to limit the possibility that travelers are harmed; we need for you to move quickly, as well. This is how the process works:


  1. When we receive information indicating either your HomeAway or personal email account has been compromised, all of your listings will be suspended. This is to keep unsuspecting new travelers from falling victim to the thief.
  2. We will work with you to verify which of your accounts has been compromised. Sometimes the information we have received from a traveler is wrong; in that case, the listings will be reinstated as quickly as possible.
  3. Once we’ve verified your email address has been phished, we will notify every traveler who has inquired on your property so they can avoid sending money to the thief.
  4. If a traveler has paid a thief using the email address you placed on file with HomeAway before receiving a warning notification from HomeAway, it will be your responsibility to either reimburse that traveler for verified losses, or to provide some sort of in-kind value (a free stay at another time, for example) to the traveler.
  5. If you choose not to work with or provide restitution to the traveler, then your listings are at risk of being removed from or not reinstated on HomeAway websites.  This is a determination we make in our sole discretion on a case-by-case basis in order to make our websites and this industry safer for all travelers.



Warm Regards,


Carl Shepherd

Co-Founder and Chief Strategy and Development Officer


** UPDATE **


The TODAY show   recently highlighted a case in which  some travelers experienced fraud in Fort Lauderdale, Fla.  Luckily their story had a happy ending, but we wanted to share it with you as a reminder to always protect yourself online.  When booking a vacation rental, always remember do the following:

  • Pay with ReservationManager from HomeAway, whenever possible
  • Pay by credit card, check or bank transfer, and never by cash or wire transfer
  • Call before you pay - After you send an inquiry, call the homeowner or property manager via the phone number on the listing to confirm they've received your reservation request

Also, we wanted to update you that as of now, the HomeAway Carefree Rental Guarantee now covers phishing incidents.  For more information, visit