The phishing storm is brewing
The vacation rental industry gathered in Austin, Texas last weekend for the HomeAway Summit. Owners, Property Managers, HomeAway staff, and HomeAway partners discussed the state of the vacation rental industry, saw old friends and made new ones, and compared notes.
But this year, a new word entered the conversations in the halls, over drinks, and in the content of the Summit: phishing. Phishing, loosely defined, is the attempt by criminals to steal your online identity, most frequently via accessing your email account. While our industry continues to thrive, the threat of hackers gaining access to owners’ or property managers’ email accounts continues. If we do not pull together to fight this threat, it will affect the way travelers feel about the vacation rental industry, and ultimately, about booking your property. A storm is brewing.
For some, the storm has already come – just ask anyone who has had their email password phished. Scammers have intercepted inquiries, and ruined vacations by stealing money from trusting vacation rental travelers. Owners and property managers have had to scramble to re-secure their email accounts and protect their reputations. And the reputation of the vacation rental industry is in question.
For most, the HomeAway Summit marked the first time that they ever heard of phishing, but they understood how both owners and travelers are at risk because of our industry’s reliance on trusted communications via email. (If you are not familiar with phishing, click for an overview of how it happens, or read Carl Shepherd’s post on phishing.
Today, losses due to phishing are small: in Q1 2012, phishing scams affected less than 0.1% of travelers who found a vacation rental via a HomeAway website.
But even one ruined vacation or theft of an owner or property manager’s identity is totally unacceptable. Everyone in the vacation rental industry – from owners to property managers to HomeAway – has a role to play in stopping phishing scams. While phishing may be a relatively small problem in absolute numbers, recent activity tells us that the phishers are getting smarter and more travelers, owners, and managers are being affected. It is clear that scammers and criminals have figured out that the vacation rental industry is a great target.
- the standard practice in the vacation rental industry is for travelers to pay large amounts of money for vacation rentals, long before the stay and sight unseen;
- not everyone understands or uses safe and secure payment methods;
- many people conduct their business in email accounts from email providers that have been repeatedly compromised; and
- cybercriminals are good at exploiting communities that rely on trust and a personal connection.
Phishing is not new; vacation rentals are not the first industry to be targeted by cybercriminals. Phishers have attacked many online industries ranging from online auctions, banking, social media, travel, e-commerce, even medical and government institutions, impacting major brands like eBay, PayPal, Barclays, Wells Fargo, Chase, and Bank of America.
Everyone of us in the vacation rental industry has a lot at stake, and we will all need to work together to stop phishers. You can do your part by guarding your email password with the same care as you protect your social security number, your bank account, and your most valuable possessions.
Our vision on how to fight phishing
So what can HomeAway do to fight phishing? To be clear, we’ve been fighting scammers ever since HomeAway was founded. But as we look ahead, we have come to the conclusion that HomeAway needs to take a strong stance against phishing.
We believe that we can fight phishing by:
- safeguarding the traveler’s money by providing safe payment methods protected by strong security, such as ReservationManager™;
- protecting owner and traveler email addresses so that phishers cannot readily target those accounts;
- continuing to provide secure authentication so that HomeAway can ensure that only legitimate owners, travelers, and managers can access information; and most critically
- moving interactions between owners or managers and travelers into a secure environment where everyone can be confident they are talking to each other, not a crook.
Our vision is that we can create an environment where we can protect owners, property managers and travelers with something we are calling “HomeAway Secure Communication.” This would be a new system, envisioned only in the last few months, and which is now in development. We plan to make it available starting in the second half of this year.
This proposed system is similar to sites you may use, like Facebook, LinkedIn and others, where authentication is required by both parties before they can connect. On these sites, once two parties have decided to “trust” each other, they can converse via email. But until trust is established, they CAN still communicate keeping key elements of their identity protected.
In our vision, owners and travelers would still receive notifications and messages from each other via email and text message, but they need to reply via a secure system that does not disclose their email address. This way, HomeAway would be able to ensure the legitimacy of the owner or property manager and the traveler.
We’ve already started: we showed one early prototype of HomeAway Secure Communication at the Summit during the HomeAway Sneak Peeks session. We demonstrated how the system will enable owners and property managers to:
- communicate safely with travelers and only reveal their email address when they choose to;
- have a persistent record of the conversation, payments and other events that have occurred;
- manage their conversations, bookings and payments via mobile app; and
- reduce manual and repetitive work for responding to inquiries, sending information about properties and managing bookings and payment.
We recognize that many of our customers rely heavily on email to manage their interactions with travelers. We also know that a system like this will represent a significant change for many owners and managers.
But it is precisely because your email account is so critical to your business that it must be protected.
We are highly sensitive to the needs of our customers and are aware of the scope of change that this solution represents. We are also laser-focused on making this solution as convenient and beneficial as possible; but we are counting on you, our customers – property managers and owners – to help us design and implement a solution that improves the efficiency and effectiveness of responding to inquiries and managing communications with your customers – the travelers.
We’re doing something different than what we normally do. We are announcing our intentions and inviting our community and customers to participate in the process of creating a solution because we believe it is critical to your future success as an owner or property manager: if travelers don’t trust, they will not rent.
And if you have ideas, you can give us your feedback directly by emailing us at email@example.com or via the feedback links on all of our sites. While we don’t respond to every email we get, we do READ every one.
And please sign up for the Secure Communication group on Community from HomeAway to join the discussion – we’ll post updates there as we go forward.
What can I do now to fight phishing?
We all have to pull together to fight phishing. HomeAway has worked hard to educate the industry via emails, messages on our website, and via the Security Center. We continuously invest in technology to actively monitor fraud, to surface suspicious activity, and to harden our systems and protect our customers. More recently, we have introduced new products, such as ReservationManager and Traveler Profiles, and processes such as Phone Verification to support safety.
Here are a few steps you can take now to join in the fight:
- Educate yourself – visit our Security Center to learn about phishing
- Read our to learn how to spot fraudulent inquiries
- When you receive a suspicious inquiry or email, please let us know
- Accept safe payment methods like those offered through ReservationManager
- Include an up-to-date phone number on your listing. We recommend that travelers call the telephone number published on your property listing page to confirm their reservation and payment details
- Use two-factor authentication on your email accounts. See this article on how. http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html
- If you list on vrbo.com or homeaway.com - log into your dashboard to check your inquiries to make sure you (and not a phisher) are receiving your inquiries.
Never enter your email password on any webpage via a link sent to you by email, or even if a login page that looks like your email provider’s website pops up unexpectedly. Always go to the email provider’s website to log in
- And don’t ignore warning signs or red flags - if you have a bad feeling, it never hurts to double check
Together we can fight this threat to the vacation rental industry, and we’re counting on you, just like you count on us.
Chief Product Officer