Scams, Identity Theft, and Phishing

    We've been receiving a lot of questions about scams and phishing and would like to make sure everyone understands that these scammers prey on businesses that have access to financial and personal data. Bad guys want into email accounts for whatever personal and financial info they can get - in the vacation rental industry, that means access to travelers who send large amounts of money to owners. Phishing (or identity theft) efforts give them that entry point.


    How does an account get phished?

    To be clear, HomeAway’s sites have not been hacked. What is happening is that a bad guy sends you an inquiry to learn your email address. Once the bad guy has your email address, he contacts you directly with an identity theft, or “phishing”, scam, usually using a fake Gmail or Yahoo login page. The bad guy then tries to trick you into revealing the username and password for your email provider, at which point he starts corresponding with the traveler, convincing them that he is the owner and giving the traveler instructions on where to send the money for their stay – all via email.


    You should always hover your mouse over any links and check that the domain of the link provided is related to the true business.  Any legitimate business will tell you in its privacy policy that it will NEVER send an email asking you for credit card, login or password information. EVER. HomeAway's privacy policy includes that exact same message.
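
    The same check can be run over the HTML body of an email. The Python below is an added example, not HomeAway's code; the expected-domain list, the function names and the sample message are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"homeaway.com", "vrbo.com"}  # assumption: domains you really use

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a href>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self._href, self._text = dict(attrs)["href"], []
    def handle_data(self, data):
        self._text.append(data)  # reset at each <a>, so only link text is kept
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # lower-cased hostname, or "" when the URL cannot be parsed
    try:
        return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def belongs_to(host, domain):
    # Exact match or a real subdomain; "homeaway.com.verify.example" does not count.
    return host == domain or host.endswith("." + domain)

def suspicious_links(html_body, expected=EXPECTED_DOMAINS):
    """Return [(href, [reasons])] for links that do not lead where they appear to."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host, reasons = host_of(href), []
        if not any(belongs_to(host, d) for d in expected):
            reasons.append("link host %r is not an expected domain" % host)
        if "." in text and " " not in text:  # visible text is itself a URL/domain
            shown = host_of(text if "://" in text else "//" + text)
            if shown and shown != host:
                reasons.append("text shows %r but link goes to %r" % (shown, host))
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body (not from a real message): one genuine link, two that are not.
SAMPLE = ('<a href="https://www.homeaway.com/inbox">View message</a>'
          '<a href="http://homeaway.com.account-verify.example/login">https://www.homeaway.com/login</a>'
          '<a href="https://mail-login.example/gmail">Sign in to Gmail</a>')
```

    Calling `suspicious_links(SAMPLE)` reports the second and third links and leaves the genuine one alone.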


    Why does it seem to be targeting Vacation Rental Owners?

    They aren’t - the bad guys are targeting all online companies.  However, the bad guys are looking for new targets and vacations are large ticket items.


    How can you protect yourself?

    1. If you’re using Gmail, we recommend using 2-factor authentication, which Gmail rolled out a few months ago. This will go a long way toward thwarting the bad guys in the event an owner succumbs to a scam.


    2. Check your email account for filters that you didn’t create – these can redirect emails from your email account to a bad guy’s account and never show up in your inbox.  You can send yourself an email from another account and see if it shows up in your inbox.  Doing this periodically will tell you if a bad guy has taken over your email and set up redirect filters.


    3. Be cognizant of where you are “authenticating” on the Internet. Authentication happens anywhere you enter your user name and a password. Owners need to make sure they are not giving away their login information to a criminal.


    4. We also recommend that you be vigilant with your potential guests.  For example, if a guest wants to pay offline or send you a check for more than you agreed upon, and wants you to give them the difference back in cash, that should set off warning bells.


    Other areas you are responsible for:

    •    Keep your systems patched and up to date with the latest anti-virus definitions

    •    Don't let other people use your owner account login and password

    •    Don't stay logged into your account from a public computer

    •    Log off the site when you are finished

    •    Keep ALL passwords and login information secret.

    •    Have a different password for your email and HomeAway accounts.

    •    Notify HomeAway customer support if ANY of your email or even Facebook accounts have been compromised - our Customer Support team will walk you through getting secure again.


    What can travelers do to protect themselves?

    We've found the best way for travelers to avoid a scam is to be sure to pay securely through our websites. Taking payments off the site is a violation of Marketplace Standards and should not be suggested by property owners. Partners should politely decline requests from travelers to pay off the platform and point them to the Book with Confidence Guarantee.


    How does HomeAway/VRBO help travelers who have been scammed?

    We have an entire team whose sole purpose is to locate and shut down bad guys as quickly as possible.  We also know that identity theft happens, even with the security measures we take to secure our site, so we've taken the additional step to provide access to protection for travelers, just in case they do become a victim of a phishing scam - our Book with Confidence Guarantee is in place to help all travelers who book through our sites. Payments made offline are NOT covered by the Book with Confidence Guarantee.


    Identity theft is unfortunately a reality of internet life, but please know that we are doing what we can to protect both owners and travelers. Educate yourselves, your friends, your neighbors, your kids and your guests.  And don't be afraid to reach out to us!


    *Last Updated April 11, 2018