Q. What is phishing?
A. Phishing is a serious threat to the vacation rental industry. It occurs when an owner or property manager mistakenly gives a criminal their email password, ultimately losing control of their email account and their online identity. Once the criminal, also known as a “phisher,” has control of the email account, they can impersonate the owner or property manager, describing the property and ultimately attempting to convince a legitimate traveler to pay real money for a fake reservation.
Q. What are phishers trying to do to vacation rental owners and property managers?
A. Phishers attacking vacation rental owners or property managers are attempting to gain access to their personal or business email accounts with the intent to intercept communications with travelers.
Q. How do phishers get an owner or property manager’s email address?
A. Phishers typically send bogus inquiries using HomeAway sites. While we have sophisticated trust and security technology, which can stop spammers and block known phishers, some bogus inquiries are indistinguishable from legitimate inquiries. When trusting owners or property managers respond to these criminals, they are revealing their email address.
Q. What are some signs of a bogus inquiry email?
- Unusually long stays – sometimes phishers will try to tempt owners or property managers with too-good-to-be-true long stays in off seasons
- The number of guests does not make sense for the capacity of your house – inquiries for 2 people to stay in your 8-bedroom house that sleeps 20 may be a sign of a computer-generated inquiry
- Message does not correspond with your property – inquiries that include questions about your beachfront property when your listing is in the mountains may be a sign of a phisher spamming multiple listings
Q. How do phishers gain access to owner and manager email accounts?
A. Once cybercriminals get your email address, they can try to gain control of your email account by:
- Broad-scale attacks: using a computer to try millions of combinations of letters and numbers to determine your password
- Phishing attacks (one of the most frequent tactics): sending an email that links to a seemingly legitimate website where you are prompted to enter your username and password. The fake website is controlled by the phisher, so once you enter that information, they have captured your password and can now access your account
- Malware attacks: cybercriminals attempt to install malware (such as a keylogger) on your computer, which enables them to access your accounts
Q. What are some of the risks of a cybercriminal having your email address?
A. Phishers may try to use your email address as a tool to get access to your email, account passwords, banking information and other information relating to your personal identity, such as your social security number, date of birth, address or credit card information.
Q. Why do phishers want to gain access to vacation rental owner and property manager email accounts?
A. Phishers want to gain access to owner and property manager email accounts to intercept inquiries from travelers. By having access to their email, phishers can con a trusting traveler, who thinks they’re speaking with the real owner, into sending them money to “book the property.” Phishers take advantage of the fact that travelers are often accustomed to paying significant amounts of money for vacation rentals in advance of their stay. If the traveler pays, the phisher has succeeded in stealing from the traveler (who is out the money they paid) and the owner or property manager (who has lost an opportunity with a legitimate traveler).
Q. What do phishers do once they have gained access to an owner or manager’s account?
A. Phishers generally make changes to the email settings to allow them to better intercept emails so that they can run their scams and cons. For example, a common tactic is to set up an email filter which forwards all or some of the emails sent by HomeAway to the owner or the manager to another email account controlled by the phisher. This allows the phisher to reply to those emails, impersonate the owner or manager and scam a traveler. Phishers are so good at hiding their tracks that it can be weeks before an owner or manager realizes that someone has been in their account.
Q. What are the early warning signs that an owner or manager’s email account has been phished?
A. There are a few common signs that might indicate that an email account has been phished:
- The email account has been accessed from a different machine or location
- New folders or filters are set up in the email account
- The email account stops receiving inquiries from HomeAway
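The filter-related warning signs above can be checked by reviewing the mailbox's rules. The following Python code is an added example, not HomeAway code: it flags rules that apply to HomeAway mail (or to all mail) and either forward it to an unrecognised address or hide it from the inbox. The rule format, field names and sample addresses are hypothetical and constructed for illustration; real mail providers export rules in their own formats.

```python
# Hypothetical, provider-neutral rule format (an assumption for this example).
# Each rule: {"name", "from", "actions", "forward_to"}.
HIDE_ACTIONS = {"delete", "skip_inbox", "mark_read", "move_to_folder"}


def _targets_domain(rule, domain):
    """True if the rule applies to mail from `domain` or to all mail."""
    criterion = rule.get("from", "").strip().lower()
    if not criterion:
        return True  # no sender criterion: the rule matches every message
    sender_domain = criterion.rsplit("@", 1)[-1]
    return sender_domain == domain or sender_domain.endswith("." + domain)


def audit_rules(rules, own_addresses, watched_domain="homeaway.com"):
    """Return findings for rules that forward or hide mail from watched_domain."""
    own = {a.lower() for a in own_addresses}
    findings = []
    for rule in rules:
        if not _targets_domain(rule, watched_domain):
            continue
        reasons = []
        external = [a for a in rule.get("forward_to", []) if a.lower() not in own]
        if external:
            reasons.append("forwards to unrecognised address: " + ", ".join(external))
        hidden = sorted(HIDE_ACTIONS & set(rule.get("actions", [])))
        if hidden:
            reasons.append("hides mail from the inbox: " + ", ".join(hidden))
        if reasons:
            findings.append({"rule": rule["name"], "reasons": reasons})
    return findings


# Constructed sample data, not taken from any real account.
OWN_ADDRESSES = ["owner@example.org", "owner.backup@example.org"]
SAMPLE_RULES = [
    # Unrelated sender: ignored by the audit.
    {"name": "Newsletters", "from": "news@shop.example",
     "actions": ["move_to_folder"], "forward_to": []},
    # Applies to all mail but forwards only to the owner's own backup address.
    {"name": "Backup copy", "from": "",
     "actions": [], "forward_to": ["owner.backup@example.org"]},
    # Forwards HomeAway mail elsewhere and keeps it out of sight.
    {"name": "zz", "from": "@homeaway.com",
     "actions": ["mark_read", "skip_inbox"],
     "forward_to": ["collector@mail.example"]},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, OWN_ADDRESSES):
        print(finding["rule"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Any rule this review flags that the account holder did not create should be removed and followed by a password change.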
Q. Why don’t phishers target HomeAway instead of the owner or manager’s email account?
A. HomeAway makes it extremely difficult for phishers to gain access to HomeAway accounts. HomeAway accounts require two-factor authentication via security questions for all accounts. In addition, the HomeAway security team is continually monitoring suspicious behavior, hardening our systems, and implementing security policies and technology. These protections are often not in place with respect to an owner or property manager’s email account. Owners and property managers who use web-based email services like Gmail, Hotmail, AOL, or Yahoo with single factor (username and password) authentication have appeared to be particularly vulnerable.
Q. Who are the victims of a successful phishing scam?
A. Everyone loses when a cybercriminal succeeds in a phishing scam. Defrauded travelers lose money to phishers, and may arrive at a vacation rental only to find that a traveler is in the house and the legitimate owner or property manager has no knowledge of their reservation. If you are phished, your business and reputation may be harmed by a traveler who holds you responsible for his loss. And everyone loses when a few successful crimes erode consumer trust in the vacation rental industry.
Q. How often do owners get phished? How often are travelers defrauded?
A. The HomeAway security team monitors, blocks, and shuts down phishing scams regularly; however, cybercriminals are increasingly targeting the vacation rental industry and unsuspecting owners are falling prey to the attacks. The percentage of phishing scams that result in a loss is less than 0.1% of all reservations that occurred as a result of vacation rental travelers who found a home via a HomeAway website; however, even one traveler fraud or a ruined vacation is too many. For this reason, we are taking efforts to fight phishing.
Q. Is phishing unique to the vacation rental industry?
A. No. Phishing is not new, and the vacation rental industry is not the first industry to be targeted by cybercriminals. Phishers have attacked various online industries, such as online auctions, banking, social media, travel, e-commerce, even medical and government institutions, ultimately impacting major brands such as eBay, PayPal, Barclays, Wells Fargo, Chase, and Bank of America.
Q. What have other companies in other industries done to fight phishing?
A. Many companies have successfully defended against phishing by placing a protective wall of authentication around systems that contain sensitive data or information that could be used in a phishing attack. By building systems that ensure that only legitimate users can access information, and by requiring users to authenticate that they are in fact legitimate users, many companies have successfully enabled their customers and users to conduct business, manage money, and pay online safely.
Q. Are HomeAway’s systems susceptible to being compromised by hackers?
A. No. We use a combination of encryption, monitoring, and other security devices and efforts to protect data in an owner or property manager’s HomeAway account.
Q. What has HomeAway done to protect the vacation rental industry from phishing scams?
A. HomeAway has worked hard to educate the industry by providing information via emails, our websites, and the Security Center. We continuously invest in technology to actively monitor fraud, to surface suspicious activity, and to harden our systems with the goal of protecting owners, property managers, and travelers. More recently, we have introduced new products, such as ReservationManager™ and Traveler Profiles, and processes such as Phone Verification to increase security.
Q. What is ReservationManager?
A. Accepting reservations via ReservationManager with credit card or eCheck (for U.S. residents) is the most secure way to process a booking on our sites. When the owner or property manager sends an email invoice via ReservationManager, travelers are able to make immediate and secure payments by Visa, MasterCard and Discover credit cards or an eCheck. When travelers pay with ReservationManager, their payment is 100% guaranteed up to $10,000 against Internet fraud.
Q. What is Pre-Payment Phone Verification?
A. If an owner or property manager is requesting payment by credit card, check, PayPal or bank transfer (outside of ReservationManager), we ask the traveler to call the telephone number published on the property listing page to confirm their reservation and payment details before paying. This is what we call “Pre-Payment Phone Verification.” If the listing does not have a phone number, we ask that travelers please contact HomeAway for assistance at 877-228-3145. Credit cards often offer charge-back protection for unauthorized payments.
Q. Why is Pre-Payment Phone Verification safer than email?
A. While phishers can get access to an owner or property manager’s email accounts, getting access to a phone line is far more difficult. HomeAway’s security measures have made it virtually impossible for phishers to change the phone number on an owner or property manager’s listing. When a traveler calls that number, the traveler can ensure that he or she is dealing with the legitimate owner or manager.
Q. What is HomeAway doing to fight these scams?
A. Our efforts to fight phishing include:
- Safeguarding the traveler’s money by providing safe payment methods protected by strong security, such as ReservationManager™;
- Protecting owner and traveler email addresses so that phishers cannot readily target those accounts;
- Continuing to provide secure authentication so that HomeAway can ensure that only legitimate owners, travelers, and managers can access information; and most critically
- Moving interactions between owners or managers and travelers into a secure environment where everyone can be confident they are talking to each other, not a crook
In this FAQ, we refer to this proposal for a new system as “HomeAway Secure Communication” which is further described below.
Q. What is “HomeAway Secure Communication”?
A. HomeAway Secure Communication is a security measure that we are working on and plan to launch in the U.S. later this year. It moves communications between owners/property managers and the travelers who want to inquire about or book their properties into a secure, authenticated environment on the HomeAway system. With HomeAway Secure Communication, owners or managers and travelers will be able to KNOW that they are talking to each other, and not to a criminal. This proposed system is similar to sites you may use, like Facebook, LinkedIn and others, where authentication is required by both parties before they can connect. On these sites, once two parties have decided to “trust” each other, they can converse via email. But until trust is established, they CAN still communicate keeping key elements of their identity protected.
Q. Will this require me to change the way owners and managers respond to inquiries, interact with travelers, and manage their businesses?
A. We recognize that many of our customers rely heavily on email to manage their interactions with travelers. We also know that a system like this will represent a significant change for many owners and property managers. We are highly sensitive to the needs of our customers, aware of the scope of change that this solution represents, and laser-focused on making this solution as convenient and beneficial as possible. We are counting on you, our customers – the managers and owners – to help us design and implement a solution that improves the efficiency and effectiveness of responding to inquiries and managing communications with your customers – the travelers.
Q. What will be the benefits of HomeAway Secure Communication?
A. Our current thinking is that the system will enable owners and managers to:
- communicate safely with travelers and only reveal their email address when they choose to;
- have a persistent record of the conversation, payments, and other events that have occurred;
- manage their conversations, bookings, and payments via mobile app; and
- reduce manual and repetitive work for responding to inquiries, sending information about properties, and managing bookings and payment.
Q. What is the current status of HomeAway Secure Communication?
A. HomeAway Secure Communication is in active development. We showed an early prototype of the system at the HomeAway Summit during the HomeAway Sneak Peeks session.
Q. What is HomeAway’s approach to rolling out HomeAway Secure Communication?
A. We are committed to shipping HomeAway Secure Communication as soon as possible to help to protect our travelers, owners, managers, and the vacation rental industry. Our plan is to develop HomeAway Secure Communication in collaboration with our customers, the owners and property managers who we serve. We plan to get feedback to make sure that the system meets two goals: protecting the vacation rental industry and enabling our customers to efficiently manage their business.
Q. How can I give HomeAway feedback?
A. Here are a few ways:
- You can post to the “Secure Communication” community group for discussions about the topic;
- you can send us direct feedback via the feedback links on our sites; or
- you can email us at Secureemail@example.com
Q. How else will HomeAway solicit feedback?
A. We will use a wide range of tactics, including the Community web site, surveys, focus groups, 1:1 meetings, and our customer advisory boards to acquire feedback from our customers.
Q. When can we expect to be able to use HomeAway Secure Communication?
A. We plan to be testing the system over the summer and expect to roll it out in the U.S. in 2013.
Q. How long will it take before HomeAway Secure Communication is fully rolled out across the HomeAway network of web sites?
A. Our goal is to roll out HomeAway Secure Communication across all of our worldwide brands within 12 months of the U.S. launch.
Q. I am a legitimate owner that has never been phished, why do I have to change the way I do business when someone else can’t keep their email account safe?
A. Phishing is an issue which threatens everyone who participates in the vacation rental industry. We believe that we need to lead the industry to a safe and trusted marketplace. While the vast majority of owners and managers are legitimate, and their email accounts have stayed safe, even a handful of ruined vacations and fraud can threaten the overall success of the vacation rental industry.
Q. Does this mean that HomeAway will have the email address of all of my guests?
A. Yes, we will need to have email addresses for guests that want to communicate with you via our system. However, travelers who inquire provide their email address in the inquiry form already, so nothing is changing in this regard.
Q. I need to respond to inquiries with my mobile phone, how will I do this?
A. HomeAway has already released an iPhone application that allows owners listed on HomeAway to securely log in to the app to respond to inquiries, using the custom emails that they have saved inside of their dashboard. To download the application, go to iTunes. We plan to enhance this mobile application to support HomeAway Secure Communication.
Q. Does HomeAway Secure Communication mean I need to take payments using ReservationManager?
A. No. We believe that you should have the choice to take payments by check, credit card, PayPal, or any other payment method as you see fit. When HomeAway Secure Communication is available, you will have your choice of payment methods.
Q. Will I have to log in to respond to inquiries?
A. Yes. In order to protect your email address and to protect you from phishing, you must log in to your dashboard to respond to inquiries. Inquiries will no longer have the traveler’s email address in the body of the inquiry email, and if you reply to the inquiry using your email client, it will be sent to DoNotReply@homeaway.com.
Q. How will I know if I have an inquiry from a traveler?
A. You will receive an email notification and an SMS notification on your mobile phone that you have an inquiry. In addition, if you are using the mobile app, you will receive an alert as well.
Q. Will travelers have to log in to respond to each message?
A. Yes. In order to ensure the legitimacy of travelers, and to protect owners and property managers from phishing attacks, we will need to require travelers to log in.
Q. Will I be able to see the email address of my travelers?
A. Yes. Our current plan is that you will be able to see the email address after you have logged in and responded to the traveler’s inquiry. We look forward to working with our customers to refine our plans for HomeAway Secure Communication.
Q. I am a property manager; will I need to log in as well?
A. We anticipate that many property managers will use the HomeAway Secure Communication system. Others will establish a trusted relationship with HomeAway so that they can directly receive inquiries via secure and trusted technical integration. We look forward to working with the property management community to design a solution that will work for their needs.
Q. Will other vacation rental web sites move to HomeAway Secure Communication?
A. We believe that the vacation rental industry, like online banking, online payments, and e-commerce before it, will move to a secure system over time. We look forward to working with our customers to design a solution that will work for the vacation rental industry as a whole.
Q. How can I avoid getting phished before HomeAway Secure Communication rolls out?
A. If you receive an email that looks suspicious and claims to come from one of the HomeAway brands, please call us at 1-877-228-3145. If you receive an email or message that asks you to enter your username and password for your email provider, close that window and sign into your email account from the email provider's website.
Q. I think I’ve identified a bogus inquiry, what should I do?
A. HomeAway continuously invests in trust & security technology to detect spam and scam inquiries, but even so, occasionally sophisticated spam attempts get past our filters. When you receive a fraudulent email, please let us know.
Q. Where can I learn more about HomeAway tools and processes for security?
Q. Before HomeAway Secure Communication is available to me, what can travelers do to better protect themselves?
A. We recommend that travelers call the telephone number published on the property listing page to confirm your reservation and payment details. If the listing does not have a phone number, please contact HomeAway for assistance at 877-228-3145. You can also purchase the HomeAway Carefree Guarantee, which covers phishing.
*Please note that the FAQs relating to the HomeAway Secure Communication system reflect our current plans and goals. The way the system will work, timing and branding are subject to change based on various factors such as our testing, feedback and development work.