Phighting Phishing

    Phighting Phishing


    The phishing storm is brewing


    The holiday rental industry gathered in Austin, Texas last weekend for the US HomeAway Summit. Owners, Property Managers, HomeAway staff, and HomeAway partners discussed the state of the holiday rental industry, saw old friends and made new ones, and compared notes.


    But this year, a new word entered the conversations in the halls, over drinks, and in the content of the Summit: phishing.  Phishing, loosely defined, is the attempt by criminals to steal your online identity, most frequently via accessing your email account. While our industry continues to thrive, the threat of hackers gaining access to owners’ or property managers’ email accounts continues. If we do not pull together to fight this threat, it will affect the way travellers feel about the holiday rental industry, and ultimately, about booking your property. A storm is brewing.


    For some, the storm has already come – just ask anyone who has had their email password phished. Scammers have intercepted enquiries, and ruined holidays by stealing money from trusting holiday rental travellers.  Owners and property managers have had to scramble to re-secure their email accounts and protect their reputations. And the reputation of the holiday rental industry is in question.


    Today, losses due to phishing are small: in Q1 2012, phishing scams affected less than 0.1% of travellers who found a holiday rental via a HomeAway website. 


    But even one ruined holiday or theft of an owner or property manager’s identity is totally unacceptable. Everyone in the holiday rental industry – from

    owners to property managers to HomeAway – has a role to play in stopping phishing scams.  While phishing may be a relatively small problem in absolute numbers, recent activity tells us that the phishers are getting smarter and more travellers, owners, and managers are being affected.  It is clear that scammers and criminals have figured out that the holiday rental industry is a great target.


    Why? Because:


    • the standard practice in the holiday rental industry is for travellers to pay large amounts of money for holiday rentals, long before the stay and sight unseen;
    • not everyone understands or uses safe and secure payment methods;
    • many people conduct their business in email accounts from email providers that have been repeatedly compromised; and
    • cybercriminals are good at exploiting communities that rely on trust and a personal connection.


    Phishing is not new; holiday rentals are not the first industry to be targeted by cybercriminals. Phishers have attacked many online industries ranging from online auctions, banking, social media, travel, e-commerce, even medical and government institutions, impacting major brands like eBay, PayPal, Barclays, Wells Fargo, Chase, and Bank of America.


    Everyone of us in the holiday rental industry has a lot at stake, and we will all need to work together to stop phishers.  You can do your part by guarding your email password with the same care as you protect your social security number, your bank account, and your most valuable possessions.


    Our vision on how to fight phishing


    So what can HomeAway do to fight phishing?  To be clear, we’ve been fighting scammers ever since HomeAway was founded.  But as we look ahead, we have come to the conclusion that HomeAway needs to take a strong stance against phishing.


    We believe that we can fight phishing by:


    • safeguarding the traveller’s money by providing safe payment methods protected by strong security;
    • protecting owner and traveller email addresses so that phishers cannot readily target those accounts;
    • continuing to provide secure authentication so that HomeAway can ensure that only legitimate owners, travellers, and managers can access information; and most critically
    • moving interactions between owners or managers and travellers into a secure environment where everyone can be confident they are talking to each other, not a crook.


    Our vision is that we can create an environment where we can protect owners, property managers and travellers with something we are calling “HomeAway Secure Communication.” This would be a new system, envisioned only in the last few months, and which is now in development.


    This proposed system is similar to sites you may use, like Facebook, LinkedIn and others, where authentication is required by both parties before they can connect. On these sites, once two parties have decided to “trust” each other, they can converse via email. But until trust is established, they CAN still communicate keeping key elements of their identity protected.


    In our vision, owners and travellers would still receive notifications and messages from each other via email and text message, but they need to reply via a secure system that does not disclose their email address.  This way, HomeAway would be able to ensure the legitimacy of the owner or property manager and the traveller.


    We’ve already started: we showed one early prototype of HomeAway Secure Communication at the US Summit during the HomeAway Sneak Peeks session. We demonstrated how the system will enable owners and property managers to:


    • communicate safely with travellers and only reveal their email address when they choose to;
    • have a persistent record of the conversation, payments and other events that have occurred;
    • manage their conversations, bookings and payments via mobile app; and
    • reduce manual and repetitive work for responding to enquiries, sending information about properties and managing bookings and payment.


    We recognise that many of our customers rely heavily on email to manage their interactions with travellers. We also know that a system like this will represent a significant change for many owners and managers.


    But it is precisely because your email account is so critical to your business that it must be protected.


    We are highly sensitive to the needs of our customers and are aware of the scope of change that this solution represents. We are also laser-focused on making this solution as convenient and beneficial as possible; but we are counting on you, our customers – property managers and owners – to help us design and implement a solution that improves the efficiency and effectiveness of responding to enquiries and managing communications with your customers – the travellers.


    We’re doing something different than what we normally do. We are announcing our intentions and inviting our community and customers to participate in the process of creating a solution because we believe it is critical to your future success as an owner or property manager: if travellers don’t trust, they will not rent. 


    And if you have ideas, you can give us your feedback directly by emailing us at or via the feedback links on all of our sites. While we don’t respond to every email we get, we do READ every one. 


    If you want to learn more about our vision for HomeAway Secure Communication, check our FAQ here.


    And please sign up for the Secure Communication group on Community from HomeAway to join the discussion – we’ll post updates there as we go forward.


    What can I do now to fight phishing?


    We all have to pull together to fight phishing. HomeAway has worked hard to educate the industry via emails, messages on our website, and via the Security Center. We continuously invest in technology to actively monitor fraud, to surface suspicious activity, and to harden our systems and protect our customers. More recently, we have introduced new products, such as Traveller Profiles, and processes such as Phone Verification to support safety.


    Here are a few steps you can take now to join in the fight:


    Educate yourself – visit our Security Center to learn about phishing

    Read our article to learn how to spot fraudulent enquiries

    When you receive a suspicious enquiry or email, please let us know

    Include an up-to-date phone number on your listing. We recommend that travellers call the telephone number published on your property listing page to confirm their reservation and payment details

    Use two-factor authentication on your email accounts. See this article on how.

    Never enter your email password on any webpage via a link sent to you by email, or even if a login page that looks like your email provider’s website pops up unexpectedly. Always go to the email provider’s website to log in

    And don’t ignore warning signs or red flags - if you have a bad feeling, it never hurts to double check


    Together we can fight this threat to the holiday rental industry, and we’re counting on you, just like you count on us.



    Tom Hale

    Chief Product Officer