So this is how you would like to communicate with your guests? You want to always send your email to someone else first instead of communicating directly with them? What if you want to send them a Christmas wish email? Do you send it to Flipkey so they can forward it to them?
I wonder if the guests get confused as to who they are really communicating with. Looks like junk email address to me. How do they know the diferrence?
We pay to advertise on your site HA/VRBO. A guest is interested in our property. Let us know who it is and then leave us alone! You (HA/VRBO) have done your job! The more complex the transaction becomes the less likely we are to receive inquiries. If we got to start using some super secret hand shake code, do we really think that will make most guests comfortable with the transaction. Ah yes, that email came from slkfjsldkfjoiueoire89*&*608968s.homeaway.com. It must be Randy!
If you (HA/VRBO) don't want to be responsible for sending us our guest information , then at the least send us an email with everything except for the personal stuff like name, phone, and email address. We can check out guest inquiries and get what we need from there. Then we can communicate with our guest however we see fit. Don't want to see this happen (think over kill) but I think it is better than using third party (HA/VRBO) to communicate with our guests!
I wonder what the current statistics are of HA/VRBO emails getting intercepted and fraud occurring?
On Owner's response to Inquiry, Owner always has the option, if desired, to ask for Traveler's email address and whatever information Owner desires. That is his/her business to conduct. The coded address is used only when Owner or Traveler hit the reply button in their email client, but it doesn't preclude them from asking for the other's email address.
Addendum: actually, all the information is supplied to the Owner. Whatever data fields the Inquirer filled up when sending the inquiry is sent to the Owner including Traveler's email address.
I experimented with Flipkeys coded email address and didn't find any security improvement after all. So, I'm wondering why they made the change.
Looking at the Inquiry, I copied the entire contents of the Email Inquiry (body, coded email return address, subject), and pasted it to my wife's email address, then composed a reply & sent. This is the kind of thing that a scammer might do in intercepting a phished email account. I was hoping it will be intercepted at Flipkey's Email Redirector, but it didn't. It went through. Not impressed with this change after all.
FWIW, I received my first FlipKey inquiry today and the email address was still contained in the body of the email and I was able to reply directly to the guest using their non-encrypted email address.
There is also a reply button in the body of the email that appears to re-direct through the site (and I did have to log in) for those who wish to do so.
Seems the new FlipKey re-direct isn't yet universally deployed.
Also FWIW, while I much prefer direct email, it would be acceptable to me, personally, to have the email re-directed via FlipKey or HA for the initial email if that would placate those concerned about phishing. At least that method wouldn't bring my business to a grinding halt.
While I feel as a kindred spirit with pcb-randy, in this case I actually think FlipKey has struck a (barely) acceptable balance if what tfv describes is rolled out. I don't see the necessary connection between the encrypted email and identifying owners or guests...
Still I think it would be better to address phishing and fraud at the root-cause level rather than inconvenience owners and guests with any of these stop-gap schemes.
Owner's receipt of Inquiry shows an encrypted email address for the inquirer, and upon hitting reply, the encrypted address appears at the "to" field. I therefore assume that owner's response is first routed to Flipkey and then forwarded to the inquirer. Likewise, upon inquirer's receipt of owner's response, the "from" field shows an encrypted email address, and upon hitting reply, the encrypted address appears at the "to" field. Therefore, communications back and forth between owner and traveler, so long as both of them uses the "reply" button, goes to Flipkey first, before it is forwarded to the intended recepient. For what purpose, I can only assume there must be some security purpose; however, I haven't yet figured that out.
The owner is able to see all data fields that the inquirer answered, therefore inquirer's email address is shown in the body of the inquiry. Likewise, inquirer is able to see the owner's true email address somewhere at the lower part of owner's email. Now assuming, owner's email credential is compromised due to phishing, scammer would be able to view the inquirer's email address and will have the ability to communicate to inquirer. So, it puzzles me as to what purpose is Flipkey implementing this change.
Since communications between owner and inquirer goes through Flipkey first, before it is forwarded to recepient, Flipkey should now have the means to perform some checking for bonafide owner and inquirer, but as to what exactly it is doing, I still haven't figured that out.
One thing that is becoming clear, HA/VRBO customers are not pleased with the forced changes and penalties imposed upon them when they do not use what HA/VRBO thinks is best for us! I talked to a friend yesterday and he told me that he has pulled all his listings from HA/VRBO and is using Flipkey. He has been getting great responses and is booked until fall for all his properties.
I know what HA/VRBO is probably thinking about - not everyone will be happy with our changes but it will just be a few so we will be ok. Isn't that what Netflex thought about its customers when they changed their plans and pricing?
A great business never loses site of the customer and listens to what they have to say! A company that thinks it is great, does what it thinks is best for its customers!
Randy, I agree with much of what you have said in your posts throughout this thread. But, Netflix is not a good example to cite to Homeaway as reason not to change policies. Just recently Netflix was touted in many financial columns for it's successful efforts to increase it's customer base and the stock jumped in value. I think I read somewhere that it reached a new 52 week high (?). Not to say Netflix is the success it was or could have been prior to the shake up, but it's hardly been the disaster that was predicted at the time of the botched decisions. Many users have returned to Netflix - is there an alternative available - do customers really have a choice?
As an owner that advertises one vacation property on homeaway and vrbo, and manages all aspects of the rental process independently, I am distressed with the systemic changes that are, in my opinion, making my property unattractive to prospective guests.
I'm waiting to learn how the changes in progress will work and how someone who uses the site for advertising will be able to function.without having to participate in and purchase services they do not wish to have.
And the quesiton becomes - is there an alternative available and will customers (owners) have a choice?
The likely answer: no.
I too, will consider dropping my membership with VRBO. I ALWAYS do an internet search on the inquiry name and email address and telephone number. I just did this last nite, and have "round filed" the inquiry due to the telephone being in the pacific ocean and the email address associated with nefarious activities.
This is so not acceptable. Please do not implement.
This is getting ridiculous with VRBO...if we have to sign into our dashboard, then let's fix the sign in process. I just had a cancelation and need to sign in to delete the reservation and I can't even do that. So now I have next weekend available but I can't delete the reservation to show its available. VRBO has been having a lot of sign in issues and then when you do finally get logged in, it takes forever to enter a new reservation in. It either locks up or it won't enter in the correct information.since VRBO has increased its yr rates, it seems they have had more issues and you can't just log in, enter in your reservation and then you're out. I've heard a lot of good things about flip key and I see a lot of my neighbours listing their rentals there and it's a heck of a lot cheaper. With the economy so bad these days, I need to watch every Penney!
We too use FlipKey/TripAdvisor and like it a lot. It even has a Reservation Manager system with credit card processing from VRP, same as HomeAway/VRBO. And they don't have multi-level pricing. Everyone pays the same, and sort order is by number and rating of reviews for the most part.
That being said, I have never had any issues logging in with HomeAway/VRBO, although I usually stick to HomeAway for making reservations. Also Kathy, are you sure after you canceled the reservation and it showed as "canceled" in your Dashboard, that it still showed as booked in the guest view on the site? If you pull up your listing via the direct link like any traveler would, does it show as booked or available?
Just another thought - since VRBO technical support is only available from 7am to 7pm central time, what do we do if we received notification that we have an inquiry waiting for us but we can't log into VRBO for some reason to see it and it is after 7pm central time? Wait until 7am central time to follow up on an inquiry?
As a traveller who actually lost money to a phisher, I read this news about Homeaway's new secure communication system with relief (and quite a bit of anger that it has taken so long).
Reading through your messages, I can understand how this adds an additional burden when responding to inquiries. If you are posting on this thread, you are probably among the few homeowners who would not fall for a phishing email. Unfortunately, your fellow homeowners are not-so-savvy. These phishing scams work by two different means - by getting a homeowner to login to their Homeaway account on a fake login screen, or by sending an email with a link to a page telling the homeowner that their yahoo or gmail session has expired, prompting the user to reenter his or her email login credentials. The crooks block inquiries coming to your email account, either by diverting the emails directly through the Homeaway site or by putting in filters in your email account to filter out any inquiries from Homeaway.
You should be aware that when a homeowner falls victim to phishing, and travellers lose money, Homeaway's first course of action is to wash their hands of the matter and tell travellers to seek restitution from homeowners (even if that means small claims court). I am in contact with several other victims, and all have had the same experience. Homeaway sends out a form email disclaiming liability. If you call, they ignore you, take days to respond, promise phone calls back and never call. While their legal liability is an open question, I can tell you that the system as it stands is, unquestionably, a customer service nightmare. Homeaway estimates $1 Million of transactions affected by phishing for 2012, but that's doesn't count the $1M of lost income for homeowners, or the additional money homeowners lose when they are pressured to compensate the victims. Here is a telling excerpt from an article I'm sure most of you have seen:
"... because HomeAway is the world's largest online marketplace for the vacation rental industry, it can dictate the terms of compensation and compel them to quietly accept them... One rental management company representative told me that her company spent thousands of dollars compensating customers who lost $2,000 to $2,500 apiece in five separate phishing incidents last November. It had no choice: More than half of its business comes from HomeAway, which was threatening to pull the management company's listings if it didn't compensate the defrauded customers. HomeAway says it wasn't involved in any settlement matching that description and that at any rate, the rental management company's interpretation of its view is distorted." http://articles.chicagotribune.com/2012-04-03/travel/sns-201204031630--tms--traveltrctntt-b20120403apr03_1_homeaway-phishing-rental-owners/2
When I tell people I know about how this scam works, they are astounded. Nobody wants to use Homeaway! Even WITH the knowledge that they should never wire money, people just don't want to use that form knowing that some crook is going to learn when they are going to be on vacation. If people are going to use any kind of electronic communication, they need to feel that they are communicating with a legitimate homeowner or rental company.
Yes, email is easy. It is also extremely vulnerable. It was never a safe way to communicate with renters, and the platform should never have been designed with this vulnerability in place. Just like people got used to riding in cars without seatbelts, you have gotten used to using email for business transactions that are highly vulnerable to cybercrime, and that has to change.
Wow, very interesting article Jen! I once had one of my e-mail accounts hacked (not the one used for vacation rental business though) and they set my settings to forward all the mail from the server to their e-mail address and delete it from the server so that I never got it. It was only after some time that I realized I was not getting mail from one of my addresses regularly that I discovered this.
I would like an opinion however that if no traveler ever wired money to a homeowner or property manager ever again, would their still be a risk? If say they took a check they would be revealing their identity (or a paper trail to it) and if they used a service like PayPal, VRP or some other credit card processor would that processor be responsible or at least likely to reverse the charge and refund the money, and would that also provide a trail to the perpetrator??
Sorry to hear about your loss! What I don’t understand is why you are relieved about this new secure communication system that is being proposed.
First, we haven’t even seen anything from HomeAway to tell us what they are planning to do. All we have seen is speculation of what they might do and what homeowners do or do not like about this speculation. Second, based on your explanation of the two different means phishing scams work, the proposed solution will not be any more secure. How would it stop people from still signing in to their HomeWay account with a fake login screen? How would it stop people from responding to fake emails telling them to reenter their email login credentials?
Last, with the proposed change do you think HomeAway will take on any additional responsibility for fraud? My guess is that if you read the small print, they will protect themselves! I’m not saying that nothing should be done. I’m just not sure that we understand their real intentions and if the changes they make will be any more secure. I’m not convinced that the additional steps will make us any more secure and I know it will delay my response to my guests.
To answer your questions pcb-randy:
1. I should have been clear, I from the stories I have compared, I believe that the primary means by which the scam is executed is via email. If homeowners no longer receive inquiries via email AT ALL, then if a homeowner does get some kind of phishing email, it no longer looks legitimate. An inquiry from a renter purporting to contact you about a rental would look, to a homeowner, more like that email from your great uncle in Zimbabwe - its unsolicited. Currently the phisher (or phishers) are duplicating the form that comes from Homeaway with your inquiry, so it looks very legit. We all know that banks never ask for credit card or banking information via email. Now you, the homeowner, will know that any email inquiry you get is not coming legitimately from Homeaway - there is no form they can copycat. Furthermore, if all communications about the rental are required to take place on the Homeaway secure site or by phone, as a condition of use, then what good are the email credentials to the scammer?
2. The Homeaway login will probably add extra authentication steps to its Homeowner login, just like your bank. This is the way everything is going. So it won't be as easy to steal Homeaway login credentials.
Swlinphx - Many people raise this question about wiring. It seems like the obvious solution - just don't wire money! I have a few arguments there.
(1) Sites like Homeaway, VRBO etc. have such good search functionality that people can increasingly use them for rentals that begin on fairly short notice. So when someone posing as the homeowner via email says that they need a quick payment if they are going to get the house ready in time, a renter feels the need to accommodate and take steps to prove that they are legitimate and acting in good faith.
(2) I think its hard fo any renter to understand WHY wiring is risky when you have all this information on Homeaway (impossible to falsify) about a house that tells you its legit! I think it is very hard for a typical renter to understand that when they find a 5 star listing that's been on Homeaway for years, with stacks of stellar reviews, that they need to be skeptical of any request that a "homeowner" might make. As a renter, I recall thinking, "Well, this is a businessperson. What the heck do I know about the risk they take in accepting checks by mail from perfect strangers or the cost of accepting credit card payments?" I felt that the high ratings and long history of the rental I booked were sufficient to protect me. I initiated the inquiry from the most reputable site in the industry, I got a reply. Why would I question what a homeowner feels they need to protect themselves against somebody who doesn't have the money? It seems to me that I have lots of ways to assure myself that a listing is A-OK, but a homeowner has fewer ways to check on me. Why do I want to rock the boat and risk losing my rental by ticking off the homeowner by telling him or her that a wire is an unreasonable request? There is an implicit imbalance of power in these communications that make that wire request look fairly reasonable when it happens.
(3) Last, because of the way the site is currently built, Homeaway only warns renters about wire transfers at the time of inquiry. A typical user might send an inquiry, vet it out with his or her family and friends, spend a few weeks comparing properties, and then eventually contact the homeowner to book the property. Warnings about how to protect yourself from fraud that came weeks or months ago aren't overly effective, especially when the warnings say "Don't wire money" and stop there without offering any context to make sense of that warning. The warnings could say "This form will go to the owner via email. We cannot guarantee the security of this transmission. Please be aware that scammers can and have intercepted email communications and have posed themselves as homeowners. Always call. Never wire money." How simple! But that would cost Homeaway money, no? Much cheaper to keep the warnings thin and let homeowners and renters bear the cost. Are they providing a valuable service if they rely on email and then pass the buck when that falls apart? Heck no.