To provide prospective renters with some level of comfort (better than nothing) that it is safe to communicate with me as an owner, I added the following verbiage in my website and email signature.
In my website, I have the following lines:
We use secure means of communication to help protect the security of our clients. You can be sure you are communicating with a verified owner of this property if his email address is at EmailPrefixName at ProviderName dot com and the phone number at signature matches the number at owner’s website.
In my email, just below my Signature, I have the following:
We use secure means of communication to help protect the security of our clients. It is important to know that you are dealing with a Verified Owner. Check that the email address is the same in all correspondence & the phone number at signature is the same at owner’s website.
swlinphx - I'd say you're right: for the most part, scammers are at least smart enough to make efforts to hide their identity so they can't be caught. But if you're in certain countries where laws and international cooperation are minimal, you can get away with it even if your identity isn't all that well hidden.
Wire transfers are obvious red flags, and the general population is getting smarter about them. But checks are just as vulnerable.
There's no problem depositing a US check in a German (or Russian, or Nigerian) bank. The funds may not be accessible for an extra 3 or 4 days, but if you run the scam for a week and get 8 or 9 checks, wait for them to clear, and then close the account, you're pretty much free and clear. Germany might cooperate with US authorities to try to track down a scammer who did this. But Belarus? Not likely. All you need is a Mailboxes Plus address with automatic forwarding and an overseas scammer can get anyone to believe they are sending their checks to a US based owner.
And then there are the cash checking stores across the US that US based scammers can use. Sure, the check cashing stores are good at blocking forged checks, even stolen checks. But a legitimate check that won't be investigated until 2 months after the scammer took it in for payment? They just need to move around and do their check cashing in different places each time.
All my jibber-jabber above is simply to say: a check is no safer than a wire transfer (whether it be bank to bank or cash-based money order).
Credit cards are a different beast because they are managed by a consortium that agrees to cooperate across international lines (unlike banks which are only obligated to follow local laws). I still feel funny making a payment through PayPal since I know their barrier to entry for creating an account is so low, but at least it's better than giving my credit card info over the phone to someone I've never met. In fact, as a homeowner, I've dropped my bank merchant CC account in favor of using HA's processing, since I had a few guests who were apprehensive about giving card info to an "anonymous" person on the phone.
Q. Are HomeAway’s systems susceptible to being compromised by hackers?
A. No. We use a combination of encryption, monitoring, and other security devices and efforts to protect data in an owner or PM’s HomeAway account.
Ha, ha, ha, ha. I laugh so hard. Countless companies, bigger and more technologically sophisticated than HA, have been hacked and had personal data of their users compromised. The best protections against hacking/phishing are to be smart, and be so small that one does not attract attention. The larger the target, the more willing will be cyber criminals to put the time and effort into defeating their security.
This scheme would ill-serve owners and guests. My objections are too numerous to list.
Sage, pcb, info - you guys are Super.
Super-security-techno-geek got-it-covered computer guys (or gals). I'm not being sarcastic when I say that - I mean it as a compliment in that you are smart enough to recognize the scams, the phishing attempts, the malware trojan horses, and all the other ways that a thieving scammer might try to hijack your clients. You are diligent in keeping things secure, even though it means extra work. That's a huge differentiator. I know very few people as dedicated as you guys must be.
There is also a MUCH larger group of "I don't have a clue" homeowners out there. They know they're sitting ducks, and will take any help they can get to make sure they don't become a cog in someone else's scam machinery.
And then there are fools like me, who think I know enough to never get taken advantage of. A bit too confident, a bit too cocky. A bit too gullible. I'm not as diligent about security, or more likely I'm just too lazy to always lock every door and remember my keys to re-open them when I get home again. We're kind of like the people who are secretly thankful for the brake pedal / shift interlock on the starter of our car - we know better but sometimes we turn the key without our foot on the brake. Unfortunately, I think the group of people like me is an even larger group than the I don't have a clue folks.
So what can a company like HA do? Forget about whether "owner impersonation" is a real problem or not and just assume that it is. It's HomeAway's prerogative to make this a defining issue for themselves.
And so, how do you design a system that will provide the kind of protection that the cocky fools and I don't have a clue people need (and is easy enough for them to learn how to use) while still providing an escape valve for the Super Security people who already have the bases covered with their own methods? Effectively, two parallel communications pathways?
Here's the Catch: How do you set it up so that the lazy, cocky fools like me don't just opt for the escape valve path even though I don't have half the infrastructure knowledge and diligence that the Super Security people do? Because I'll bet you the majority of the cocky folks will take that escape valve simply because it's easier and doesn't require them to change what they're comfortable doing already. Seriously, us cocky fools are the problem.
Two communications pathways requires that they determine:
- How can they come up with a solution that channels everyone into something more secure (again, let's not get into how much more secure), while still letting the truly capable have an escape valve?
- How do they validate that those who claim they are capable REALLY ARE CAPABLE of handling communication security on their own?
- How will they make sure people don't just pass the initial test and then let things slide after they've gotten approval to take the escape valve?
- How will they justify the cost of maintaining two separate, parallel systems?
Or do they just estimate their potential losses and develop a system without a safety valve for the super security folks - knowing that those who won't accept a single solution will leave for a different service altogether?
>> There is also a MUCH larger group of "I don't have a clue" homeowners out there.
>> They know they're sitting ducks, and will take any help they can get to make
>> sure they don't become a cog in someone else's scam machinery.
I don't think so. The world is getting tech-educated very quickly and, as the new generation that grew up with this stuff starts taking over, scams that rely on obvious techniques like phishing will be relegated to the files of history. I'm much more worried about the impact of a centralized database held at HA offices -- those will be the real target of the new, even more sophisticated hacker.
Additionally, Homeowners renting on HA, VRBO, etc. are no more exposed here than anywhere else on the Internet. If they're sitting ducks here then they're sitting ducks everywhere online, in any store where they use a credit or debit card, etc. If they really are sitting ducks here, they should simply walk away from all online activities -- and that's a clear overreaction. We are truly blowing this out of proportion.
>> How do you set it up so that the lazy, cocky fools like me
>> don't just opt for the escape valve path even though I don't have
>> half the infrastructure knowledge and diligence that the Super
>> Security people do?
There have been several solutions proposed in this forum that strike a balance between the super-security that HA would like to implement (that will grind our businesses to a halt without offering any *real* protection) and the 99% solution that will deflect most scams and not impact our businesses.
>> Unfortunately, I think the group of people like me [paraphrase: who
>> don't consistently employ commonly expected security measures ]
>> is an even larger group than the I don't have a clue folks
But what you describe, I would consider to be negligence. If you don't properly lock your e-mail (i.e. use a strong password and change it often) and you're running a business with that e-mail then you are being negligent. Lock that metaphorical door! It's your responsibility when running a business. Maybe -- for the first time -- I see why HA wants owners who get their e-mail hacked to compensate guests who lose money. If we're not doing our part, we put them in a bad position. Shame on us if that's the case.
>>You are diligent in keeping things secure, even though it means extra work.
The only extra work I do, personally, is to delete obvious scam e-mails. I get a few every week. Click-delete. There's nothing to it.
We are not "Super Security" people. There is no special knowledge required to protect yourself from a phish.
Anyone who has visited and read this thread will have all the tools to protect themselves. It is a falsehood that this is rocket-science. One requires only common sense and some due diligence.
Instead of completely redesigning the owner/traveler interface, why can't HA just generate a weekly inquiry to every listing and compare the email from the owner's response to the email HA has on file? If an "owner" response is received from a different email, HA can call the owner and figure out if his/her email has been hacked. Owners would need to register all possible email addresses that they might use with HA.
The test emails would need to vary a bit in time and content, of course, so they would not be detectable by the scammer or the owner, but this is a relatively simple programming job for HA. Yes, it would be one more email to deal with each week for us, but heaven knows we get enough non-productive inquiries anyway, so one more won't be noticed. It would be far less work than having to log in to the dashboard, and it would address the privacy issue several of us have raised about HA having access to our owner/traveler communications.
Nah, I've thought about it, but decided against it. I didn't want to unduly alarm prospective guest and didn't want to overextend my warning. The verbiage I have is sufficient itself in my opinion.
I understand, but I thought you might want something to fall back on that protects you should this happen and the guest (or HomeAway, VRBO, etc.) holds you financially accountable. If this happens a lot and that one statement protected you legally, it'd be worth it.
>> why can't HA just generate a weekly inquiry to every listing and compare the email from the owner's response to the email HA has on file?
That's an interesting idea. Of course, that doesn't protect against the many scammers who can spoof e-mail addresses (just like they spoof Caller ID) to fake where an e-mail is really coming from. HomeAway would have to have a good system that doesn't just look at the e-mail address given in the "From" field but the entire pathway in the long headers to detect spoofing.
Come to think of it, I've had my PayPal account compromised (thousands of dollars drained from online PayPal account which in turn proceeded to draw from my linked bank accounts once they depleted that) in the space of an hour, as well as my eBay account once (someone bought a computer from a legitimate seller using my screen name) and my outside e-mail address, which I mentioned before had the password cracked, changed, and all mail forwarded to their address while simultaneously deleting them from the server so my client never got them or knew they ever existed. I guess I should be more gun shy but in each case I was able to resolve the issues. For PayPal, I now use key cards which use algorithms to generate six-digit numbers that I need in addition to my password to access my account.
The key is to be diligent to prevent the majority of attacks and then, if you are diligent like I am and still get compromised, to know that the company (like PayPal, eBay, your ISP, etc.) will back you up and not hold you accountable.
Anyone know the answer to (or care to comment on) my other question?
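The check discussed in the posts above (compare a test-inquiry reply with the address on file, but do not trust the "From" field alone), as an added example that is not part of any poster's message or of HomeAway's system. It assumes the receiving mail server records SPF/DKIM/DMARC results in an Authentication-Results header; the server id, addresses and sample messages are constructed, and the Reply-To check goes one step beyond what the posts describe.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.listing-site.example"  # assumption: id of our own receiving server
REGISTERED = {"owner@example.com"}            # constructed: addresses the owner registered

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results, only from headers stamped by our own server.
    Assumes our server strips inbound headers that already carry its id."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # written by someone else, possibly the sender: ignore
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()):
            verdicts.setdefault(method, result)
    return verdicts

def classify_reply(raw):
    """Return 'ok' or the reason a reply to a test inquiry needs a follow-up call."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if sender not in REGISTERED:
        return "unregistered-sender"
    if auth_verdicts(msg).get("dmarc") != "pass":
        return "possible-spoof"   # From matches, but the sending path does not vouch for it
    if reply_to and reply_to not in REGISTERED:
        return "reply-diverted"   # answers would go to an address the owner never registered
    return "ok"

# Constructed sample replies (not real mail).
GENUINE = (
    "Authentication-Results: mx.listing-site.example; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "From: Owner <owner@example.com>\nSubject: Re: dates in June\n\nYes, available.\n")
SPOOFED = (
    "Authentication-Results: mx.listing-site.example; spf=fail smtp.mailfrom=bulk.invalid;"
    " dkim=none; dmarc=fail header.from=example.com\n"
    "Authentication-Results: sender-added.invalid; dmarc=pass header.from=example.com\n"
    "From: Owner <owner@example.com>\nSubject: Re: dates in June\n\nYes, available.\n")
DIVERTED = GENUINE.replace("Subject:", "Reply-To: bookings@other.invalid\nSubject:")
OTHER = GENUINE.replace("owner@example.com", "owner@examp1e.invalid")

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOFED", "DIVERTED", "OTHER"):
        print(name, classify_reply(globals()[name]))
```

The SPOOFED sample carries the registered address in "From" and a sender-supplied "pass" header, yet is flagged because only the receiving server's own verdict is counted.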
My bad - my apologies. The inquiry downloaded on the desktop (blame hubby). Once downloaded on desktop, it doesn't download on the laptop, which is what is generally use
Okay, wait. I'm confused. You are "downloading" inquiries as files? Or do you mean your e-mail client is pulling them from the server? Does this mean what everyone is saying about FlipKey requiring log-in to get inquiries "starting today" is legit or not? As you can see, wildherbs seems to have just confirmed this, or are they mistaken too? It gets really confusing when we hear about new rules and regulations here and it turns out to be just the poster's mistake, so I don't know what to believe.
I never really use check cashing places. Is there any way a person can write a check to someone (even if they are the scammer who the check is made out to, and who can prove their identity) so that the check can only be deposited and not cashed without being deposited? You could require the traveler to make checks out only to the name on the property listing, but then we have travelers make checks out to our business bank account which is under an entirely different business name.
Another question I just thought of: Does anyone know if HomeAway is accountable if one of their legitimate listers (advertisers) is a scammer and the traveler went through HomeAway and followed the right procedures but was nevertheless scammed? I realize this is less likely because the scammer would have to pay for a listing and then, as soon as they scammed someone, HomeAway would investigate and remove the listing immediately. However, if it was for an expensive rental and/or over a long period of time (say $10,000 total) the scammer could justify paying for a $400 listing for a profit of $9,600. Once banned they need only create a new account under a new name & e-mail address and start all over, scamming one traveler one time per listing, so that wouldn't work in our case.
I don't "worry" about sharing my traveler information with HA... I already use Reservation Manager and the inquirer already provides their information when they complete an inquiry form.......but I do agree with your other comments about marketing information. I have felt from the beginning of all these discussions regarding HASC that this was the real reason that this new system was being implemented and that security and phishing is secondary.
I've yet to seriously consider the implications of the following message from FlipKey -- but, at first glance, it seems like a well thought out and balanced response to the problems that some have encountered with fraud and phishing:
FlipKey writes to owners:
You will begin to notice that when you reply to a guest inquiry from your email account, the email is sent through a special FlipKey email address instead of the traveler's email address. But don't worry - your email will automatically be delivered to the guest, and replies from the guest will be delivered directly to your email account. Directing guest emails through FlipKey simply allows us to store all messages in your FlipKey account so you can more quickly access and manage your booking communications.
Your guest's email address and phone number are still included in the text of your inquiry email, so you can always contact them directly if you prefer.
Other benefits of this new feature include:
- Improved Email Deliverability. Our engineering team are email deliverability experts, which ensures that more of your messages successfully reach prospective guests' inboxes.
- Enhanced Security. Criminals are targeting rental owners' personal email accounts through a variety of techniques. If these criminals gain access to your email account, they can steal money from travelers inquiring on your property without your knowledge. By keeping your communications in a secure, private system, we're able to better protect your email account from phishing and email theft.
- Response Templates (Coming Soon!). You'll soon be able to use customizable response templates that let you easily respond to travelers with the click of a button. Better yet, as we learn more about how you communicate with your guests, we'll roll out even more new features to suit your specific needs.