This past June, Ben Grossman-Cohen began planning for a family trip to Hawaii. In search of an affordable place to stay, Grossman-Cohen turned to the international vacation rental site and AirBnB competitor, HomeAway. He sent out five inquiries using the site’s internal closed-loop messaging system, rolled out last January in order to catch advertisers who are trying to avoid the credit card processing fee the company charges.
Within an hour of sending his initial inquiry, Grossman-Cohen received an email from one advertiser verifying that the listing was available on the dates he requested. The email, which was from firstname.lastname@example.org, included Grossman-Cohen’s initial inquiry, working links and the correct details of both the listing and his personal information. Here’s the screenshot, which Grossman-Cohen provided to BuzzFeed:
He continued to correspond with the supposed owner via email, eventually agreeing to reserve the four-bedroom, four-bathroom beachfront loft in Kauai. Once the two agreed on terms, the advertiser, who called himself Piero L, provided Grossman-Cohen with a document entitled “Rental Agreement Confirmation” for him to sign.
The first lines in the document read, “Enclosed is rental contract and rules which is Copyright 2007-Present HomeAway, Inc. All rights reserved. Unauthorized contract usage is deemed as a copyright violation and subject to possible legal action. Contract belongs to owner property and comes with Carefree Guarantee Letter.”
Under a section labeled “Payment Methods Accepted,” the only option given was a wire bank transfer to a Barclays Bank account in the Kilburn, London branch. Still unsuspecting, Grossman-Cohen wired “Piero L” $2,762.50.
Days later, he found out it was a scam.
“The person who had replied to us initially was not the owner of the house and they had somehow gotten access to the incoming email of the homeowner through this phishing scam,” Grossman-Cohen said. “We contacted the bank in the U.K. and they said the person had closed down the account and they couldn’t find them.”
This is certainly not the first time a HomeAway user has been scammed in precisely this way and it doesn’t seem like it will be the last, on HomeAway or any of the other home-sharing and vacation rental sites that have delivered an existential challenge to the hotel industry over the past few years. Despite being a huge and growing industry, it remains largely unregulated and in a state of flux. (Earlier this year, The Wall Street Journal reported HomeAway cleared $346 million and AirBnB garnered approximately $250 million in 2013.) In New York, for example, AirBnB is currently embroiled in an ongoing battle over the legality of renting out homes and apartments in the city.
It’s precisely because the industry has remained relatively free of regulation that it has become an easy target for scammers, particularly because of the high cost of each listing. Even as the industry leader, AirBnB is not immune to these types of phishing scams, which eventually led the company to require all users to verify their identity with a government-authorized I.D. However, in the U.S. phishing can be prosecuted as a form of criminal identity theft as well as a federal fraud offense.
An examination of HomeAway scams turns up other instances as well as a closed Facebook group created to provide support and resources for victims of rental scams on VRBO and its parent company HomeAway, which has 189 members. Beth King, a vacation rental advertiser in Indonesia and the administrator of the group, has gathered 101 victim files and reports from members of the Facebook group as well as others who stumbled upon her contact information. According to King, the files indicate these scams are a part of a network of fraudsters as opposed to a series of independent actors.
When BuzzFeed contacted HomeAway, company co-founder Carl Shepherd contended that of the site’s more than 1 million listings, only .02 percent “result in traveler loss from phishing.”
During the company’s first earnings call in Q1 of 2012, HomeAway C.E.O. Brian Sharples said phishing scams affect approximately $1 million in transactions. Granted, at the time that amounted to just .1 percent of the company’s total transactions. But given that an average booking costs an estimated $3000 to $6000, that represents several hundred scams in a single year, each of which involves at least two people.
As for the Facebook group, Shepherd said his company was taking steps to address the grievances of the members: “We have provided financial compensation for those in the group who qualified and worked with others to educate them about the best practices for booking a vacation rental such as using safe payment methods and calling the owner before making payment.”
Of course “those who qualify” is a major sticking point, which Grossman-Cohen found out the hard way: “When we contacted HomeAway they said it wasn’t their fault but through some pressure to resolve it they basically said they would pay like a third of what we lost,” he said.
But just a little over a month after Grossman-Cohen endured his first scam he was contacted by what he quickly recognized to be a second scammer, responding to another one of his five inquiries.
“So 40 percent of the people that I reached out to on HomeAway ended up in someone trying to scam me, which is kind of amazing,” Grossman-Cohen said.
Grossman-Cohen had several long conversations with HomeAway representatives about the scammer who was actively pursuing him, one of which BuzzFeed obtained a recording of.
“They basically just said this isn’t our fault, it’s the fault of the owner who got phished,” he said. “We don’t take any steps other than try to put the email address in the system… But the guy who was trying to scam me sent emails from three or four different accounts.”
The basis of the scam, in fact, requires scammers to use several different email addresses. The way it works: Scammers send HomeAway advertisers an initial, fake inquiry about one of their listings. The inquiry template includes an outbound link that seemingly directs the advertiser back to their HomeAway account, but actually leads to a fake log-in prompt designed to phish the advertiser’s information.
Now that the scammer has access to the advertiser’s email account, they can begin intercepting legitimate rental inquiries from HomeAway users. To cover his tracks, the scammer will typically delete the inquiry from the original phished email account and reply from an entirely different email address. At times, but not always, the scammer will respond to the inquiry with a different listing from another advertiser so the potential renter never contacts the original, real advertiser again. Each scam can therefore involve three people: the advertiser who has been phished, the potential renter who is the target of the scam and the second advertiser whose listing is being used as a pawn.
Essentially, recording a single email address does little to prevent future scams or catch current scammers. HomeAway does record additional information that helps either prevent or stop scams, Shepherd told BuzzFeed, but he would not go into specifics to avoid tipping off scammers.
After Grossman-Cohen’s attempts to report the active scam to HomeAway failed, he filed a simple report to Actionfraud, a site run by the British police. A few weeks later, he received a response from the agency that read: “Your report has been assessed by the NFIB and the information you provided has enabled the police to take action to disrupt the activities of suspected criminals.”
When BuzzFeed brought this to Shepherd’s attention he responded, “More often than not, authorities need the victim(s) to provide the information. In the case of vacation rentals, the owner and traveler have the most complete information, so it makes sense for the victim to submit the report to authorities.”
However, in the recording of the phone call between the HomeAway representative and Grossman-Cohen, Grossman-Cohen continuously offered all the information that was available to him — which included the bank account information of the scammer — to the representative, who refused to accept it and repeated that as a policy HomeAway did not deal with law enforcement.
HomeAway, which was valued at $3 billion when it went public in June of 2011, has acquired 19 other vacation rental sites in the past several years. Their stance remains that the liability for the scam falls on the shoulders of the owner of the email account that has been phished, given that they provide ample guidelines for HomeAway users to follow to avoid being scammed. These guidelines include warnings against wiring money. (Grossman-Cohen said he did not see these warnings on the website.)
Given that the scam occurs strictly through email, BuzzFeed asked Shepherd if it would make sense to simply restrict communication between advertisers and renters to the website.
“As a company, our goal is to create the most secure marketplace for vacation rentals, and we strive to achieve this by improving our technology, our processes and educating our customers about best practices,” he said. “But all internet users must be aware that there are criminals out there, and they will work to subvert any technology barrier.”
Shepherd added that the site has begun to roll out a new secure communications system that does not reveal the email addresses of either renter or owner.
Another layer of responsibility in the HomeAway scams falls on the shoulders of the financial institutions that are commonly used in these scams, including Barclays, the seventh largest bank in the world, which allows users to create bank accounts online.
King provided BuzzFeed with 13 of the 101 victim files that she had on hand, many of which use the exact Rental Agreement template Grossman-Cohen encountered. As with Grossman-Cohen’s case, many scammers — 95 percent of those reported to King, she said — use a Barclays UK bank account. Of the 13 files King provided to BuzzFeed, 11 used Barclays accounts. Of those 11, two of the account numbers were used in two additional and separate scams each.
Other financial institutions used in scams include AccessPrepaid and TSB Bank.
Complaints of phishing scams that use Barclays bank accounts on other vacation rental sites like AirBnB and Trip Advisor have also been reported in online forums and to King.
In response to a BuzzFeed request for comment, a Barclays spokesperson responded with a statement confirming that “Barclays complies with all regulatory requirements and has robust identity and verification process.” The email goes on to state, in boilerplate language and without specifics, the general process Barclays follows when alerted to a “suspicious” account.
Barclays Bank does, nonetheless, allow accounts to be created online. But, as the spokesperson clarified, the account cannot be activated unless the customer visits the branch and provides proper identification.
But according to a transcript of a chat between King and a Barclays Bank representative during which she inquired about opening an account with foreign identification, opening and activating an account in-person would take a maximum of 15 to 20 minutes.
And in fact, in a letter that BuzzFeed obtained, dated June 11, 2013, from Barclays senior case manager David Chapman to Sir Peter Bottomley, a member of parliament who was writing on behalf of one of his constituents who had been scammed out of money, Chapman admitted that fake identification can at times slip through the bank’s “standard detection methods.”
For those who have reported scams to Barclays after the fact, receiving assistance or a refund from the bank has proven difficult. Typically, victims of scams must provide a UK court order to receive the funds, according to a document King compiled to educate members of the group and letters from Barclays to the banks of victims.
BuzzFeed provided the Barclays spokesman with the information for the 11 bank accounts involved in the scams that King had on file and furnished to BuzzFeed. He said that although Barclays would begin an investigation into those accounts, he would not be able to provide the results of the investigation due to confidentiality agreements.
However, BuzzFeed obtained a letter that Barclays Bank sent to a victim of a scam notifying him or her that the investigation of the bank account he or she reported had been completed. In the letter, Barclays Bank confirmed that the account was closed down and offered to return the money on a “goodwill basis and without any admission of liability” under the condition that the victim would not pursue any action beyond the refund and that the settlement would remain confidential.
In Grossman-Cohen’s case, the account in question had already been closed and the bank indicated there was no way of locating the person who opened it in the first place. It’s a situation that seemingly conflicts with Barclays Bank’s supposedly “robust identification and verification process.”
When asked for comment about their inability to find the account holder, the spokesperson said that Barclays “…cannot disclose to a victim of fraud any details of the account that they have paid funds into (in accordance with the Data Protection Act), our records will detail the name of the account holder.”
It seems that victims of fraud searching for some form of recourse from Barclays Bank typically come up empty unless they are bound by a confidentiality agreement that relieves Barclays of all liability.
Like any burgeoning industry, the home-sharing industry is going through what some may consider growing pains. But to be seriously considered as a viable alternative to the hotel industry, companies like AirBnB — which was most recently valued at $10 billion — and HomeAway — which is valued at $3.23 billion — have to considerably fortify the fraud protection and preventative methods they’re currently employing and establish some sort of system of oversight.