THOUSANDS of villa rental clients are facing a holiday nightmare after a major booking site was attacked by fraudsters using ‘phishing’ techniques on clients.
Conmen have potentially left tens of thousands of tourists without a place to stay in Spain after hacking into the emails of holiday homeowners, via rental site Owners Direct.com.
By diverting enquiries, scammers are able to masquerade as the owner in order to get booking fees paid into their own bank accounts.
Owners Direct, launched in 1997, works like an online travel brochure along with sister site Homeaway, receiving more than 53 million requests each month in total.
The average client pays around €500 to the site to be advertised alongside thousands of properties, from cheap and cheerful apartments to luxury villas and fincas.
Last year alone, an estimated 5,000 holidaymakers lost millions from this one site when they discovered their rental homes in Spain, France and other European countries had not been booked.
Meanwhile, the homeowners themselves have also lost vital income from the scam due to losing most of their genuine requests.
“I am furious that Owners Direct accepts no responsibility for the scam,” said Gabriella Chidgey, who runs the stunning www.alcantarilla.co.uk, a rural farmhouse near Ronda.
“It’s the second time it’s happened in under a year and you only realise it’s occurred when you get a drop in enquiries… or in our case when, luckily, a potential client about to pay the deposit called up to double check the bank details.”
She explained that the fraudsters are so good at covering their tracks they even send bogus enquiries to allay suspicions, but the names and phone numbers given turn out to be non-existent.
Chidgey, 44, added that Owners Direct refuses to take responsibility or offer any refund.
“They promise to get back in three days if there are any problems… But I haven’t heard anything in over three weeks and after three emails and two expensive phone calls to London.
“We have lost thousands this year; it’s fair to say we are cancelling our account.”
Another victim, British expat Peter McLeod, who owns Finca La Guzmana, also near Ronda, has lost a series of bookings to the Owners Direct scam.
The former policeman criticised the company for allowing mass fraud to take place through its sites.
It is just as bad for the holidaymakers.
One young family from London, the Macdonalds, found themselves stranded in Marbella after paying €2,000 to rent a villa for ten days, only to discover they had been tricked.
The owner and keys were nowhere to be seen, while its website was also down.
Another British holidaymaker, Jillian Roberts, was scammed out of the €4,500 that she paid for a family villa, also in Marbella, after contacting the person she assumed to be the owner through Owners Direct.
Campaigners calling for tighter security say the sites should privately hold all email addresses within their internal systems, instead of giving them out to owners.
The founder of an action group previously said: “They must take action and address the security loophole; change the email domain for renters’ enquiries and change the communication workflow between property owners and renters.”
An Owners Direct spokesman told the Olive Press: “We are sorry to hear about these owner and traveller experiences.
“As a company, our goal is to create the most secure marketplace for holiday rentals, but like any online business, we cannot always be 100% immune from issues.
“Phishing is the most common and sophisticated form of online identity theft and we are constantly innovating to tackle it. For example we have recently upgraded the Owners Direct platform to make it easier for travellers to pay via online payments, which is the most secure way to book a rental property and automatically covers you against internet fraud up to £10,000.”
How the scam works
SCAMMERS access people’s accounts via what is known as ‘phishing’.
This involves sending bogus email enquiries to owners in order to glean vital information.
The most common way is to send a fake enquiry with a click-through link to their email sign-in page.
In reality, this is a fake page, and if the owner logs in, the fraudster is also in and can begin intercepting enquiries.
They pose as the owner, deleting emails to cover their tracks, while the real owner remains oblivious.
After sending fake contracts and details, the scammer finally asks for money to be paid into their own bank account. Thousands have lost out.
Sounds like some dodgy operators using Homeaway/Owners Direct. May be safer to use Airbnb or book with a major operator like Thomsons? At some point maybe it will become too dodgy to book anything online? Back to the days when you organised your digs with a hawker you met at the airport?
Let’s just look at the numbers. It is estimated there are 20 million holidays booked via the internet and there are 1500 known cases of people being scammed. It is a threat but a very very low one.
It would probably enlighten you Mark if you actually read this article. It states that twelve thousand people lost an average of seven hundred and eighty euros each, just on Homeaway. Considerably more than your 1500 claim, no? One would almost think you had some kind of stake in this holiday let business?
City of London Police Head of the Economic Crime recently said there were 1,500 known cases with an average loss of £889. Check The Independent recent reporting of this with quotes from the Head of Economic Crime. The Olive Press article has not validated its claim of 12,000 in any way. Bit of a leap from 1,500 known cases to 12,000?
The only way to be safe is not to do bank transfers as payment. Only use the ones who take payment by credit card.
The Mail says 12,000 people have been scammed worldwide on this scam.
To dismiss it on the basis as ‘let’s just look at the numbers’ then come up with 1500 is rather like saying it’s not important in reality. I suspect the number scammed in Spain is somewhat higher than this as typically in Spain whether mis-selling by agents’ scams, time-share scams and quite likely this holiday rental scam many victims are embarrassed by their predicament and don’t always come forward publicly. Hence the City of London Police saying there were 1,500 known cases. This story is likely to grow in due course.
This holiday group have companies in various countries including 3 in the US, 2 in the UK, 1 Germany, 2 France, 1 Australia, 1 Brazil, and 2 in Spain these being HomeAway.ES and TopRural Spain.
A Google search of its Directors only leads to the founders of HomeAway in Texas America, the other companies don’t show their Directors. The European websites seem rather obscure and for that reason I would steer well clear.
There are similar stories of people falling foul as per this article going back to 2011, maybe earlier too.
My advice would be to go into a travel agent and book holiday rental with proper ABTA or similar bonding.
Mark (from Owners Direct) there were an estimated 12,000 people scammed last year according to a Daily Mail investigation and, let’s be honest, most people are not going to report it to the police – and Mark, this is just ONE of hundreds of booking sites – the fact that Owners Direct is so arrogant it does not call its paying clients for over 3 weeks just eventuates how big a problem they know this is. I fear an almighty crash!
If you are the victim of phishing the onus is on you. This goes for any online service, not just holiday bookings. Has Owners Direct been compromised? The answer seems to be no. What has happened is that owners have given away their credentials to fake copycat websites. How is that Owners Direct’s fault?
Will the OP please tell us if Owners Direct has been compromised, or if it is actually the case that owner credentials have been lost by the owners themselves? There is a big difference. In this case there is nothing Owners Direct can do except reset passwords that were lost by owners.
Holidaylettings seem to have this sorted by all payments and communication going through them – until they are hacked!!
Phishing is commonplace, the Correos currently has a phishing scam that does exactly the same thing. They send a fake email with all the Correos branding telling you to log in to get details of a delivery, and the unsuspecting user clicks a link in the email to log in. The fake Correos website then takes the details and the account is compromised. There is no difference between that and the Owners Direct phishing scam, or with any other of the thousands of online services. Owners Direct seem to have no central payment system, relying on owners to communicate and arrange funds, but that’s still not a failing of Owners Direct.
If you lose your passwords, whose fault is that? That is where this article is fundamentally incorrect.
Well said Jon Clarke (publisher) this is probably the tip of the iceberg, a quick Google search reveals this problem with this/these companies has been going on for years. I would never do business with a company that has obscure websites set up in overseas countries that also don’t state who their Directors or Team are in that country. Such a set-up smells of scam!
How come this/these companies get hacked so easily, and somehow led to look-a-like sites? How many companies of all trades do we all use online to make payments for goods every year that lead us to fake copycat websites? Something’s seriously amiss with their websites and security procedures in this case?
If City of London Police are investigating then this is a serious fraud unlike the post about ‘putting it in perspective’. More victims will come forward worldwide.
“How come this/these companies get hacked so easily”
They didn’t as far as we know. You’ve fallen into the same misunderstanding as Jon. Who has been hacked? Answer: no one. What security procedures have been compromised? Answer: none.
What has happened here is that a person has used a fake email to click on a fake website to give away their real credentials. That is not the website’s fault, it is the user who gave away their credentials in error. Owners Direct just puts holidaymakers in touch with owners of holiday homes. Even if they offered a secure and central payment and messaging system, if the owner gives away their credentials then access is granted and fraud can take place, just like if you gave away your banking details to a fake banking email, or fake shopping site, or fake email provider and so on ad infinitum.
Please do tell us whose fault it is if you give away your credentials to a third party, in error? Be interested to hear your answer to that one Mike.
Not fallen into any trap there Fred. Ok so their websites don’t get hacked you say, but you answer this then.
In all my emailing experience when going to any normal company website I have never been led to a fake website because I can clearly see if there are any look-a-like sites on the Google search. Even the US ESTA website has not dissimilar looking sites which end up charging people far more for an ESTA than the official site. So to re-iterate, I have never been a victim of this problem affecting people trying to book through Owners Direct/Home Away etc.
However all the advice via The Guardian and other media reports advises people ‘not to use Owners Direct website until they improve their security procedures (which suggests they can), and at the same time offer free insurance to cover any fraud rather than charge £60 or so to buy insurance. Further search on this company reveals the same problem has been going on for years so it’s not new. The fact they offer compensation of some £700 max suggests the onus to improve systems should be a priority.
Which gets me back to the same advice above, don’t use them whilst they are so easily hacked or led to other sites, don’t use them whilst you cannot find out who their directors are, and for peace of mind book accommodation via travel agents with full ABTA bonding.
Mike, you said “How come this/these companies get hacked so easily” and then provided no proof they (Owners Direct) were hacked. That is just hearsay. The same problem has been going on because phishing has still been going on, and it always will because imitation and impersonation are easy to achieve using the Internet.
“In all my emailing experience when going to any normal company website I have never been led to a fake website because I can clearly see if there are any look-a-like sites on the Google search”
Just because you never do it, does not mean nobody else will. What about less IT-literate people? Phishing is big business and is a major revenue earner for scammers, and we’re probably talking billions of $ globally. Just a click of a link is all that is needed, and anyone can be caught off-guard in this way.
“Which gets me back to the same advice above, don’t use them whilst they are so easily hacked…”
Wrong again Mike, you just don’t understand the difference between a “hack” and a “phish”. When someone responds to a phishing email and sends their (secret) credentials to a third party, that is not a hack. That is social engineering in getting you to pass over your credentials to a nefarious third party. Many fake sites even advertise they have ABTA bonding. You know, when someone books a holiday, they don’t first say “let’s research the directors of this company and see if their office is in Texas” when they book, do they? lol
The Guardian also got it spectacularly wrong when they had a headline that included “hacks into email”. In fact, no such thing happened. The owner gave away their credentials; no “hack” was ever needed. Please send a link to The Guardian article that says “not to use the Owners Direct website” as I could not find such an article where they stated that.
In any event, what’s the difference between the Owners Direct case and, say, losing your eBay credentials, your Amazon credentials or any other credentials where payments or goods and services are involved? The phishing scams on eBay are legendary.
Please do more careful research next time, because this issue will never be eradicated if so much disinformation on this subject is being given out. I’ve had two phishing emails just this morning, one from PayPal and one from Amazon. If I click on the link to “log in”, and do so, whose fault is that? Exactly.
Here is some more careful research to your request Fred for a link to the Guardian article that says ‘not to use the Owners Direct website’, although I don’t think you can click on links on the OP site.
“www.theguardian.com/money/2014/aug/11/ownersdirect-holiday-hack-email-lost-money”
where it then leads to a link saying ‘£2,790 in identical circumstances’ click on that and the last para written by Miles Brignall 11/08/14 for the Guardian says ‘Better still, avoid Owners Direct and Home Away until they do more to resolve this problem – or offer a decent insurance to bookers for free’
Unfortunately the words ‘hacked’ and ‘phishing’ have both been used extensively in the same breath on many occasions relating to this on articles, on a previous Guardian article a group of villa owners claim ‘they have had their Owners Direct accounts hacked 5 times’ so you are needed to educate them and us with your knowledge asap, and suggest you inform The Guardian about getting it ‘spectacularly wrong’ as this might further educate its readers. Broadside expected in due course! Ha!
My advice remains the same, avoid Owners Direct/Home Away as mentioned before and as advised in 1st para above, always use a credit card, and an ABTA bonded agent!
Sorry to hear about your 2 phishing emails this morning, not experienced that yet, must be lucky I suppose.
The Guardian link that led to the above link I posted earlier was:
“www.theguardian.com/money/2014/aug/23/holiday-book-online-owners-direct-homeaway-scam”
What is more worrying re Owners Direct and Home Away is the mention in “www.thisismoney.co.uk” on 4th August 2014 about 2 ways of being scammed, ‘either victims are being conned with fake property listings on the site, or, a legitimate property listing is hijacked and emails intercepted’
Would have thought the onus is on the holiday website if the former is true, showing fake properties? The latter either on the booker and/or the company for lack of due diligence and security issues and paying without using a C.C.
Fake listings on existing property websites are definitely the responsibility of the website in question, but in this particular case phishing was the scammers’ weapon of choice, and it is to that specific area that I am talking about here.
Big players like eBay and PayPal have buyer protection, and so too do Owners Direct. I wonder why buyer protection was not mentioned in the original article? Did the people involved have buyer protection? It is all clearly stated on the Owners Direct security page. If buyer protection was in place and Owners Direct did not invoke it, then maybe it was because the owner gave away their credentials by accident. Buyer protection is a very grey area, there are whole websites devoted to people’s complaints about it.
Mike, yes that’s the article with the incorrect headline that I mentioned. The press always get this wrong. If a person “brute forced” an account, trying thousands of combinations of passwords and eventually found a working password, then yes, that would be “hacking”, but that did not occur here. In this case, the owner (at some point) gave away their credentials accidentally, and customers were from thereon dealing with fake owners. If you blame someone else when you, yourself, gave away your details to a fake website via a fake email, you only have yourself to blame. No broadside needed lol.
In my opinion I think the Olive Press article has highlighted a very real problem that needs sorting out with not just Owners Direct/Home Away but also sites like Airbnb, Gumtree etc. In the case of Owners Direct/Home Away this has been going on since 2010 using an online search and the problems are still there. Apparently, the companies mentioned are reckoned to have a million properties worldwide that can be linked to, they quite likely don’t even know which properties are fake listings. The tip of the iceberg is what this is and no doubt we will hear more of this in due course from the media. We’ve successfully booked villas, apartments abroad in the past but never had problems going through ABTA bonded travel agents which is what I advise, or, use a credit card with any other booking.
Mike, the OP article is specifically about phishing attacks allowing access to owners credentials. The issue of fake property adverts is something else.
Phishing is as old as the hills, and it’s not just properties. There are fake auction sites, fake estate agents, fake tax websites, the list is endless. Sadly, phishing is not going away anytime soon, and of course it’s not just done using the Internet. People get fake letters and documents and phone calls from scammers too. It’s all part and parcel of the same type of scam: getting you to trust a scammer.
Mike, you hit the nail on the head when you say to stop this the customer simply has to pay with a credit card. Add to that the protection this affords to the customer and it really is pointless using bank transfer. I know some will want to save the credit card fee but let’s be honest would you rather lose £30 or so or £2500 for a scammed booking!?!?!
Paying by credit card will not help you if you have given away your credentials in error, unless at the discretion of management in specific cases. Read the small print…
Not sure about that Andy. Do credit cards pay out if you haven’t followed the site’s required safety steps?