Category: Property Owners

Keeping Owners and Guests Safe Online | Mitigate Fraud Risks

As us owners are all too aware there are a number of ways that we can get scammed, but fraudsters are targeting our guests too. Fortunately, as owners, there are a few simple steps we can take to make it much harder for the fraudsters whilst at the same time making life safer and easier for ourselves and our guests.

There have been a number of incidents reported in the press highlighting the problems associated with identity fraud. Whilst these incidents appear to be isolated, they showed the grief suffered by innocent people at the hands of fraudsters. However, a casual observer might think that the issue is related to an individual site. The reality is that online fraud affects the internet as a whole and it is equally as likely that the frauds may have been committed by hackers gaining control of owners / property managers email accounts.

If fraudsters gain access to your passwords, they can impersonate you online, without your knowledge. And it doesn’t stop at taking money from would-be holiday makers, it can go much deeper. In fact, according to Action Fraud, in 2015-16 it was estimated that identity fraud cost the UK a staggering £5.4 billion. And this problem is not about to go away any time soon.

How do online scams work?

Firstly, internet security is a very technical and complex subject. So complex that IT security is an industry in its own right and therefore beyond the scope of this article. The aim of this article is to look at some common vulnerabilities and scams and examine how they might be mitigated.

Let’s take a look at how the booking process generally works:

Booking process

The generic enquiry / booking process for self-catering rentals

A potential holiday maker searches their favourite property listing site for a holiday cottage or property that meets their needs, and makes an enquiry.

Typically, details of the enquiry are then directly emailed, from the site, to the owner / manager of the property.

The owner / manager then contacts the holiday maker to complete the booking and handle the deposit / payment. This process works well, but as with all websites on the internet there are some inherent vulnerabilities.  There are some variations to the above process, including making all communications go through the listings site.  However, once a communication is made directly, the same vulnerability exists.

For the purposes of this post and explaining the generic process we are going to assume that such websites are professionally and securely hosted and that all current security updates, patches and software versions are applied. Also, user account passwords are stored in an encrypted form and transmission of personal data is protected by SSL certificates (HTTPS).

This leaves two key points where an attacker might be able to intercept an enquiry (although there may also be others such as the holiday makers own email account). Again we must stress that this is inherent in all websites on the internet. But, for our example these two main areas are: 1) when information is sent to a website from a users computer / browser (in our case an enquiry) and 2) when an email is forwarded to the owner / manager.

vulnerabilities

Potential vulnerabilities exist with any website

It is worth noting that enquires made to Independent Cottages are protected in transit with industry standard SSL 256-bit encryption.

HTTPS-Secure

Enquiries made to Independent Cottages are secure

This leaves the email from a website to the owner as focus for further attention:

Fraudsters use various methods to try and get account passwords with email accounts being a prime target.

The first is a so-called ‘dictionary attack’: Let’s assume that our owner’s email address is barry123@SomeEmailProvider.com. A hacker can see two key pieces of information from this; firstly, that Barry uses “SomeEmailProvider.com” (a fictitious email service that I made up for the purpose of this article) and secondly, that his user ID is “barry123”.

Hackers share lists of commonly used passwords and sometimes also use sophisticated software to keep trying different password combinations until they “get lucky”. If a user’s password is easy to guess, then it makes it all the easier for the attacker.

Phishing

Another method of getting a users password is known as phishing (click to find out more about phishing scams). Scammers and fraudsters send thousands of emails purporting to be from the recipient’s bank, lawyer, email provider, airline, tax office, social media sites and even holiday makers enquiring about a booking (in all likelihood, you will have received some of these yourself). These emails can often look legitimate but the links that they contain point to fake sites owned by the scammer and made to look like an official site that the recipient uses all the time.

These scam / phishing emails are often easy to spot, or get trapped in junk mail folders but, a lapse in concentration, a sheer coincidence in timing, or a convincing email might make an unsuspecting user enter their user ID and password into a false website.

Also, some viruses / trojans exist to track their victim’s keystrokes. These keystrokes are then reported back to the would-be hacker.

Armed with someone’s user ID and password, a fraudster can potentially wreak havoc with just about any online system that the victim uses. Including, but by no means limited to, enquiries from rental listing sites, where the hacker could intercept an enquiry, take on the identity of the owner and request that money be paid into the fraudsters bank account.

IdentityTheft

If a hacker compromises your email, they can impersonate you online

So what can we ALL do to keep safe online?

As owners, we need to be safe online, but we need to educate our guests and make them safe also; and we don’t want to scare our potential guests away either.

Some websites offer a payment escrow service; money is paid directly to the advertising site and released to the property owner the day after the guest arrives. Whilst this offers a level of payment protection to the holiday maker, it can cause cash flow problems to the property owner. But for some, this may be an attractive option. However, it is worth pointing out that escrow schemes can also be a target of phishing scams.

Tips for staying safe online

1 – Choose strong passwords

Weak passwords, such as “rover”, “peaches99” and “sally1” are commonly used and are very easy to guess and likely to appear on a hackers dictionary list. Choose a strong password with three or more words and incorporate uppercase and lowercase letters, special characters and numbers. There is some great advice offered at https://www.cyberstreetwise.com/.

If you only do one thing today: make sure that you change your passwords: Best practice suggests changing them every 30 days.

2 – Keep passwords unique

Never use the same, or similar, password for two sites / systems. If your social media, email, online banking and property listings passwords are the same, it makes life a lot easier for would-be hackers should one of your accounts be compromised or “phished”.

3 – Logout

Many online systems / websites store details of your logged in session for the duration of your visit. However, simply closing your browser can leave these sessions ‘open’ and potentially vulnerable to hijacking.  Logging out before you close the browser will close (or destroy) the session, removing all trace.

4 – Keep anti-virus software up-to-date

For a modest annual fee, virus software can warn about visiting harmful sites (phishing sites), protect against phishing emails and protect against email-borne viruses and trojans aimed at damaging your data or collecting your personal information.

Tips for helping ourselves and our customers to stay safe online

1 –  Encourage a dialogue with your guests

A simple phone call to an enquiring customer can go a long way to build rapport and give the holiday maker a chance to ask questions about the property and the local area.

Also, start to expect more phone calls from enquirers too, and be prepared and allow them time to ask any questions that they might have (i.e. questions that can help them establish if the property is genuine such as information about the area). Look at it as an opportunity to ‘sell’ the benefits of your property, help them make up their mind and provide some reassurance for both yourself and the guest regarding who is involved in the rental. Remember, that establishing a personal relationship might also help when it comes to leaving online reviews too!

 2 – Consider offering payment by credit card. Even if it is just the deposit.

Whilst we appreciate it is not always economic for property owners to accept credit card payments, it offers holiday makers more security and we strongly urge owners to consider accepting this form of payment.

Did you know?

Section 75 of the Consumer Credit Act protects consumers for credit card purchases between £100 and £30,000. But consumers may be protected for the full amount of an item (such as a holiday), even if only the deposit is paid by credit card (the deposit must be £100 or more). This means that if a £100 deposit for a holiday cottage is paid on a credit card, but the balance is paid by cheque, then the whole value of the rental agreement should be protected. Read more from the Money Saving Expert (it is also worth noting the article information regarding what is not covered under section 75).

We can’t tell owners not to accept bank transfers, but we do need to point out that they can leave the holiday maker open to the risk of fraud due to email identity theft as described above. Whilst bank transfer is a popular payment method, until banks offer “charge backs”, or similar levels of protection, it is fast becoming the industry’s least favoured approach due to the risks faced by guests. There are additional costs associated with taking credit card payments which can be hard to justify if you only have one rental property. However, it is likely that demand for this payment method is going to increase in the future, so we recommend owners making provision for accepting credit card payments as it could help secure bookings.

Paypal Buyer Protection: Are cottage rentals covered?

So, are holiday rental payments made via Paypal protected? Paypal offers a payment gateway for money transfer and is a payment method that is regularly used by rental owners. However, PayPal’s “Buyer Protection Scheme” has exclusions which include “real estate” and “services” transactions as well as transactions which have “multiple installments” (such as a deposit followed by a final balance which is the case for many cottage bookings). Thus meaning holiday rental payments appear not to be covered by Paypal’s “Buyer Protection Scheme” as confirmed by a Paypal administrator. It is also worth noting that if payment is made via Paypal using a credit card, it is unlikely that it would be protected by the ‘safety net’ of Section 75 as services purchased through an intermediary (such as Paypal) appear to not be covered (find out more from MoneySavingExpert.com).

In Summary

As owners, we must be extra vigilant for phishing emails and take online security seriously as the threat of being caught up in online fraud is a growing risk to us all. Whilst the incidents are isolated, they are terribly distressing for everyone involved. Just as owners are subjected to scams and the risk of fraud, so are holiday makers and indeed anyone purchasing online. However, there are a number of things we can do as owners to help protect ourselves and provide additional protection to our guests.

Online fraud and internet crime (financially motivated) can be reported to Action Fraud.

4 thoughts on “Keeping Owners and Guests Safe Online | Mitigate Fraud Risks

  1. Alison Evens

    I find it most disturbing that as a property owner, I will end up with no choice but to accept credit cards and the associated costs.. When this issue started to emerge some time ago, I really thought that eventually common sense would prevail. For the consumers, a bank transfer is a perfectly safe way of paying provided they are happy about the bona fides of the person they are dealing with. These can be checked e.g. by looking up the property on http://www.qualityintourism.com/. Paying by credit card is no protection against fraud – you can get your money back, which is a big help, but you will still end up having to start all over again with a holiday booking and that could be avoided if consumers were advised to take responsibility and check up on credentials before entering into such an important transaction. The reason you have so much protection when paying by credit card is because of the high incidence of fraud associated with this payment method – the whole credit card edifice would have fallen apart several years ago had the banks not intervened to protect what is a very lucrative market for them. And how do most of us pay our credit card bills? By bank transfer! The truth is that there is no way of completely eliminating any risk of fraud, but everybody should take steps to minimise the risk. I appreciate that credit cards are a very convenient way of paying and may be best for international payments, where the cost of bank transfers can be very high. I have never therefore totally ruled out accepting credit cards, but do object to being forced to accept them by scare-mongering.

    Reply
  2. Debbie Copas

    Excellent article and the more of these we have, the better educated people will become. There are a frightening number of people out there, both owners and guests who are unaware of even simple phishing scams such as emails from your “bank” which are an attempt to get your passwords. The emails are getting more and more difficult to spot too, as they look so genuine.

    One factor that I don’t think you mentioned is that you may not be covered by Section 75 if you pay using your credit card but via Paypal. Many credit cards consider that your transaction is with Paypal (a third party) and not the merchant you were purchasing goods or services from. I have personally been caught by this. It makes a mockery of our rights as a UK Consumer (Paypal is a US provider) and is one of the reasons why I plan to move on to a different provider for credit card transactions, that also offers lower fees than Paypal. I think it will become increasingly important to offer Credit Card payment to our guests if only to allay their fears.

    Debit cards also offer some protection under the chargeback scheme, which isn’t a legal requirement as Section 75 is, but offered by many providers. A great guide is written here by Money Saving Expert. http://www.moneysavingexpert.com/shopping/visa-mastercard-chargeback

    For the UK I would like to see more owners join EASCO, the English Association of Self Catering Operators. A small organisation but with a voice that is listened to within the travel industry. The more owners that join, the more powerful they will become and is another way that guests can verify that we are genuine accommodation providers.

    Reply
  3. Rachel Browning

    Thanks for the information. It is a difficult area. Currently we only accept payments by cheque as we only own 1 holiday cottage. We have never liked bank transfers, although we do get asked, especially by overseas guests. For the moment we intend to stick with chequea but no doubt we may have to change in the future.

    As a side point we have belonged to EASCO for some time and have always found their monthly newsletter helpful and informative. It keeps you in the picture re legislative changes that affect self catering owners. You can also ask for individual advice. It costs less than £50 per year for one unit. Well worth the investment.

    Reply

Leave a Reply

Your email address will not be published.