As us owners are all too aware there are a number of ways that we can get scammed, but fraudsters are targeting our guests too. Fortunately, as owners, there are a few simple steps we can take to make it much harder for the fraudsters whilst at the same time making life safer and easier for ourselves and our guests.
There have been a number of incidents reported in the press and also on the BBC Watchdog programme (aired November 2014) highlighting a particular problem associated with identity fraud. Whilst these incidents appear to be isolated, they showed the grief suffered by innocent people at the hands of fraudsters. However, a casual observer might think that the issue is related to an individual site. The reality is that online fraud affects the internet as a whole and it is equally as likely that the frauds may have been committed by hackers gaining control of owners / property managers email accounts.
If fraudsters gain access to your passwords, they can impersonate you online, without your knowledge. And it doesn’t stop at taking money from would-be holiday makers, it can go much deeper. In fact, according to Action Fraud, in 2012 fraud cost the UK £73 Billion (with identity theft accounting for £1.2bn). And this problem is not about to go away any time soon.
How do online scams work?
Firstly, internet security is a very technical and complex subject. So complex that IT security is an industry in its own right and therefore beyond the scope of this article. The aim of this article is to look at some common vulnerabilities and scams and examine how they might be mitigated.
Let’s take a look at how the booking process generally works:
A potential holiday maker searches their favourite property listing site for a holiday cottage or property that meets their needs, and makes an enquiry.
Typically, details of the enquiry are then directly emailed, from the site, to the owner / manager of the property.
The owner / manager then contacts the holiday maker to complete the booking and handle deposit / payment. This process works well, but as with all websites on the internet there are some inherent vulnerabilities. There are some variations to the above process, including making all communications go through the listings site. However, once a communication is made directly, the same vulnerability exists.
For the purposes of this post and explaining the generic process we are going to assume that such websites are professionally and securely hosted and that all current security updates, patches and software versions are applied. Also, user account passwords are stored in an encrypted form and transmission of personal data is protected by SSL certificates (HTTPS).
This leaves two key points where an attacker might be able to intercept an enquiry (although there may also be others such as the holiday makers own email account). Again we must stress that this is inherent in all websites on the internet. But, for our example these two main areas are: 1) when information is sent to a website from a users computer / browser (in our case an enquiry) and 2) when an email is forwarded to the owner / manager.
It is worth noting that enquires made to Independent Cottages are protected in transit with industry standard SSL 256-bit encryption.
This leaves the email from a website to the owner as focus for further attention:
Fraudsters use various methods to try and get account passwords with email accounts being a prime target.
The first is a so-called ‘dictionary attack’: Let’s assume that our owner’s email address is barry123@SomeEmailProvider.com. A hacker can see two key pieces of information from this; firstly, that Barry uses “SomeEmailProvider.com” (a fictitious email service that I made up for the purpose of this article) and secondly, that his user ID is “barry123”.
Hackers share lists of commonly used passwords and sometimes also use sophisticated software to keep trying different password combinations until they “get lucky”. If a user’s password is easy to guess, then it makes it all the easier for the attacker.
Another method of getting a users password is known as phishing. Scammers and fraudsters send thousands of emails purporting to be from the recipient’s bank, lawyer, email provider, airline, tax office, social media sites and even holiday makers enquiring about a booking (in all likelihood, you will have received some of these yourself). These emails can often look legitimate but the links that they contain point to fake sites owned by the scammer and made to look like an official site that the recipient uses all the time.
These scam / phishing emails are often easy to spot, or get trapped in junk mail folders but, a lapse in concentration, a sheer coincidence in timing, or a convincing email might make an unsuspecting user enter their user ID and password into a false website. Angela Rippon was a high profile victim of such a scam.
Also, some viruses / trojans exist to track their victim’s keystrokes. These keystrokes are then reported back to the would-be hacker.
Armed with someone’s user ID and password, a fraudster can potentially wreak havoc with just about any online system that the victim uses. Including, but by no means limited to, enquiries from rental listing sites, where the hacker could intercept an enquiry, take on the identity of the owner and request that money be paid into the fraudsters bank account.
So what can we ALL do to keep safe online?
As owners, we need to be safe online, but we need to educate our guests and make them safe also; and we don’t want to scare our potential guests away either.
Some websites offer a payment escrow service; money is paid directly to the advertising site and released to the property owner the day after the guest arrives. Whilst this offers a level of payment protection to the holiday maker, it can cause cash flow problems to the property owner. But for some, this may be an attractive option. However, it is worth pointing out that escrow schemes can also be a target of phishing scams.
Tips for staying safe online
1 – Choose strong passwords
Weak passwords, such as “rover”, “peaches99” and “sally1” are commonly used and are very easy to guess and likely to appear on a hackers dictionary list. Choose a strong password with three or more words and incorporate uppercase and lowercase letters, special characters and numbers. There is some great advice offered at https://www.cyberstreetwise.com/.
2 – Keep passwords unique
Never use the same, or similar, password for two sites / systems. If your social media, email, online banking and property listings passwords are the same, it makes life a lot easier for would-be hackers should one of your accounts be compromised or “phished”.
3 – Logout
Many online systems / websites store details of your logged in session for the duration of your visit. However, simply closing your browser can leave these sessions ‘open’ and potentially vulnerable to hijacking. Logging out before you close the browser will close (or destroy) the session, removing all trace.
4 – Keep anti-virus software up-to-date
For a modest annual fee, virus software can warn about visiting harmful sites (phishing sites), protect against phishing emails and protect against email-borne viruses and trojans aimed at damaging your data or collecting your personal information.
Tips for helping ourselves and our customers to stay safe online
1 – Encourage a dialogue with your guests
A simple phone call to an enquiring customer can go a long way to build rapport and give the holiday maker a chance to ask questions about the property and the local area.
Also, start to expect more phone calls from enquirers too, and be prepared and allow them time to ask any questions that they might have (i.e. questions that can help them establish if the property is genuine such as information about the area). Look at it as an opportunity to ‘sell’ the benefits of your property, help them make up their mind and provide some reassurance for both yourself and the guest regarding who is involved in the rental. Remember, that establishing a personal relationship might also help when it comes to leaving online reviews too!
2 – Consider offering payment by credit card. Even if it is just the deposit.
Whilst we appreciate it is not always economic for property owners to accept credit card payments, it offers holiday makers more security and we strongly urge owners to consider accepting this form of payment.
We can’t tell owners not to accept bank transfers, but we do need to point out that they can leave the holiday maker open to the risk of fraud due to email identity theft as described above. Whilst bank transfer is a popular payment method, until banks offer “charge backs”, or similar levels of protection, it is fast becoming the industry’s least favoured approach due to the risks faced by guests. There are additional costs associated with taking credit card payments which can be hard to justify if you only have one rental property. However, it is likely that demand for this payment method is going to increase in the future, so we recommend owners making provision for accepting credit card payments as it could help secure bookings.
Paypal Buyer Protection: Are cottage rentals covered?
So, are holiday rental payments made via Paypal protected? Paypal offers a payment gateway for money transfer and is a payment method that is regularly used by rental owners. However, PayPal’s “Buyer Protection Scheme” has exclusions which include “real estate” and “services” transactions as well as transactions which have “multiple installments” (such as a deposit followed by a final balance which is the case for many cottage bookings). Thus meaning holiday rental payments appear not to be covered by Paypal’s “Buyer Protection Scheme” as confirmed by a Paypal administrator. It is also worth noting that if payment is made via Paypal using a credit card, it is unlikely that it would be protected by the ‘safety net’ of Section 75 as services purchased through an intermediary (such as Paypal) appear to not be covered (find out more from MoneySavingExpert.com).
As owners, we must be extra vigilant for phishing emails and take online security seriously as the threat of being caught up in online fraud is a growing risk to us all. Whilst the incidents are isolated, they are terribly distressing for everyone involved. Just as owners are subjected to scams and the risk of fraud, so are holiday makers and indeed anyone purchasing online. However, there are a number of things we can do as owners to help protect ourselves and provide additional protection to our guests.
Online fraud and internet crime (financially motivated) can be reported to Action Fraud.