By now I expect anyone who reads this will have received at least one phishing email, maybe some rather suspect phone calls and possibly some bank statement irregularities. This is a subset of a global underworld and is just one method which attempts to extort information and maliciously create fake bookings, fraudulently divert funds and even hack your bank accounts!
The following is a summary of the target entry points and methods used to divert money from the correct booking channels, your bank account and the systems you use. Every single one of these we have experience of. These attacks cost time and money, but are generally preventable.
Your Bank Account
Much has been said about the lack of security of online banking, and many people are nervous of trading, transacting and transmitting money via these systems. Nearly all banks use various ways of identifying clients who log in: passwords, memorable phrases and firmware. This is supported by various IP checks etc. There are all manner of elaborate ways of removing funds, but they rely on poorly trained bank staff and some largely unknown banking transaction facts.
As an example, small value direct debits may be set up from major companies on your bank account. These new transactions can be used as identification questions when calling the bank.
Be careful about running your domestic bank account and business account in the same branches or having them linked in any way. Commercial accounts may have firmware transaction authorities and are harder to break into; they can be compromised by staff carelessness, but are less likely to cause issues.
Personal identity theft, however, means your bank details may be stolen. A largely unknown fact is that if fraudsters hack your personal account they may be able to “reverse” into your commercial one, transfer out to the domestic account and then remove funds quickly. In the VR industry all elements of identity theft can cause issues, from access to your bank account to guests who aren’t who they say they are!
Other attempts have involved fake cheques and wire transfer forms handed in to the local bank with a request to transfer funds out. Fortunately there are greater safeguards on identity these days, and large value paper transfer requests are unusual and flag up warning signals.
This is the most common of all vacation rental frauds. In its simplest form, photos are stolen from the owner’s site or a listing site, the descriptions are often re-written, prices are made much more attractive and availability is shown in peak periods. This can be replicated on a listing site with fake contact details (email and a PAYG phone). Enquiries are replied to and direct wire transfers are requested for the booking to the fraudster’s account, from where the money is transferred on.
a) As mentioned above, this is increasingly common. An email is delivered that looks like a genuine brand email, suggesting that you need to log in via a link that redirects to a look-alike site, where the user tries to log in and hence gives away their username and password.
b) An even more malicious version is an attempt to force or elicit the download of a program via a link. This can have all manner of disastrous consequences, from wiping hard drives to monitoring and relaying all keystrokes and hence giving full access to your activities.
This is happening in all industries and many of these emails are very convincing, trying to create a sense of “panic” or presenting an upgrade, an update or an unmissable offer.
A HomeAway example from their website
Technology & Card Data
The world is being warned continually about trading online and what to look for. Many companies and individuals take money via credit or debit cards and these should be handled securely without card data storage, unless the company complies with some very rigorous standards on technology, facilities and staff.
Many systems are still storing credit card details, online and offline. Websites with poorly designed systems are easy to breach, and offline storage is exposed to simple theft or staff temptation.
Poor site technology can also allow code injection, which can be used to monitor activity, target unwary site visitors with injected code or even redirect your traffic and enquiries.
We all have a personal weathervane in our minds. Speaking to guests, or even emailing them, can give a good indication of the type of person who may book. Remote and unqualified booking can be more risky.
Online booking marketplaces can serve up security issues. Some sites are worse than others, but fraudsters know the ropes. A last minute booking for a night or two can be made on arrival via a stolen credit card, and by the time they have left and the card is recharged, the damage is done. People have been known to arrive and ask to pay by cheque, which takes days to clear, with the same effect.
Add in the fact that people are inclined to take liberties, arrive with more guests and maybe pets, or be a group of underage individuals or even be using the place for illicit purposes and the gun is loaded!
Many fraud attempts are long and protracted and these long plays are generally attempts to break into bank accounts and transfer funds, but may also be a short term opportunity to redirect communications with guests.
One ploy is for a fraudster to call a phone company, tell them there has been a fire or water leak and ask them to temporarily re-divert the number. Thereafter calls to the bank are made requesting call backs as part of these elaborate scams to elicit sufficient information to ensure false representation and bank access.
Policy Management and Staff Training
This is more about training than about theft. Downloads, phishing, unusual calls, suspect bank entries, regular password changes and more all need drilling into the system. Staff are only human, BUT they are one of the easiest targets to fool unless properly trained and alert at all times.
Any company transacting money and representing owners needs to address an increasing range of fraudulent activities. A combination of good practice, policy updating and technical implementation is very important.