When Aiste, a biotechnology researcher based in Boston, planned a family trip across Europe, she turned to Airbnb to book 15 different accommodations across several weeks of travel—including one in Dubrovnik, Croatia. The villa was modern-looking, with a pool and beautiful lighting, and she was excited to find a space that looked nicer than others in her price range.
But soon, red flags also caught her attention: The hosts requested that Aiste—her last name has been withheld for privacy—email them directly rather than booking through the site. (Airbnb specifically discourages users from doing.) Even though this was clearly a stunning property, the profile listing didn’t have many reviews.
The dates she requested happened to be available, and the host asked her to send over a copy of her driver’s license for approval—a standard practice on platforms like HomeAway and VRBO and didn’t seem abnormal at the time. After the booking was confirmed, the host asked Aiste to wire $2,800 to an account titled AIRBNB GB LTD.
At the last minute, she decided not to wire the money. She forwarded the listing to Airbnb, which investigated it and told her it was a scam. Aiste, who has a master’s degree from Stanford University in genetics and considers herself “quite technology savvy,” was surprised at how easily she almost fell for the pricey scam.
“We are taught in the real world to operate with good faith, but a whole different set of rules applies when you’re online—and some of us don’t realize how true that is until something like this happens,” she said.
A growing problem
This is a vintage Craigslist scam being retooled for the latest vacation rental apps, experts say. But while Craigslist has been widely known to attract scam artists, criminals benefit from the “halo effect” that trusted and familiar sites like Airbnb bring them. Scammers are also getting better at tricking victims, using Photoshop and other tools to make listings and emails look identical to the real deal.
This scam was particularly believable, Aiste noted, because she had booked with Airbnb in the past and knew that site’s real emails came from its automated messaging service at @ssl.airbnb.com. The scammers sent messages from the nearly identical @ssl-airbnb.com. They also copied the official Airbnb email template nearly exactly.
“Phishing scams have become so sophisticated now,” Choo Kim-Isgitt, head of product at EdgeWave, a cybersecurity company that monitors email security, said. “Unless you have a trained eye, it’s near impossible to tell if a sophisticated phishing email is fake.”
Such hoaxes are common on vacation-rental apps, said Sinan Eren, founder and chief executive officer of security company Fyde. Unfortunately, they’re increasingly difficult to spot. “You find a listing that is most always booked, download all of its photos, and copy and paste the same description,” he said. “It’s a perfect crime in that sense.” As the most popular listings are often booked, they do not come up in most searches on the site.
How to steer clear of these scams
Airbnb has a number of security measures in place to prevent these kinds of scams: The platform uses machine-learning to detect fake listings before they go live and puts a warning to warns users not to go off the platform on every page of the site.
“Fake or misrepresented listings have no place in our community and our team is working hard to constantly strengthen our defenses and stay ahead of fraudsters,” an Airbnb spokesman said. “We’ve introduced security tools to help tackle fake listings and educate our community about staying safe online, including more warnings.”
As long as users book through airbnb.com directly and only send money through Airbnb, they will be protected and refunded if a scam does occur. The Airbnb spokesman said if a user ever receives a suspicious looking email, they can report it to the Trust and Safety Department on firstname.lastname@example.org, which will fully investigate.
Here are other tips for new twists in an old scam, which apply to all situations—not just Airbnb.
• Look for obvious flaws in the email: Do a quick search to make sure the email address of the sender or the URL that was used is legitimate. For example, “Airbnb” versus “Airdnb.”
• Don’t click on links: This is an easy way for hackers to direct you or redirect you to a malicious site. Remember, the sites look very realistic so you may not be able to tell if it is fake.
• Don’t provide personal information and/or credentials to any site claiming you need to do an update. If a site alerts you to a security flaw by email, like TwitterTWTR, +0.22% did this week, go directly to the website to change your password rather than clicking on a link sent by email.
• Be sure to use security measures that allow you to submit suspicious emails, like forwarding a message to Airbnb’s security team or to your office’s IT department for analysis.
Read the full article at Market Watch