Gavin Wright : making the most of OD / HA changes

Post scam emails to warn other rental owners, or if you are not sure if an enquiry is genuine, put it up here and see what others think.
Zingara
Posts: 618
Joined: Tue Apr 09, 2013 8:36 am
Location: Antibes, PACA


Post by Zingara »

Dates: Available, Sep 12-26, 2015, 14 nights
Guests: 1 adults
Traveler name: Gavin Wright
Traveler email: View in your dashboard
Inquiry from: HomeAway.com
Message from Gavin Wright

Can you please let me know if your property is available for Easter? We are looking to book a full week.
I know it is a busy period, but maybe we can arrange something.

Have a nice day!

Complete with dashboard button, which takes you to a page to enter your password.
Interestingly, I've looked at the dashboard, via the OD site (no enquiry), but I had to 're-verify' myself with a text code to get in....
annedab
Posts: 762
Joined: Tue Oct 18, 2005 5:02 pm
Location: Midi Pyrenees

Post by annedab »

Gosh, Easter is *really* early this year...... 8)
Regards

Anne

If there's no such thing as co-incidence, then why is there a word for it?
Casscat
Posts: 2692
Joined: Sat Jul 05, 2014 10:43 pm

Post by Casscat »

Easter in September?

I am concerned about this fake HA enquiry thing. I hope you have passed it to spoof@ but the whole point of 'enquiries via dashboard' is to cut down on fraud. Lack of SMS could be a clue, but the scammers are getting more & more sophisticated it seems :(
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

The dashboard idea is a Heaven sent opportunity for scammers and I imagine there's going to be a lot of similar attempts with fake "Dashboard" buttons. Obviously nobody should click on a button in the email, no matter how genuine it may look, but it's guaranteed that a lot of people will click on it, particularly in the excitement to answer an enquiry, and before people familiarise with using the system.
When OD advertisers were being targeted with the "Please sync your information" phishing scams the scammers were pretty sophisticated and they're still out there waiting to harvest yet more owners' details and intercept their bookings.
The number of properties makes the big sites - not just HA/OD - an obvious target for the criminals. With the previous scam OD tried to pretend it wasn't happening; maybe they've now learnt something and will proactively email all their advertisers with a heads up warning of the risks and likely methods that could be used to extract vital security information.
Maybe they have already? Maybe every contact form now has a big warning saying never, never, ever follow a link to your dashboard, always follow the standard login procedure....?
There's nothing they can realistically do to eradicate the issue, they must accept the responsibility to educate their advertisers.
Sam V
Posts: 1707
Joined: Fri Nov 20, 2009 1:45 pm
Location: Villa in Gale, Algarve, Portugal. At home in Fetcham, Surrey, UK

Post by Sam V »

What a coincidence, I'll post this separately too

Available: Sep 12-26, 2015, 14 nights
Guests: 4 adults
Traveler name: Emma Martinez
Traveler email: View in your dashboard
Inquiry from: HomeAway.com
Message from Emma Martinez

We are jewish and we would love to book your property for next year's Hanukkah ( starting December 6th) for a full 2 weeks. Is it available? Please let me know.'
I know it is a busy period, but maybe we can arrange something.

Have a nice day!
TA lurkers walk among us; the LMH Walking Dead

don't mess in the affairs of cats for they are subtle and will p on your computer.

www.algarvevillatrinity.co.uk
www.facebook.com/villatrinity
www.gardenerscottage.promotemyplace.com
tavi
Posts: 2578
Joined: Wed Sep 14, 2011 9:07 pm
Location: Algarve

Post by tavi »

I would have clicked the "view in dashboard" link probably too...(forgetting my own advice of not to click on a link in an email).

And, to be honest, if it had led me to a spoof OD log-in page I'd have probably given them my log-in details too... OD's new systems have muddied the waters...sometimes your device remembers the code, sometimes it doesn't. Use a different IP address and you need a new text code....as GB says it's a new opportunity for scammers.
Zingara
Posts: 618
Joined: Tue Apr 09, 2013 8:36 am
Location: Antibes, PACA

Post by Zingara »

As I've had a variety of mis-matched (genuine) enquiries since the OD 'improvements':
text only
e-mail only
Direct VRBO and HA enquiries
I didn't think twice about clicking on the link, as this e-mail was in seemingly 'real' formatting of e-mail enquiries, even though the dates didn't match....however the page I was taken to was quite clearly NOT the OD website, and so didn't enter my password, fortunately.
Yes, I forwarded it to the 'spoof' address straight away
I should have borne in mind what someone mentioned previously about not using the 'in-email' button, but it's such a pfaff when busy ...
:?
Last edited by Zingara on Sat Jun 13, 2015 10:21 am, edited 1 time in total.
newtimber
Posts: 1945
Joined: Sat Nov 24, 2012 5:57 pm
Location: Brighton

Post by newtimber »

tavi wrote: Use a different IP address and you need a new text code....as GB says it's a new opportunity for scammers.
I'm sure they wouldn't have done this on IP addresses as for most people these change every time they connect to the internet. I think they do it on MAC address of the device you're using.
Casscat
Posts: 2692
Joined: Sat Jul 05, 2014 10:43 pm

Post by Casscat »

I have had a run of new enquiries and for each I have logged onto HA/OD as appropriate. I would never just click from an email, but then not every advertiser on HA is all that savvy. However this trick is no different to the myriad other variations on the same theme because HA, OD and all the others send email notification of new enquiries and always have done, usually requiring a log in to read them initially.
French Cricket
Posts: 3058
Joined: Thu Apr 10, 2008 3:47 pm
Location: French Pyrénées

Post by French Cricket »

greenbarn wrote: The dashboard idea is a Heaven sent opportunity for scammers and I imagine there's going to be a lot of similar attempts with fake "Dashboard" buttons.
Absolutely - and I wondered how long it would be before the scammers cottoned on to it. Even cynical old me though didn't think it would be that fast.

But no, GB, there has been no communication from OD about it, no warnings, nothing. Are we surprised? No :roll: .

Now that OD is chasing the hobby owners - who by implication are likely to be less clued up and vigilant - with their commission options we can expect more, more and yet more successful holiday rental scams. It really doesn't bode well for any of us, whether we're directly connected with OD/HA or not :cry:
newtimber wrote: I'm sure they wouldn't have done this on IP addresses as for most people these change every time they connect to the internet. I think they do it on MAC address of the device you're using.
Yes, it's definitely not IP address - I've logged in from the same device from various IP addresses, while I had to authenticate from a different device on the same IP address that I'd just logged in from on my main device.