For Chris and Annie, a two-week break in the France is the perfect way to unwind. The couple and their two little girls take a scenic drive down through the French countryside before arriving at their rented site. ‘We choose locations with their own pool where the children can play and we can just get away from it all,’ says Chris, 42. This January, the couple and their daughters, Jessica, nine, and Emily, seven, were more in need of a quiet break than ever. Just after Christmas, Annia, 39, went onto the Owners Direct website to search for a property. The family loves the site for the sheer variety that it offers.
Owners Direct, which was launched in 1997, works like an online travel brochure. Thousands of properties are advertised on the site, from cheap, cheerful apartments to luxury houses costing several thousands a week. Owners pay the site S$450 a year to advertise their properties — and reach a much larger audience than if they had advertised privately in magazines and on the internet. Holidaymakers browse through the properties to find one they like, then contact the owners ‘direct’ by clicking the ‘Enquire Now’ button. During this process, the renters fill out an online form that asks for their email address. The villa owner then receives an email from Owners Direct to say someone wants to rent his property. He can access their details by clicking on the link and logging in to his Owners Direct account. From then on, owner and renter deal directly to arrange contracts and payments. Of course, there is always an element of caveat emptor — buyer beware — when buying anything online and this is no different. And now the website is at the centre of a scandal that’s affected at least 12,000 property renters worldwide.
‘We’ve used Owners Direct for years with no problem, so when Annie spotted a place in a pretty little town called Fiac, she emailed the property owner via the website,’ says Chris. ‘A man called Hamish responded and, after we’d corresponded over email, we agreed to rent out the property in the first week of August.’ Hamish, emailing from a Hotmail account, asked if we could send the money to his online bank account. ‘I thought it a little odd to ask for all the money at once but because we didn’t want to lose it, we paid S$4200 into Hamish’s bank account and that was that.’
But the money had not been deposited into the property owner’s account at all. Yes, the property owner was called Hamish. But retired lawyer Hamish Porter had no idea the family were keen to rent his holiday home, let alone that he had allegedly been ‘paid’ for the privilege. Hackers had intercepted the family’s messages. It is believed they do this by sending owners like Hamish a fake enquiry from a potential renter — which looks just like a genuine Owners Direct enquiry. When the owner clicks on the link, it takes him not to the genuine Owners Direct page, but to a fraudulent duplicate webpage created by the hacker. When the owner enters his details onto this fake page, he unwittingly gives the fraudster access to his email account.
From then on, the scammer can pretend to be the owner, intercepting emails from would-be renters, replying, answering questions, sending out fake contracts and asking for payment directly into his own bank account — and deleting all evidence as they go. Hamish — the real one — says the first he knew about the scam was two weeks after Chris had made his booking when he got a phone call — his genuine number appeared on the Owners Direct website — from another potential renter. ‘He thanked me for sending a rental contract when I knew I hadn’t,’ says Hamish, 62, from London.
‘When I asked him more about it, it was clear he’d been defrauded by someone pretending to be me and I asked him to send me the email chain. He did and I still didn’t receive it because the perpetrators were intercepting my emails and deleting them. ‘I spoke to him again, set up a different email account using Gmail and asked him to send it again. That’s when it became clear what had happened.’
Hamish forwarded this email exchange to Owners Direct, and two weeks later learnt that four people — including Chris and Annie — had tried to inquire about the property through the site. ‘I obtained their email addresses from Owners Direct and emailed them — that’s when I found out two couples had lost money,’ says Hamish.
‘I felt extremely sorry for them. The other couple said they had sent their entire holiday fund to the fraudsters and now couldn’t afford to go on holiday. It also made me feel very exposed. If they can hack into my email, what else can they hack into?
‘I emailed Owners Direct again and asked if they were going to report it to the police, but they said it wasn’t their responsibility as it was my email that had been hacked. ‘I wasn’t very happy, surely I wasn’t an isolated case? The police would be more interested if the incidents were reported to them as one larger fraud. ‘But the website didn’t seem interested in pursuing it so, as far as I’m aware, nothing happened. My subscription lapsed in June, so I didn’t renew it, and now I’m only going to let it out to friends.’
When the family learned the truth — after the ‘real’ Hamish contacted them — they were devastated. ‘My wife was distraught, in tears,’ says Chris. ‘The real Hamish told me that the villa was already booked for the week we wanted and there was nothing he could do to accommodate us. ‘We contacted Owners Direct customer services, who said at first that because we hadn’t taken out their insurance there was nothing they could do. But, after several conversations, they eventually gave us back S$1400. But we’ve still lost nearly S$2000.’
Thankfully, the family were still able to afford to go on holiday — to a different farmhouse that they also booked through Owners Direct. This time they made sure they had proof the villa owners were genuine by asking to see an electricity bill for the rental property. ‘I’m just glad we found out before we’d set off or we might have turned up and had nowhere to stay,’ he says.
Owners Direct is part of U.S. parent company HomeAway, the world’s biggest villa rentals company, which has more than one million listings of homes in 190 countries. HomeAway’s chief executive Brian Sharples has publicly claimed that ‘phishing’ scams — when hackers pose as someone else to defraud a victim — account for around 0.1 per cent of the website’s transactions.
It may sound a small amount, but it’s no consolation to the thousands of heartbroken holidaymakers who lose money or find themselves stranded with nowhere to stay.