CLEVELAND — It's the most popular home rental site in the world. And with so many travelers using Airbnb to find cheaper deals than hotels, they're ripe for the picking for scammers.
Even the most seasoned vacationers can get duped like, travel bloggers, Nick Wharton and Dariece Swift. They were one click away from getting taken for about three thousand dollars.
Known as the Goats on the Road, they've been booking their travel on Airbnb for years. And while planning a trip to Lisbon, Portugal,they were lured in by a great deal on an apartment on craigslist, which was also listed on Airbnb.
Nick explained, “I think it would have been about half of all the places we had seen on Airbnb for the price range. That should have been the first real red flag for us. But you are blinded by the price.”
On Airbnb, they would have had to pay about $3,000 for 3 months. But for less than $800 dollars a month, they found what they thought was the same one bedroom on craigslist.
The scammer even insisted they do business on the Airbnb site for safety. But the link they were sent was not from Airbnb at all, despite having the name in the URL.
The biggest tip off for the couple was that the exact address of the property was listed. It’s something Airbnb doesn't show until after you book, to protect the owner’s privacy.
"We both decided to do a Google search,” Dariece said. “So, we went and said, ‘Airbnb scam’ and we put in the exact URL (of the link they were sent). And a bunch of comments came up.”
Nick added, “And they had all lost money. One of them had written that they lost like $60,000 or something.”
Threat Security expert Alex Holden of Hold Security said that during the time of our interview, “There are at least 2,700 malicious websites that these bad guys created.”
And he gave us a rare glimpse into the dark web to show us how it's done.
One set of criminals sets up a fake URL platform to sell to other thieves so they can post fake listings.
He showed us 95 fake properties and their status. For example, “If this person was invoiced or just inquired about a listing,” he explained. “There are also other components. It shows the leads, it shows traffic to their website.”
But that's not the extent of the thieves' handiwork.
Barb Balasz, who has an Airbnb account, said, “I had gotten an email stating that they had $129 taken out of my account for my trip.”
It was for a trip to a $40 dollar a night apartment in Indonesia that she didn't take.
And Barb is one of many people we found who paid for someone else’s rental after their accounts got hacked as part of a different scam.
“They had my account under somebody else's name in another state. But I said, ‘you guys took the money out of my account and you better fix it soon’,” she said.
The company did.
Cyber experts say the hacking likely happened because Barb reused a password from another account and thieves bought it on the dark web.
Tony Pietrocola, president of Agile1 Cybersecurity, had some advice for Airbnb customers.
For the fake listings, simply never stray from Airbnb’s site.
As for protecting your accounts, he said, "When you're dealing with credit card companies, have an old computer or an old tablet that you just do financial transactions on. No browsing. No email. This way you can stop any type of scam that might come your way.”
Here is the full statement from Airbnb and advice for consumers:
"Travelers can help keep themselves, their payments, and their personal information protected by staying on our secure platform throughout the entire process—from communication, to booking and payment. Airbnb will never ask you to pay for anything outside of our site, through email, or through a third-party booker."
1. If you arrive at a site that looks like Airbnb through an email link or other kind of redirection, ensure that the address contains "https://" and doesn't contain any odd additional characters or words. The main body of the address should simply read "airbnb.com." For instance, "airbnb-bookings.com" or "Airbnb1.com" are all invalid web addresses. When in doubt, you can always type "https://www.airbnb.com" directly into your browser to get to the Airbnb website.
2. Be wary of emails that ask you to click a link and enter personal, sensitive information. Email filters are becoming increasingly effective at screening malicious content, but they'll never be perfect. Staying aware and keeping a watchful eye for these fake emails or malicious sites will always be your best defense.
3. Look out for emails that have a false sense of urgency. For example, "Unless you click this link your Airbnb account will be disabled," or "Your account has been compromised, click here to view details." Sentences like these should be a tip-off—especially if they don't come from a recognized @airbnb.com email address. We provide information on our website on how to identify if an email is from Airbnb.
4. Keep yourself, your payment, and your personal information protected by staying on our secure platform throughout the entire process—from communication, to booking and payment. You should never be asked to wire money, provide credit card information or otherwise pay a host directly. If a user receives a personal email from anyone (including an firstname.lastname@example.org or any other email@example.com email address) asking them to pay or accept payment off-site, immediately report it to us and end communication with the sender.
More from Danielle Serino: