Naked Security Naked Security

Airbnb – the heartache of fake holiday scams

Scammers are using all sorts of techniques to get around Airbnb's anti-fraud detection. Don't get caught out!

Here’s another Airbnb scam story, straight from the balmy, beach town of Esperance in Western Australia:

As ABC News tells it, last weekend, a family of “some very nice people” – also known as utter strangers – showed up on the door step of Carmel Creed.

I opened the door and some very nice people were there going, ‘Is this the B and B?”

And I said, ‘I think you’ve got the wrong address’.

Oh, no, couldn’t be: they had paperwork. They showed it to Ms. Creed, who’s never listed her property on Airbnb. But there it was: an exterior shot of her house, plus another photo that seemed more generic.

It didn’t take long for the realization to settle upon them all: it was a fake listing, and these nice people, who’d driven 4 hours south to get to their vacation spot, had been had.

We were just standing there not knowing what to do really.

Awkward!

Airbnb refunded the family and permanently banned the fake host from the platform, a spokesperson told ABC News. They said that there have been over 180 million guest arrivals on Airbnb, and bad experiences like this one are “extremely rare.”

Well, maybe, but this scam sounds near identical to plenty of others we’ve seen. For example, there were the travelers who booked a flat in Barcelona that they’d found listed on Airbnb. The flat turned out to be a fake, just like that Esperance home in Western Australia.

Although Airbnb promised to investigate and removed the bogus listing, the Barcelona-bound fraud victim found an article that reported, a week before their attempted booking, that the very same flat had been used to scam another customer. To rub salt into the wound, that same flat popped up again, 24 hours after Airbnb had removed it, and stayed up for another 48 hours.

In other words, the flat was a known bad apple, but somehow, Airbnb couldn’t keep the fraudsters from re-listing the same property multiple times.

How does Airbnb (try to) fight off fraud?

Airbnb says its Trust and Safety team works “day and night” to help protect guests and hosts from bad actors who attempt to abuse the platform. It has a real-time risk detection system that uses machine learning to detect and stop fraud before it affects its users – at least, that’s what’s supposed to happen.

But AI or no AI, real-time fraud-squashing or no, scams don’t seem to be packing their bags. Fraudsters have found it a delightful platform to visit. Back in 2015, right around the time that Airbnb Engineer Manager Eric Levine was talking up the machine learning fraud detection, Gizmodo’s Matt Novak submitted a Freedom of Information Act request with the Federal Trade Commission (FTC) asking for any complaints filed with the FTC about Airbnb.

Gizmodo stripped out some names, contact information and bank information and published 22 stories of swindles. The common denominator for most was that victims got talked into going off the site to wire funds to people posing as property owners. Some of the victims lost thousands of dollars.

How does that happen, given Airbnb’s zealous, automatic redacting of email addresses, street addresses and phone numbers, which can’t be shared before a reservation is made and a credit card number gets safely sucked into the company’s system?

Fraudsters have their ways. One is to add an email to a property photo and tempt people to contact them directly to get a better deal. You can see some examples of this scammy workaround on AirbnbHELL, a site that collects what it claims are uncensored stories from hosts and guests.

The Airbnb advertisement clearly said “contact me by email.. since Airbnb is too slow”. Of course.. the app didn’t work and I’ve tried to contact them. Then after I emailed them… everything goes all smooth as expected. Scammer asked me some fake details… then pushed me for transfer money urgently… and that’s the story. When I tried to see my apartment after sending the money, the advertisement and user disappeared. Bank was contacted… no help there. Police also… no help there. Airbnb… of course… “let’s see… we’ll report it…”…but I guess that was the extent of their response.

Other times, Airbnb scam artists set up classic phishing sites. As Sarah Ruiz-Grossman and her fiancé found out, the sites can look nearly identical to the real Airbnb, like so:

They got talked into going to the phishing site above after making the classic rookie mistake of contacting a fake host by emailing them directly, off the Airbnb platform. Nope, they had been told when they first asked about the apartment, it isn’t available to house your wedding guests. But we have other, great three-room apartments (supposedly listed on Airbnb) – here are the links!

The couple followed the instructions emailed by the imposter host, wiring a total of $3,800 to reserve two apartments. Goodbye to that chunk of change!

There’s also been at least one email phishing campaign that impersonated the company and redirected users to a fake Airbnb login page that tried to steal Airbnb users’ credentials.

Airbnb’s other security tools include its Verified ID feature. Verified ID is used to tie users’ online identities to real people in the offline world by use of information such as their Facebook profile, phone number, email address, or government-issued ID.

…which can all be faked. Take, for example, Facebook IDs: back in 2014, Facebook estimated that at least 67 million accounts were fake.

…which brings us to the “what’s old, what’s new” question about Airbnb’s fraud-fighting arsenal. When ABC contacted Airbnb about the Esperance swindle, Airbnb said that it’s recently introduced new fraud detection technologies that include online behavioral analysis and real-time detection that uses machine learning and predictive analytics.

…which sounds pretty much like what it was using back in 2015. So, what’s the “new” part of the equation? I contacted Airbnb for details and will update the article if I hear back.

But whatever new technologies it’s adopted, the scams are still going strong. Of course, we can’t hold Airbnb to blame if people get talked into wiring money off the platform, which they persistently do, regardless of how strenuously Airbnb tries to warn customers against it.

But there are other question marks about Airbnb’s fraud detection. For example, about that Verified ID feature: just a few months ago, in April, the UK consumer group Which? decided to test out how well the feature would detect a fake account deliberately set up to look fraudulent.

Which? set up fake listings on Airbnb, Holiday Lettings and Home Away, all with nary a scrap of ID, it said. (HomeAway was the only one to demand photo ID, although it told Which? on the phone that the group could avoid the requirement if it paid a £478 annual subscription.) In other words, Verified ID?! Oh, please!

To set up our fake listings we only needed an ordinary ‘pay as you go’ phone, some photos of an apartment and email addresses that we set up in less than five minutes.

Despite the fact that Airbnb asks travellers to provide a scan of their passport or other photo ID and a link to a social media account before they can book an apartment through the site, at no point were we asked to prove our identity before listing an apartment.

Then, Which? blew another raspberry at Airbnb’s rules by providing a contact email on the listing. The address got removed … but not for long. The consumer group added the email address back in, apparently without Airbnb noticing.

We found it easy to include a disguised email in the description of the apartment, or embedded in a photo.

What does a fake ad have to do to get removed? Well, it could try flagging itself as fake. Which? used Airbnb’s reporting mechanism to do just that. And it worked… Eventually. But the fake ad was up and active for 13 days. That’s nearly two weeks during which a real fraudster could have scammed a number of people.

This is how Airbnb responded to the Which? Investigation:

Airbnb has denied there are ‘thousands’ of fake listings on its website, but wouldn’t commit to an estimate. It also told us: ‘We are reviewing the results of the Which? investigation as we are constantly looking for ways to stay ahead of fraudsters. The most important thing to know is that as long as you stay on the airbnb.com platform and only send money through Airbnb, you will be protected. We are looking at ways to provide additional warnings about these scams, as well as making it easier for users to contact us directly by phone.’