Jan. 25, 2017
As tech-savvy short-term rental operators, we're set up with a high level of automation. With a solid payment processing procedure in place and Airbnb to rely on for guaranteed payouts, we didn't give payment fraud a single thought. We're an experienced property management company—what could go wrong?
Booking.com was a new feat for QuickStay. Payment was handled differently, as it was suddenly on us to collect from the guest. One day, after logging in to process a payment through the Booking.com extranet, our guest support team noticed something strange: the credit card was missing the CVC code. Without this code, we can't process the card through our provider, Stripe. We hit the "invalid credit card" button, but after a couple of minutes, we received a new credit card, still missing the CVC details. This time, however, the card had a name that was different from both the previous name and the reservation name.
We suspected it to be fraud and immediately tried to call the guest, only to find out that the phone number when dialled did not have a standard ringtone (it sounded like a cheap VOIP connection). No one picked up and the call disconnected after each attempt. Within minutes, we received an SMS from the same number saying, "I can't talk, just message me."—HUGE red flag. Our guest support team replied to the guest saying that if we can't get a hold of them over the phone, we'll need to cancel the reservation.
After a couple of messages back and forth, threats of cancellations and strange exchanges through the Booking.com portal and SMS, we called our Booking.com rep to explain the situation and ask for advice. His suggestion? "Try running the card again." But how can we run the card without a CVC code? We can't—it was fraud! After a lengthy conversation with the rep about safety and Booking.com's "commitment" to its "partners," our team concluded that because it's not in their best interest to combat these issues, they're OK with putting operators at risk.
Shortly after making this conclusion and forcing Booking.com to cancel the reservation, we got a call from the same number. A young French woman was on the line saying she's been driving for nine hours from Quebec City and really needs a place to stay. We replied with "too bad" (in a much nicer way, of course) and hung up.
After a quick Google search of the name and the phone numbers, our guest support team found out that we had been interacting with an escort service. We started reading online to find that it's a common practice for these services to book through Booking.com. They usually go for a same-day or next-day reservations using fake credit cards, only to leave the operator with thousands of dollars worth of damage and no way to recover the funds or pay for repairs.
To find out home common this is, the CEO at QuickStay reached out within his network. He heard from one of our cleaning vendors that such incidents have happened to their clients on multiple occasions. Apparently, it's becoming a real issue, particularly in the low season (winter months). She once walked into a fully-destroyed unit, with dark stains on the walls, ripped couches, two escorts and their pimps hanging out inside. A short-term rental operator's worst nightmare.
This and a few other instances of fraud caused us to re-evaluate our policy on Booking.com. How could we still use the platform as a channel, bring in the good guests, but greatly reduce its associated risks? We immediately disabled the automated messages upon booking confirmation and removed same-day and next-day reservations. That took care of the escort services. The next thing we did on the platform was enabled credit card verifications, so Booking.com would process a small amount on the guest's card to make sure it's valid before accepting the reservation and passing it to the property. We also added a requirement for guests to provide us with their full address and credit card's CVC code at the time of booking. Now, when a reservation comes in, we first check if the name on the card matches the name on the reservation. Then, we Google the name and phone number to see if it pulls up anything suspicious or out of the ordinary. Finally, we go one step further by searching social media—Facebook and LinkedIn—in an attempt to put a face to the name.
To minimize risk even further, we changed our payment terms to charge 100% of the reservation at the time of booking. If nothing suspicious arises from the guest, we charge the card for the entire amount and send a confirmation via email. We try to have a short and sweet interaction with our guests to determine their intentions of staying with us. We'll give each guest a call, asking them the purpose of their visit, their plans and where they're coming from. If we deem the communication successful, we manually forward the check-in instructions to the guest. By implementing these practices, we were able to get better bookings and reduce fraudulent behaviour.
If you want to protect your properties and your business, make these your default policies on Booking.com.