Payment instructions allegedly from HomeAway look fishy to me

This is a scam. There are several red flags. With one of them, I’d be highly suspicious. With the trifecta, it’s definitely a scam.

• Using a slightly different domain name which is one of many possible variations on the company’s main domain name. Sometimes it’s the same name with a different toplevel name (e.g. company.com and company.eu), but those are often legitimate. Often it adds something to the company name, e.g. here company-eu.com vs company.com.
  Note that having the suspicious domain redirect to the legitimate domain when you browse it on the web doesn’t prove anything. The scammer can do that. If the site is HTTPS and the certificate contains both domains, then it’s probably legitimate, but beware that it can be difficult to tell as a layman — there are many loopholes that scammers can exploit.
• Using a payment method that cannot be reversed such as a bank transfer. As far as I can tell (I’ve never used that service), HomeAway acts as a middleman and accepts credit card payments. Credit cards are no good for scammers because you can cancel a payment. With a bank transfer, when it’s done, it’s done.
• Requiring a fast payment. Obviously a legitimate payment will have a deadline, but it’ll typically be a fixed number of days before the rental starts. The scammer wants you to pay now and not take the time to think about it. A legitimate business partner also wants you to commit, but it’s more important from the scammer, because if you hesitate with renting a property, you remain in the market for renting a property, whereas if you hesitate with falling for a scam, you might realize it’s a scam.
• A destination account whose name and location doesn’t match the company.
• Scams often have poor grammar and spelling. Supposedly that’s to be psychologically aligned with people who are more likely to fall for the scam.

Note that this is not a problem with HomeAway. The scammer is impersonating HomeAway.

You may report the scam to HomeAway. Realistically, there isn’t much they can do, other than put up a warning about scams on their web page. They may be able to shut down that particular domain, but a domain is extremely cheap. Shutting down a scammer usually requires tracking them through multiple jurisdictions and is hard.

This situation has a couple strong parallels to common housing scams.

Rental scam #1 – the cloned listing

This is one of the most popular Craigslist rental scams, perhaps because it’s so cheap to execute.

The scammer copies and pastes information from a legitimate rental ad, and then offers a price that’s literally “too good to be true.”

If you respond to the fake ad, the scammer may invite you to drive by the property to view the exterior. What they will not do is give you a tour of the interior. That’s because they are “on vacation” or otherwise unavailable to show the place.

I found many "out of town" landlords when I was apartment hunting recently, and while I don’t know for sure whether they were fraudulent (I steered clear), I would be highly suspicious of agreeing to such an arrangement without being able to physically tour the apartment.

Just looking at the domain name:

• homeaway-eu.com – registered in 2018
  • registrar: NAMECHEAP INC
  • registered by: information hidden
  • email account hosted by: privateemail.com (which is a product of NameCheap domain registrar, essentially it’s a 1 minute job to create an email account there)

Whereas:

• homeaway.com – registered in 1998
  • registrar: MarkMonitor, Inc.
  • registered by: HomeAway.com, Inc.
• there is even a homeaway.eu – registered in 2006
  • registrar: MarkMonitor International Limited
  • registered by: Vacation Villas International GmbH
  • no email accounts

A legitimate website normally creates a subdomain (i.e. eu.homeaway.com), or they use homeaway.com for emails but add a slash in their website (i.e. homeaway.com/eu), or lastly might buy a different domain name still preserving the name (i.e. homeaway.eu – though I don’t know whether this is an official one). In this case, having a domain like “homeaway-eu.com” and using a different registrar seems fishy.

I would get in contact with the real homeaway.com by either an email or phone number on their website to confirm any details before transferring money. Otherwise, I would simply say ABORT.

EDIT: Also, by looking at the SSL certificate of homeaway.com, these are the official domains allowed to be used with that certificate:

abritel.fr
aluguetemporada.com.br
bedandbreakfast.com
clearstay.com
escapia.com
fewo-direkt.de (and luxus.fewo-direkt.de)
homeaway.at
homeaway.ca (and fr.homeaway.ca)
homeaway.co.nz (and www.homeaway.co.nz)
homeaway.co.uk (and luxury.homeaway.co.uk)
homeaway.com (and www.homeaway.com; investors.homeaway.com; professionalreferral.homeaway.com; software.homeaway.com; tech.homeaway.com)
homeaway.com.ar
homeaway.com.au
homeaway.com.co
homeaway.com.mx
homeaway.de (and www.homeaway.de)
homeaway.dk
homeaway.es
homeaway.fi
homeaway.fr (and www.homeaway.fr)
homeaway.gr
homeaway.ie
homeaway.it
homeaway.jp (and www.homeaway.jp)
homeaway.lk (and www.homeaway.lk)
homeaway.mx
homeaway.nl
homeaway.no
homeaway.pl
homeaway.pt
homeaway.se
homeaway.sg (and www.homeaway.sg)
homelidays.com
homelidays.es
homelidays.fr
homelidays.it
ownersdirect.co.uk
stayz.com (and www.stayz.com)
stayz.com.au
travelmob.com (and www.travelmob.com; au.travelmob.com; de.travelmob.com; es.travelmob.com; fr.travelmob.com; it.travelmob.com; uk.travelmob.com)
vacationrentals.com
vrbo.com (and traveler.vrbo.com)
www.homeaway.co.id
www.homeaway.co.in
www.homeaway.co.kr
www.homeaway.co.th
www.homeaway.com.cn
www.homeaway.com.my
www.homeaway.com.ph
www.homeaway.com.sg
www.homeaway.com.vn
www.homeaway.hk
www.homeaway.tw