We have noticed a recent increase in phishing attacks targeting OwnerRez and email accounts. These attacks attempt to gain access to your OwnerRez account and other accounts linked to your email.
Anatomy of a phishing attack
In a phishing attack, an attacker will prepare a login screen that looks identical to the OwnerRez login at a similar domain. For example, OwnerRez using the word "owners" instead of "owner" or with a dash in it. They'll find your email address on a public site, like your booking website. Then, they'll send you an email alert that looks like an OwnerRez email with a link going to the fake login screen. If you type in your username/password, then the attacker will have your password. These attacks are getting more sophisticated, spending more time making the email and login look very convincingly similar to what you receive from OwnerRez.
We implemented two-factor authentication last year. This blocks many attacks because the attacker would need access to your email to get the two-factor code, even if they have your password. However, there still exists a potential vulnerability that could be exploited: If you use email 2FA and your email password is the same as your OwnerRez password, and you accidentally enter your password on a phishing page, then the attacker can gain access to your email. From there, they can retrieve the 2FA code and use it to log in to your OwnerRez account.
How to defend against phishing and maximize security? There are several things you can do. First of all, we support both app-based and email-based two-factor authentication. We've required at least email two-factor authentication for everyone as a baseline, but we recommend upgrading to app-based security as it's much more secure. If you had set up a two-factor auth app for both your OR account and your email account, you'd still be secure in the scenario above as even if the attacker had the password to both your OwnerRez account and email account, they still wouldn't have access to your two-factor auth app on your email account -- so they wouldn't be able to log in to your email. You can learn how to set up 2FA via an app by reading this support doc.
The other side of security is using unique passwords for each account. Never reuse a password between accounts because this allows an escalation attack where the hacker gets the password to one account and then is able to log in to others using that same password. The best way to do this is by using a password manager. Browsers like Chrome and Safari have built-in free password managers, or if you want more control, there are many third-party managers out there -- Keeper, LastPass, 1Password, Dashlane, Bitwarden, etc. Use the password manager to generate a unique password for each site, and then you only have to remember one password to access the password manager, and it will do the rest to fill in the password for each site. Password managers also look at the URLs you're trying to log in to and will alert you if you're on a phishing URL that's similar to the real URL but not the same.
Step by step
- Set up a password manager or use the one in your browser.
- Configure unique passwords for each site
- Set up app-based two-factor authentication in OwnerRez.
- If you currently have multiple people sharing the same OwnerRez account, then it can be hard to share app-based authentication. Instead, create separate Staff Team Access Accounts for each person who will be logging in to OwnerRez so that they can have their own unique password and authenticator app configured.
- If possible, also set up app-based two-factor authentication for your email account to protect that as well.
If you follow the steps above to create unique passwords and set up app-based two-factor authentication, that provides many additional layers of security that protect you in case you accidentally do click on a phishing link. This is called "defense in depth" in the industry, and you want as many independent levels of security as possible for a high-value target like your OwnerRez account.