
Phishing and Email Security


We have noticed a recent increase in phishing attacks targeting OwnerRez and email accounts. These attacks attempt to gain access to your OwnerRez account and other accounts linked to your email.

Anatomy of a phishing attack

In a phishing attack, an attacker prepares a login screen that looks identical to the OwnerRez login, hosted at a similar-looking domain: for example, one that uses the word "owners" instead of "owner", or that has a dash in it. They'll find your email address on a public site, like your booking website. Then they'll send you an email alert that looks like an OwnerRez email, with a link going to the fake login screen. If you type in your username and password, the attacker will have your password. These attacks are getting more sophisticated, with attackers spending more time making the email and login page look convincingly similar to what you receive from OwnerRez.

We implemented two-factor authentication last year. This blocks many attacks because the attacker would need access to your email to get the two-factor code, even if they have your password. However, one potential vulnerability remains: if you use email 2FA and your email password is the same as your OwnerRez password, and you accidentally enter your password on a phishing page, then the attacker can gain access to your email. From there, they can retrieve the 2FA code and use it to log in to your OwnerRez account.

Maximizing security

How do you defend against phishing and maximize security? There are several things you can do. First of all, we support both app-based and email-based two-factor authentication. We've required at least email two-factor authentication for everyone as a baseline, but we recommend upgrading to app-based security as it's much more secure. If you had set up a two-factor auth app for both your OwnerRez account and your email account, you'd still be secure in the scenario above: even if the attacker had the password to both your OwnerRez account and your email account, they still wouldn't have access to the two-factor auth app on your email account, so they wouldn't be able to log in to your email. You can learn how to set up 2FA via an app by reading this support doc.

The other side of security is using unique passwords for each account. Never reuse a password between accounts because this allows an escalation attack where the hacker gets the password to one account and then is able to log in to others using that same password. The best way to do this is by using a password manager. Browsers like Chrome and Safari have built-in free password managers, or if you want more control, there are many third-party managers out there -- Keeper, LastPass, 1Password, Dashlane, Bitwarden, etc. Use the password manager to generate a unique password for each site, and then you only have to remember one password to access the password manager, and it will do the rest to fill in the password for each site. Password managers also look at the URLs you're trying to log in to and will alert you if you're on a phishing URL that's similar to the real URL but not the same.

Step by step

  1. Set up a password manager or use the one in your browser.
  2. Configure unique passwords for each site.
  3. Set up app-based two-factor authentication in OwnerRez.
  4. If you currently have multiple people sharing the same OwnerRez account, then it can be hard to share app-based authentication. Instead, create separate Staff Team Access Accounts for each person who will be logging in to OwnerRez so that they can have their own unique password and authenticator app configured.
  5. If possible, also set up app-based two-factor authentication for your email account to protect that as well.

If you follow the steps above to create unique passwords and set up app-based two-factor authentication, that provides many additional layers of security that protect you in case you accidentally do click on a phishing link. This is called "defense in depth" in the industry, and you want as many independent levels of security as possible for a high-value target like your OwnerRez account.

6 Comments

Creekside Stayz
Nov 20, 2023 6:17 PM
Joined Dec, 2020 3 posts

Like OwnerWebs contacting me?

Rex C
Nov 20, 2023 6:48 PM
OR Team Member Joined Aug, 2021 53 posts

OwnerWebs was not phishing, that was advertising spam. They were not trying to get your credentials, just trying to sell you their website design service.

However, that is an unauthorized use of the Inquiry system and we have blocked their domain from submitting any further inquiries.

Katherine E
Nov 22, 2023 10:33 AM
Joined Sep, 2017 3 posts

So, look for OwnerRez versus Owner-Rez? What are other common names used by phishers?

KAY-FAR
Nov 22, 2023 1:04 PM
Joined Nov, 2022 7 posts

Wow!  I saw this posted on Facebook and had been wondering what this was about.  Thanks for the article.

Paul W
Nov 22, 2023 4:18 PM
OR Team Member Joined Jun, 2009 848 posts

So, look for OwnerRez versus Owner-Rez? What are other common names used by phishers?

The primary domain name we use now is ownerreservations.com.  That, or any subdomain in front of it, like these, is fine:

app.ownerrez.com
www.ownerrez.com
api.ownerrez.com

We also own and manage others like these:

ownerrez.com
orez.io

So if you see those, that's correct as well.  That first one ownerrez.com is going to become the primary pretty soon, and everything will run under that.  There will be a very loud announcement when that happens.  You might have noticed that our email addresses have already switched to that.

It's the mangled versions of those that others buy and try to use like:

ownersrez.com (note the middle "s")
ownerres.com (note the trailing "s" instead of "z")
owner-rez.com (note the middle dash)

And many others.  This is another reason we are moving to ownerrez.com.  In addition to being shorter and easier to read, it matches our name exactly, so there's no room for confusion.
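
The domain check described in the comment above, as an added example (not OwnerRez code and not part of the original comment): a link counts as trusted only when its host is exactly one of the domains listed there or a subdomain of one, and near misses are flagged. The function names, the `.example` sample links and the edit-distance threshold are assumptions.

```javascript
// Added example. Domains are the ones named on this page; the function
// names and the edit-distance threshold of 2 are assumptions.
const TRUSTED = ["ownerreservations.com", "ownerrez.com", "orez.io"];

// Levenshtein distance: single-character edits needed to turn a into b.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Classify a link as "trusted", "suspicious" or "unknown".
function classifyLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return "unknown"; // not a parseable absolute URL
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // Text before "@" is login info, not the site: a place to hide a real name.
  if (url.username !== "") return "suspicious";
  // Trusted only on an exact match or a true subdomain (leading dot required).
  if (TRUSTED.some((d) => host === d || host.endsWith("." + d))) return "trusted";
  // A trusted name buried inside a longer, unrelated host name.
  if (TRUSTED.some((d) => host.includes(d))) return "suspicious";
  // Near miss: last two labels, dashes removed, within 2 edits of a real domain.
  const base = host.split(".").slice(-2).join(".").replace(/-/g, "");
  if (TRUSTED.some((d) => editDistance(base, d) <= 2)) return "suspicious";
  return "unknown";
}

// Constructed sample links, not taken from real messages.
for (const link of ["https://app.ownerrez.com/login", "https://owner-rez.com/login",
                    "https://app.ownerrez.com.login.example/"]) {
  console.log(classifyLink(link), link);
}
```

A result of "unknown" only means the host is neither on the list nor close to it; it says nothing about whether that site is safe.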

Cowtown Cabins
Nov 28, 2023 8:28 AM
Joined Jun, 2021 1 post

Thanks for the heads up!