How to keep your personal and business data secure online

Here’s some key advice you can apply to all your personal and business accounts, including Rightmove Plus, to increase your security and minimise the potential impact caused if a fraudster were to gain access to one of your online accounts.

	What can you do?	Why is it important?
1 – Avoid shared logins	Never share login details with family, friends or colleagues For business accounts, including Rightmove Plus, ensure each team member has their own login	Having individual logins means if one person’s account is breached, the rest of your team will be able to continue working as normal, minimising the disruption to your business.
2 – Use a strong, unique password on every account	Create a unique password for every website and account Ensure your passwords are at least 12 characters long and contain: at least one uppercase character, lowercase character, numeric character (0 to 9) and one special character Create a blacklist of passwords which cannot be used, to include the most common 100 passwords and those previously breached. Here’s an example: https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere Use a reputable password manager, such as LastPass, to generate, securely store and manage all your passwords. Whenever you login to Rightmove Plus, our security systems will automatically check your password strength based on the above criteria. If your password needs to be updated, you’ll see a red banner at the top of the page asking you to update your password to something more secure.	A common method fraudsters use to gain access to online accounts, is to obtain a list of email address and use them in combination with the most common passwords and/or passwords which have previously been breached. Using a secure password which does not appear on any of those lists makes it more difficult for fraudsters. By using a different password for every account, it ensures that if a fraudster does get hold of your login details for one account, they can’t use the same credentials to access any of your other accounts.
3 – Stay one step ahead	Check if you have an account that has been compromised in a data breach and set up alerts to find out about any future breaches fast https://haveibeenpwned.com/ Use a browser, such as Google Chrome, with integrated protections against sites reported as being suspicious Keep all your software up to date Be wary of phishing emails and websites – see the section below “How to identify phishing emails and websites” for pointers Stay up to date with the latest scams so you know what to look out for. Action Fraud and CIFAS are good sources of information.	By increasing your awareness of the latest scams and using security software to notify you of suspicious activity, you can stay one step ahead of fraudsters.

 

Fraudsters sometimes target Rightmove Plus accounts, hoping to gain access to lead data, or even post fraudulent listings online appearing to be from a reputable agent. Phishing attacks are the most common method fraudsters use to do this. You can read more about how to identify and avoid those attacks under the heading “How to identify phishing emails and websites”

Under GDPR, you are the primary data controller of the personal consumer data that sits within your Rightmove Plus account.

According to ICO guidelines, this means “You must comply with, and demonstrate compliance with, all the data protection principles as well as the other GDPR requirements. You are also responsible for the compliance of your processor(s). Supervisory authorities (such as the ICO) and individuals may take action against a controller regarding a breach of its obligations.”

You can read more about the GDPR on the ICO website.

To keep your Rightmove Plus account secure:

• Follow all of the advice found in the online security checklist on this page
• Ensure each of your team members has their own account for Rightmove Plus 
• Only use work email addresses  – to keep Rightmove secure, we can’t accept generic domains like Gmail, Hotmail or Yahoo
• When someone leaves your business, let us know so we can remove their access to your branch straight away
• This is another important reason not to share logins – if an employee moves to a competitor, would you want them to still have access to your reports

Your leads can go to a shared inbox, but every member of your team needs their own Rightmove Plus login details.

This means if one person’s account is locked down due to suspicious activity, or if a member of your team with access to your branch leaves, your other team members will still be able to conduct business as usual with their own accounts.

As part of your membership, you can have as many users set up on your branch as you’d like. And with self service, you can even manage your branch user accounts yourself in real time. To request a new account for you or another member of your team, or to update your access level click here. 

We also have some back-up security measures in place to help keep your account secure. If you have trouble logging into Rightmove Plus, it could be that one of these security measures has incorrectly identified fraudulent activity. Here’s how we can help you get back up and running:

[expandsub1 title=”Verifying your Rightmove Plus account” rel=”submenu-highlander” tag=”h6″]When you first login to Rightmove Plus, you’ll need to confirm your email address. This is to ensure that the only people who can access your branch on Rightmove Plus are those with permission, keeping your company’s data secure.

After you input your login details a message will appear saying you need to verify your account. You’ll be sent an email to the address associated with your Rightmove Plus account with details of how to do that.

If you see the verification message repeatedly this could be because:

1. You’re using a browser (such as Chrome, Firefox or Internet Explorer) or a device (such as a tablet, new PC or smartphone) that you’ve not logged in with before.
2. Your internet cookies have been deleted. Your browser uses “cookies” (small files saved on your browser) to remember sites you’ve logged into before. It may be that your computer is set to regularly clear cookies which will mean that you will have to go through this process again.

What to do
We can help you or your IT team make sure these cookies are not cleared so you don’t have to verify your identity on this device/browser again – email us at customersupport@rightmove.co.uk to find out how to do it.

Verification links expire after 24 hours

To keep your account secure, the link in the email that verifies your Rightmove Plus login expires after 24 hours and can only be used once. If your link has expired, go back to Rightmove Plus and login – another email with a new link will be sent.[/expandsub1]

[expandsub1 title=”Accessing your Rightmove Plus account on multiple devices” rel=”submenu-highlander” tag=”h6″]You can login to Rightmove Plus on as many different devices as you like. The first time you login to a different device you will need to verify that it really is you logging in. See the above advice on verifying your account. [/expandsub1]

[expandsub1 title=”Using SMS based two-factor authentication (2FA) to access areas of Rightmove Plus that contain personal data” rel=”submenu-highlander” tag=”h6″]Two-factor authentication (sometimes called 2FA) is an added layer of security that we’re introducing to some areas of Rightmove Plus that contain personal data. We’re introducing an SMS based type of two-factor authentication.

SMS two-factor authentication means that to gain access to Rightmove Plus you need both:

1. something you know – your password
2. something you have – your mobile phone

You’ve probably used a form of two-factor authentication before – to log in to your online bank accounts for example.

How it will work when you access areas of Rightmove Plus that contain personal data:
You: Enter your login details and password as usual and access one of:

• Lead Reports
• Opportunity Manager
• Viewings Manager
• User Management
• Add & Edit Properties

All other areas of Rightmove Plus will not require 2FA.
We: Send you a one-time passcode via text message to your mobile phone. The one-time passcode will be valid for 20 minutes.
You: Type in the one-time passcode and proceed as usual.

If you have further questions about two-factor authentication, you can visit our 2FA FAQs page here.

We can help if you have technical or practical challenges around you and your team adopting 2FA. We want to help you to take every step to reduce the very real threat to your business from fraudsters getting into your account. We’ve created a specialist team to help you 2FAHelp@rightmove.co.uk or phone us at 01908 712357.[/expandsub1]

[expandsub1 title=”What to do if your IP address is blocked on Rightmove Plus” rel=”submenu-highlander” tag=”h6″]We have systems in place to automatically detect and block IP addresses which have been used for suspicious activity, such as spamming other computers or visiting unsafe websites.

If you try to login to Rightmove Plus from an IP address which has been blocked, you’ll see a message saying your IP address doesn’t look quite right. On this page you’ll also be asked to complete a form, providing your details and a unique Access ID.

Once we receive your form, we’ll work with a third-party provider to investigate why your IP address was flagged as suspicious and determine whether it’s safe to unblock your IP address from accessing Rightmove Plus.

In the meantime, we recommend that you consult an IT professional to run a full virus check on your computer, to check for malware. [/expandsub1]

Whenever you login to Rightmove Plus, our security systems will automatically check your password meets the latest security criteria and run a check against a current global database of breached passwords.

If your password does not meet the latest guidance or has been featured in a breach of another website, you’ll see a red banner at the top of the page, asking you to update your password. It’s important you do this immediately, to keep your account and all the data held within it secure.

When you reset your password, the system will automatically check your new password meets the latest security guidance and does not appear in a current global database of breached passwords.

It’s important you use a unique password for all your online accounts, including Rightmove Plus, and never share your login details with anyone else. See the “Online Security Checklist” above for more information.

We recommend you always access Rightmove Plus via the button in the footer of the Rightmove homepage, or a bookmarked link in your browser. See “How to identify phishing emails and websites” for more details.

If you receive a reset password email from Rightmove unexpectedly, do not click the link. Instead, send us an email on fraud@rightmove.co.uk with a copy of the unexpected email attached and we’ll happily check if it is genuine for you.

Your Rightmove Plus account hosts your leads, which contains personal data. Under GDPR, you are the primary data controller of the personal consumer data that sits within your Rightmove Plus account.

[expandsub1 title=”If a data breach occurs, you will need to:” rel=”submenu2-highlander” tag=”h6″]

• Inform the ICO – you can read their guidance here: https://ico.org.uk/for-organisations/report-a-breach
• Let us know – send email to fraud@rightmove.co.uk with details of the data breach

[/expandsub1]

[expandsub1 title=”What to do if you suspect someone has access to your Rightmove Plus account” rel=”submenu2-highlander” tag=”h6″]

• Let us know straight away (day or night) on fraud@rightmove.co.uk – please attach any emails you have received which have either alerted you to the suspicious activity or which you believe to be part of a phishing attack. This will help speed up our investigations and secure your account more quickly
• Change your password immediately
• If you do use the same password on other sites, you should change the password on those sites as well to keep them secure

[/expandsub1]

It’s important you follow all the advice on this page to keep your Rightmove Plus account secure and avoid breaching GDPR.

As a back-up, we have also put in place measures to help identify and block fraudulent activity on Rightmove Plus, should a fraudster gain access to your account.

If our systems pick up suspicious activity on your account, we’ll take immediate steps to protect your data.

[expandsub1 title=”We’ll immediately switch off Rightmove Plus access for the affected user(s) while we investigate” rel=”submenu3-highlander” tag=”h6″]We do this to protect the personal data held within Rightmove Plus, as giving unauthorised access to this data is a breach of GDPR.

If your branch shares a log-in, this will mean your whole branch being made invisible on Rightmove until we’ve fully investigated the instance. That’s why we require you to create a log-in for each individual user, so that only the compromised user would have their access revoked and not the entire branch.

[/expandsub1]

[expandsub1 title=”After we’ve investigated the incident, we’ll make sure you reset your Rightmove Plus password” rel=”submenu3-highlander” tag=”h6″]We’ll also ask you to confirm you’ve changed your password on your email account and any other websites where you used the same password. If you didn’t previously have individual logins set up, you’ll need to create them before we put your branch back online.

We reserve the right to suspend the account of any agent who gives their Rightmove Plus account details away multiple times, as outlined in our terms and conditions.

[/expandsub1]

Fraudsters use phishing attacks to obtain sensitive information, such as usernames and passwords, from people and businesses.

A common method for this is to send an email which appears to be from a person or brand you communicate with or use regularly, with a link to a website requesting you to login. When you input your login details, the fraudster gains access to your account, where they’ll be able to carry out fraudulent activity and access any additional data within that account. They may also attempt to use the same credentials to log-in to your other accounts.

[expandsub1 title=”Check the sender’s email address” rel=”submenu5-highlander” tag=”h6″]

• Hover over the sender address. Make sure you recognise it as a genuine email address that matches the sender name.

[/expandsub1]
[expandsub1 title=”Watch out for unusual URLs” rel=”submenu5-highlander” tag=”h6″]

• Hover over any URLs in emails to check the link underneath is the same as the text. Do not click the link if it is different to what the text says.
• This includes links using a URL shortener, e.g. bit.ly/abc or goo.gl/abc. These are used legitimately by businesses to shorten long URLs but can also be used by scammers to hide a fake URL. Rightmove will never share a bit.ly or goo.gl link with you.
• Fake links often look very similar to the real thing but could include unusual characters that try and closely mimic real addresses, e.g. R1ghtmove with a number 1 instead of the “i”.
• They might also include the word Rightmove, but with some extra symbols or text afterwards, e.g. “Rightmove.co.uk-property.co.uk” or “Rightmove-co-uk” instead of Rightmove.co.uk.

[/expandsub1]
[expandsub1 title=”Be wary of unusual requests in your leads” rel=”submenu5-highlander” tag=”h6″]

• “Applicants” asking you to log in to Rightmove Plus to look at a specific property. A genuine home mover would never direct you to Rightmove Plus.
• “Applicants” asking you to click on a link to view their “property requirements” or similar.

[/expandsub1]
[expandsub1 title=”Common characteristics of a phishing email” rel=”submenu5-highlander” tag=”h6″]

• As phishing emails are sent to a large number of people, they typically won’t be personalised in any way. Be cautious of unexpected emails that start with ‘Dear customer’ or don’t address you by your name personally.
• Phishing emails are often designed to make the victim respond to a sense of urgency, fear or curiosity. If an email asks you to take action with a strict deadline and that doesn’t feel right, the right thing to do is ignore this.

[/expandsub1]

[expandsub1 title=”Rightmove will never…” rel=”submenu5-highlander” tag=”h6″]

• Ask for your personal details. We’ll never ask you to send us your Rightmove Plus login details or your bank details via email.

[/expandsub1]

• Don’t click on any links or attachments
• Send the email as an attachment to your IT department
• If you’ve received an email from someone pretending to be Rightmove, save the email and send us a copy as an attachment (rather than forwarding it over), to fraud@rightmove.co.uk

A really simple way to save an email as an attachment, is to drag the email onto your desktop. This works on most laptops. You can then attach this to a new email like you would any other document.

Sharing this information with us helps us investigate and block potentially fraudulent activity as quickly as possible.

• Consult an IT professional to run a full virus check on your computer, to check for malware
• Do not enter any log in details onto websites that look like Rightmove Plus or other popular websites. Always log in to Rightmove Plus via the link in the footer of the Rightmove home page if you’re unsure.
• Let us know straight away at fraud@rightmove.co.uk if you think you’ve given away your Rightmove Plus log in credentials.
• Do not respond to emails from suspected fraudsters. Instead send us a copy of their emails as an attachment, following the guidance above.
• If you’ve entered your login details to a phishing website, change your password for each service you use those credentials for.
• Be on the lookout for any strange activity subsequently associated with those accounts.