Online security checklist
What can you do?
Why is it important?
1 – Avoid shared logins
Having individual logins means if one person’s account is breached, the rest of your team will be able to continue working as normal, minimising the disruption to your business.
2 – Use a strong, unique password on every account
Whenever you log in to Rightmove Plus, our security systems will automatically check your password strength based on the above criteria. If your password needs to be updated, you’ll see a red banner at the top of the page asking you to update your password to something more secure.
A common method fraudsters use to gain access to online accounts is to obtain a list of email addresses and use them in combination with the most common passwords and/or passwords which have previously been breached.
Using a secure password which does not appear on any of those lists makes it more difficult for fraudsters.
Using a different password for every account ensures that if a fraudster does get hold of your login details for one account, they can’t use the same credentials to access any of your other accounts.
3 – Stay one step ahead
By increasing your awareness of the latest scams and using security software to notify you of suspicious activity, you can stay one step ahead of fraudsters.
Keeping your Rightmove Plus account secure
Under GDPR, you are the primary data controller of the personal consumer data that sits within your Rightmove Plus account.
According to ICO guidelines, this means “You must comply with, and demonstrate compliance with, all the data protection principles as well as the other GDPR requirements. You are also responsible for the compliance of your processor(s). Supervisory authorities (such as the ICO) and individuals may take action against a controller regarding a breach of its obligations.”
You can read more about the GDPR on the ICO website.
To keep your Rightmove Plus account secure:
- Follow all of the advice found in the online security checklist on this page
- Ensure each of your team members has their own account for Rightmove Plus
- Only use work email addresses – to keep Rightmove secure, we can’t accept generic domains like Gmail, Hotmail or Yahoo
- When someone leaves your business, let us know so we can remove their access to your branch straight away
- This is another important reason not to share logins – if an employee moves to a competitor, would you want them to still have access to your reports?
Your leads can go to a shared inbox, but every member of your team needs their own Rightmove Plus login details.
This means if one person’s account is locked down due to suspicious activity, or if a member of your team with access to your branch leaves, your other team members will still be able to conduct business as usual with their own accounts.
As part of your membership, you can have as many users set up on your branch as you’d like. And with self service, you can even manage your branch user accounts yourself in real time. To request a new account for you or another member of your team, or to update your access level, click here.
We also have some back-up security measures in place to help keep your account secure. If you have trouble logging into Rightmove Plus, it could be that one of these security measures has incorrectly identified fraudulent activity. Here’s how we can help you get back up and running:
Verifying your Rightmove Plus account
After you input your login details a message will appear saying you need to verify your account. You’ll be sent an email to the address associated with your Rightmove Plus account with details of how to do that.
If you see the verification message repeatedly this could be because:
- You’re using a browser (such as Chrome, Firefox or Internet Explorer) or a device (such as a tablet, new PC or smartphone) that you’ve not logged in with before.
- Your internet cookies have been deleted. Your browser uses “cookies” (small files saved on your browser) to remember sites you’ve logged into before. It may be that your computer is set to regularly clear cookies which will mean that you will have to go through this process again.
What to do
We can help you or your IT team make sure these cookies are not cleared so you don’t have to verify your identity on this device/browser again – email us at email@example.com to find out how to do it.
Verification links expire after 24 hours
To keep your account secure, the link in the email that verifies your Rightmove Plus login expires after 24 hours and can only be used once. If your link has expired, go back to Rightmove Plus and log in – another email with a new link will be sent.
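One way a service could enforce the rules described above (24-hour expiry, single use, a fresh link on the next login), as an added sketch that is not Rightmove's code. The class and method names are hypothetical, and cancelling an earlier unused link when a new one is issued is an assumption the page does not state.

```python
import hashlib
import secrets
import time

LINK_TTL = 24 * 60 * 60  # seconds; the page states links expire after 24 hours

class VerificationLinks:
    """In-memory store of single-use, expiring verification tokens (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised without waiting
        self._pending = {}       # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked store does not reveal usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Create a fresh token for user; any earlier unused one is cancelled (assumption)."""
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user}
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user, self._clock() + LINK_TTL)
        return token

    def redeem(self, token):
        """Return the verified user, or None if unknown, expired or already used."""
        entry = self._pending.pop(self._digest(token), None)  # pop makes it single use
        if entry is None:
            return None
        user, expires_at = entry
        return user if self._clock() < expires_at else None
```

Removing the entry on every redemption attempt, including an expired one, is what forces the user back through login to obtain a new link.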
Accessing your Rightmove Plus account on multiple devices
Using SMS based two-factor authentication (2FA) to access areas of Rightmove Plus that contain personal data
SMS two-factor authentication means that to gain access to Rightmove Plus you need both:
- something you know – your password
- something you have – your mobile phone
You’ve probably used a form of two-factor authentication before – to log in to your online bank accounts for example.
How it will work when you access areas of Rightmove Plus that contain personal data:
You: Enter your login details and password as usual and access one of:
- Lead Reports
- Opportunity Manager
- Viewings Manager
- User Management
- Add & Edit Properties
All other areas of Rightmove Plus will not require 2FA.
We: Send you a one-time passcode via text message to your mobile phone. The one-time passcode will be valid for 20 minutes.
You: Type in the one-time passcode and proceed as usual.
If you have further questions about two-factor authentication, you can visit our 2FA FAQs page here.
We can help if you or your team face technical or practical challenges in adopting 2FA. We want to help you take every step to reduce the very real threat to your business from fraudsters getting into your account. We’ve created a specialist team to help you: email 2FAHelp@rightmove.co.uk or phone us on 01908 712357.
What to do if your IP address is blocked on Rightmove Plus
If you try to log in to Rightmove Plus from an IP address which has been blocked, you’ll see a message saying your IP address doesn’t look quite right. On this page you’ll also be asked to complete a form, providing your details and a unique Access ID.
Once we receive your form, we’ll work with a third-party provider to investigate why your IP address was flagged as suspicious and determine whether it’s safe to unblock your IP address from accessing Rightmove Plus.
In the meantime, we recommend that you consult an IT professional to run a full virus check on your computer, to check for malware.
Why have I been asked to change my Rightmove Plus password?
If your password does not meet the latest guidance or has been featured in a breach of another website, you’ll see a red banner at the top of the page, asking you to update your password. It’s important you do this immediately, to keep your account and all the data held within it secure.
When you reset your password, the system will automatically check your new password meets the latest security guidance and does not appear in a current global database of breached passwords.
It’s important you use a unique password for all your online accounts, including Rightmove Plus, and never share your login details with anyone else. See the “Online Security Checklist” above for more information.
We recommend you always access Rightmove Plus via the button in the footer of the Rightmove homepage, or a bookmarked link in your browser. See “How to identify phishing emails and websites” for more details.
If you receive a reset password email from Rightmove unexpectedly, do not click the link. Instead, send us an email on firstname.lastname@example.org with a copy of the unexpected email attached and we’ll happily check if it is genuine for you.
What to do if someone gains access to your Rightmove Plus account
Your Rightmove Plus account hosts your leads, which contain personal data. Under GDPR, you are the primary data controller of the personal consumer data that sits within your Rightmove Plus account.
If a data breach occurs, you will need to:
- Inform the ICO – you can read their guidance here: https://ico.org.uk/for-organisations/report-a-breach
- Let us know – send an email to email@example.com with details of the data breach
What to do if you suspect someone has access to your Rightmove Plus account
- Let us know straight away (day or night) on firstname.lastname@example.org – please attach any emails you have received which have either alerted you to the suspicious activity or which you believe to be part of a phishing attack. This will help speed up our investigations and secure your account more quickly
- Change your password immediately
- If you do use the same password on other sites, you should change the password on those sites as well to keep them secure
What happens if our systems pick up suspicious activity on your Rightmove Plus account?
It’s important you follow all the advice on this page to keep your Rightmove Plus account secure and avoid breaching GDPR.
As a back-up, we have also put in place measures to help identify and block fraudulent activity on Rightmove Plus, should a fraudster gain access to your account.
If our systems pick up suspicious activity on your account, we’ll take immediate steps to protect your data.
We’ll immediately switch off Rightmove Plus access for the affected user(s) while we investigate
If your branch shares a log-in, this will mean your whole branch being made invisible on Rightmove until we’ve fully investigated the instance. That’s why we require you to create a log-in for each individual user, so that only the compromised user would have their access revoked and not the entire branch.
After we’ve investigated the incident, we’ll make sure you reset your Rightmove Plus password
We reserve the right to suspend the account of any agent who gives their Rightmove Plus account details away multiple times, as outlined in our terms and conditions.
How to identify phishing emails and websites
A common phishing method is to send an email which appears to be from a person or brand you communicate with or use regularly, with a link to a website asking you to log in. When you enter your login details, the fraudster gains access to your account, where they’ll be able to carry out fraudulent activity and access any additional data within that account. They may also attempt to use the same credentials to log in to your other accounts.
Check the sender’s email address
- Hover over the sender address. Make sure you recognise it as a genuine email address that matches the sender name.
Watch out for unusual URLs
- Hover over any URLs in emails to check the link underneath is the same as the text. Do not click the link if it is different to what the text says.
- This includes links using a URL shortener, e.g. bit.ly/abc or goo.gl/abc. These are used legitimately by businesses to shorten long URLs but can also be used by scammers to hide a fake URL. Rightmove will never share a bit.ly or goo.gl link with you.
- Fake links often look very similar to the real thing but could include unusual characters that try and closely mimic real addresses, e.g. R1ghtmove with a number 1 instead of the “i”.
- They might also include the word Rightmove, but with some extra symbols or text afterwards, e.g. “Rightmove.co.uk-property.co.uk” or “Rightmove-co-uk” instead of Rightmove.co.uk.
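The URL checks in the list above can be automated in a mail filter or a triage script. The following is an added example, not Rightmove's code: the function names, reason labels and the digit-for-letter table are assumptions, and the sample links are constructed from the page's own examples.

```python
import re
from urllib.parse import urlsplit

TRUSTED = "rightmove.co.uk"        # genuine domain named on the page
SHORTENERS = {"bit.ly", "goo.gl"}  # shorteners named on the page
# Digit-for-letter swaps used in lookalike names (illustrative subset, an assumption).
LOOKALIKES = str.maketrans("10345", "ioeas")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host_of(url):
    """Lower-cased hostname; a bare 'site.tld/path' is parsed as if it were http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def is_trusted(host):
    """True only for the genuine domain or a subdomain of it."""
    return host == TRUSTED or host.endswith("." + TRUSTED)

def check_link(text, href):
    """Reasons a link (visible text, real target) looks suspicious; [] if none."""
    reasons = []
    host = host_of(href)
    if host in SHORTENERS:
        reasons.append("shortener")
    shown = text.strip()
    if URL_LIKE.match(shown):  # the visible text itself claims to be an address
        shown_host = host_of(shown)
        if shown_host != host and not (is_trusted(shown_host) and is_trusted(host)):
            reasons.append("text-mismatch")
    if not is_trusted(host):
        if "rightmove" in host:
            reasons.append("brand-in-untrusted-host")
        elif "rightmove" in host.translate(LOOKALIKES):
            reasons.append("lookalike-characters")
    return reasons

# Constructed sample links (visible text, target), modelled on the page's examples.
SAMPLES = [
    ("Log in to Rightmove Plus", "https://www.rightmove.co.uk/"),
    ("www.rightmove.co.uk", "https://r1ghtmove.co.uk/login"),
    ("View property requirements", "https://bit.ly/abc"),
    ("Rightmove", "https://rightmove.co.uk-property.co.uk/"),
    ("Rightmove", "https://rightmove-co-uk.example/"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(f"{href:45} {check_link(text, href) or 'ok'}")
```

The trust decision is made on the parsed hostname's suffix, never on whether the brand name appears somewhere in the URL, which is exactly the confusion the fake addresses rely on.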
Be wary of unusual requests in your leads
- “Applicants” asking you to log in to Rightmove Plus to look at a specific property. A genuine home mover would never direct you to Rightmove Plus.
- “Applicants” asking you to click on a link to view their “property requirements” or similar.
Common characteristics of a phishing email
- As phishing emails are sent to a large number of people, they typically won’t be personalised in any way. Be cautious of unexpected emails that start with ‘Dear customer’ or don’t address you by your name personally.
- Phishing emails are often designed to make the victim respond to a sense of urgency, fear or curiosity. If an email asks you to take action with a strict deadline and that doesn’t feel right, the right thing to do is ignore it.
Rightmove will never...
- Ask for your personal details. We’ll never ask you to send us your Rightmove Plus login details or your bank details via email.
What to do if you receive a suspicious email
- Don’t click on any links or attachments
- Send the email as an attachment to your IT department
- If you’ve received an email from someone pretending to be Rightmove, save the email and send us a copy as an attachment (rather than forwarding it over), to email@example.com
A really simple way to save an email as an attachment is to drag the email onto your desktop. This works on most laptops. You can then attach this to a new email like you would any other document.
Sharing this information with us helps us investigate and block potentially fraudulent activity as quickly as possible.
What to do if you’ve clicked on a suspicious link or attachment
- Consult an IT professional to run a full virus check on your computer, to check for malware
- Do not enter any login details onto websites that look like Rightmove Plus or other popular websites. Always log in to Rightmove Plus via the link in the footer of the Rightmove home page if you’re unsure.
- Let us know straight away at firstname.lastname@example.org if you think you’ve given away your Rightmove Plus login credentials.
- Do not respond to emails from suspected fraudsters. Instead send us a copy of their emails as an attachment, following the guidance above.
- If you’ve entered your login details to a phishing website, change your password for each service you use those credentials for.
- Be on the lookout for any strange activity subsequently associated with those accounts.
Put your knowledge to the test.
Head over to the Take Five website, led by UK Finance, and backed by the government, to take their quick fraud-spotting quiz and learn more about fraud prevention. Take the quiz.