
Hi Mews Community, 

In recent months, there’s been a rise in sophisticated phishing attempts where hospitality employees are being tricked into revealing their login credentials.  

We’re aware that a small number of Mews customers have been targeted and fallen victim to these malicious campaigns. As Senior Product Manager for Security at Mews, I’m part of the team that is actively monitoring the situation, and our Customer Support colleagues are supporting those affected.  

I've always found the best form of defense against these threats is to make sure you know how to keep your login credentials – and therefore your data, your guest data and your business – secure. 

Today, I’ll talk you through how these malicious phishing campaigns typically operate and the precautions you can take to enhance your security. 

 

How do these phishing attempts work? 

 

They’re sophisticated. Cybercriminals use search engine ads to trick hotel employees into entering their user credentials on a fake login page that mimics the behavior of the Mews website. Here’s an example: 


The malicious entities then often proceed to access the hotel’s system, download guest data and send messages to trick guests into giving away their card details or further personal information. Like we said, it’s sophisticated. This is not unique to Mews and is being seen across the hospitality industry. 

 

How to guard against it 

 

The security team automatically monitors these fake websites to ensure they’re removed as quickly as possible (typically we block them within 60 seconds). However, their creation is ultimately out of our control. That’s why it’s vital that all hospitality businesses know how to secure their login credentials to avoid future phishing attempts. Here are some precautions you can take: 

  1. Never use search engines to access your Mews login. Using search engines as a shortcut to access your Mews login leaves you vulnerable to this type of phishing. Bookmarking or saving it to your favorites is just as quick. 
  2. Bookmark the Mews login URL. Bookmark the following link and always use it to access your Mews login page: https://app.mews.com/ 
  3. Enable Two-Factor Authentication (2FA). 2FA adds an extra layer of security to your account beyond your password, requiring a unique code sent to your device via apps like Microsoft Authenticator or Authy. You can also receive a login link via email (sometimes called a ‘magic link’) rather than a code. Learn more here.

  4. Verify URLs. Subtle variations in spelling can be easy to miss, so check, double-check, and triple-check the URL before you enter any login details. 

  5. Use a single login per person. Employees should never share logins or passwords. They should use individual login credentials and keep them secret, even from colleagues and other team members.

  6. Use a password manager. If your team has to remember lots of logins and passwords, password managers like 1Password or LastPass can help generate and securely store complex, unique passwords for every site your staff will access. 

  7. Apply password best practices. Make passwords strong with a mix of upper- and lower-case characters, numbers and special characters, and don’t reuse them across different accounts. 
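
Precautions 2 and 4 can also be checked in software, for example when reviewing proxy or browser-history logs for logins that did not go to the bookmarked address. The Python below is an added example, not Mews code: it compares a URL against https://app.mews.com/ and flags hosts that imitate it. The function names, the look-alike substitution table and the edit-distance threshold of 1 are assumptions chosen for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED_HOST = "app.mews.com"  # login URL the post says to bookmark
PARENT = "mews.com"            # parent domain of that URL
BRAND = "mews"
# Constructed, non-exhaustive look-alike substitutions (assumption).
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("3", "e"), ("5", "s"))

def _fold(label):
    """Decode punycode, strip accents, undo look-alike substitutions."""
    if label.startswith("xn--"):
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass  # keep the raw label if it is not valid punycode
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def _distance(a, b):  # Levenshtein edit distance
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_login_url(url):
    """Return 'trusted', 'same-domain', 'lookalike' or 'unrelated'."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:
        return "unrelated"  # unparseable: certainly not the bookmarked URL
    host = (parts.hostname or "").lower().rstrip(".")
    if host == PARENT or host.endswith("." + PARENT):
        exact = (parts.scheme == "https" and host == TRUSTED_HOST
                 and port in (None, 443) and parts.username is None)
        return "trusted" if exact else "same-domain"
    if BRAND in (parts.username or "").lower():
        return "lookalike"  # brand sits before an "@", real host is elsewhere
    for label in host.split("."):
        folded = _fold(label)
        if BRAND in folded or _distance(folded, BRAND) <= 1:
            return "lookalike"
    return "unrelated"
```

Only the exact bookmarked origin is reported as trusted. The look-alike result is a heuristic with false positives (any label one edit away from the brand is flagged), so treat it as a prompt for manual review rather than a verdict.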

 

Further advice and training 

 

We constantly update our learning platform, Mews University, with educational materials. The courses linked below are designed to help you keep your hospitality accounts secure, so please take a look.  

  1. Mews CEO Matt Welle on safeguarding your systems against phishing 

  2. Two-Factor Authentication (English) 

  3. Two-Factor Authentication for Admins (English) 


Vigilance is key to security 

 

The malicious entities behind these phishing attempts are persistent and creative. There’s no doubt they’ll keep trying to invent new ways to trick employees in hospitality, and other industries, into revealing sensitive information. 

The strongest security measure against phishing is training staff to ensure their login credentials aren’t compromised. 

The security team and I are keen to answer your questions. Please submit them via this Slido link. Over the next few weeks, we’ll gather all questions, answer them in a video and post a link to that video here in the comments. 

 

That’s all from me for now. Stay vigilant. 

 
