Advisory: Phishing Attempts Targeting Hostaway Users

UPDATE: We have been informed of phishing attempts to impersonate Hostaway communications, specifically targeting users by requesting API tokens or login credentials.

Please be advised: Hostaway will never request your API tokens, passwords, or credentials via email or unsolicited messages. Do not share sensitive information through email or any unofficial channel.

What You Need to Know

There has been a slight increase in malicious emails attempting to phish for access to Hostaway accounts. These phishing emails and websites may imitate official Hostaway branding, use similar wording, or reference legitimate-looking requests to create urgency and gain your trust.

Phishing tactics often include:

• Requests to reset your password
• Prompts to click suspicious links or download attachments
• Messages that look like they are from Hostaway but come from unofficial email addresses
• Appeals to share API tokens, login information, or other sensitive credentials

How to Stay Protected

To keep your account secure, please follow these best practices:

• Never share your Hostaway credentials or API tokens via email or unfamiliar forms
• Never log into any Hostaway site except for our official website https://dashboard.hostaway.com 
• Double-check the sender’s email address and links before clicking
• Enable Two-Factor Authentication (2FA) on your account for additional security
  • Exercise extreme caution when entering 2FA tokens
  • Remember that Hostaway staff will never request your 2FA tokens under any circumstances
  • If someone claiming to be from Hostaway asks for your 2FA credentials, report this immediately as a potential security threat
• Enable 2FA on all business-critical platforms
  • Airbnb 2FA Setup
  • Vrbo 2FA Setup
  • Booking.com 2FA Setup
  • Your email provider (like Gmail or Microsoft Outlook)
• Use strong passwords on Hostaway and all OTA (Online Travel Agency) connected email accounts
• Educate your team on how to spot phishing attempts and verify suspicious communications

If you want to learn more about how to stay safe from online scams, read our article here.

What to Do if You’re Unsure

If you receive a suspicious message or have concerns about your account’s security:

• Do not respond or click any links
• If you encounter any suspicious websites:
  • Close them immediately
  • Access Hostaway only through the official URL: https://dashboard.hostaway.com 
• Forward the email to our support team at support@hostaway.com

• Contact Hostaway Support immediately if you believe your account may have been compromised.