The famous criminal Willie Sutton was once asked why he robbed banks, and his response was simple, eloquent and humorous: “Because that’s where the money is.” In today’s digital age, where financial transactions are easily conducted online via email and mobile devices, bank robbery has moved onto the internet, and real estate is one of the industries in the crosshairs.
Technology has given real estate agents the tools to be always on, always connected and highly responsive – but technology is also making agents and the broader real estate ecosystem prime targets for fraudsters and cyber-criminals.
Earlier this year, the FBI released data showing that cyberattacks in real estate transactions had grown at a staggering rate. In 2016, there were $19 million in reportedly fraudulent real estate transactions from cyberattacks – and in 2017, the number had grown to almost $1 billion ($969 million). The number of inbound complaints to the agency grew year over year by 480 percent and numerous high-profile seven-figure cyberattacks made headlines.
While the data for 2018 is not yet out, we know from the real estate companies we work with that cyberattacks are hitting faster and more frequently than ever. In the words of one real estate brokerage CIO, “attacks exploded this year.”
Cyber-attackers are targeting Realtors
Cyber criminals are after two things – information and money – and email is often one of the simplest ways to get to either. The most common attack targeting the real estate industry is phishing, which uses fake emails and websites to trick victims into disclosing sensitive information such as financial data or passwords. The three most frequent real estate phishing attacks are:
In the simplest form, a hacker may be after personal financial data. These kinds of attacks generally try to trick the victim into disclosing their username and password for online retail or financial services accounts — like banks or credit cards. An attack can embed malware on their computers to track/steal account credentials. When obtained, the attackers can sell this information.
Business email compromise phishing/wire fraud
Business Email Compromise (BEC), also known as “cyber-enabled financial fraud,” is a sophisticated scam that targets individuals involved in performing wire transfers. And while any business is vulnerable to a BEC attack, the FBI has specifically explained that the BEC scam “targets all participants in real estate transactions.” In this approach, cyber criminals send spoofed emails that may appear to be from an escrow agent or lender with urgent requests for wire transfers or other critical information. In reality, these messages come from criminals trying to trick the real estate business into sending a wire transfer to the wrong account.
Account takeover phishing/wire fraud
A more sophisticated version of phishing involves a two-stage account takeover that takes advantage of the trust relationships that the agent has. In stage one, the agent receives a (fake) password reset email that brings her to a fake website, where she enters her username and password. In stage two, cybercriminals log into the email account and watch every single email interaction the agent has with buyers – and, when the time is right, send out false wire transfer instructions. A real-world example can be found with this cautionary tale.
The damage of a breach only starts with a mis-directed wire transfer. Beyond that, there’s the lost revenue due to a cancelled transaction, the potential for litigation, and the cost of damage to your brand. Your reputation is at stake, and trust is a critical element of the real estate ecosystem.
Three steps every real estate professional needs to take:
1. Know that you (and your industry) are at risk. Far too often, businesses believe that they are “too small” or “off the radar” for cybercriminal attention. But this could not be further from the truth. Realtors are viewed as rich targets because they often don’t have the same security defenses and because the potential payoff is significant.
2. Slow down in order to speed up – and tell your clients to do the same. Attackers prey upon urgency to get victims to act quickly.
- When a request that comes in appears both urgent and important, take a moment. Call the institution directly – but do not call a number included in the email. Verify the request through known channels. Don’t trust the display name or the email header.
- Look closely at any request for email log-ins or sensitive financial information, and trust your instincts. People often admit that something “didn’t feel quite right.” Tell your clients to take a moment to look for anomalies or telltale differences in a message. Contact a known sender through a known phone number, and don’t click on links, open attachments or reply to the email until you have verified the sender.
- If you or a customer clicks on a link or engages with a suspected fraudulent email, contact your bank or lending institution by phone immediately. A breach is a critical event, and you will want to stop any possible transfer or theft. By working quickly, many financial institutions can block or stop a fraudulent transaction.
3. Don’t count on legacy email or web security for protection
- Communicate relentlessly. Share news of possible breaches and “near misses” with clients, colleagues and industry partners so all can be on the lookout.
- Empower caution to protect against theft. Fear and urgency are powerful motivators in virtually all phishing attacks. Let customers and partners know what to expect – including when to expect time-sensitive requests, and when not to.
- Improve your company’s protection with cloud-based security. According to the industry report “Reducing the Risk of Phishing Attacks,” an incremental investment in advanced email and web security results in a median reduction of phishing attacks of about 85 percent — and delivers a median ROI of about 11.7 times.
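The warning in step 2 not to trust the display name or the email header can be turned into a simple triage check. The following is an added example, not code from the original article or from Cyren; it flags the header and wording patterns of the spoofed wire-transfer emails described above. The party list, domains, sample messages and the 0.85 similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: organisations the brokerage really deals with -> their real mail domain.
KNOWN_PARTIES = {"Example Escrow": "example-escrow.test"}
URGENCY = re.compile(r"\b(urgent|immediately|today|asap)\b", re.I)
WIRE = re.compile(r"\bwir(e|ing)\b", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_signals(raw_message, known=KNOWN_PARTIES):
    """List the wire-fraud warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    signals = []
    for org, real_dom in known.items():
        if from_dom == real_dom:
            continue  # sent from the party's genuine domain
        if org.lower() in display_name:
            signals.append("display_name_mismatch")  # trusted name, foreign address
        if SequenceMatcher(None, from_dom, real_dom).ratio() >= 0.85:
            signals.append("lookalike_domain")       # e.g. "1" swapped in for "l"
    if reply_dom and reply_dom != from_dom:
        signals.append("reply_to_mismatch")          # replies are diverted elsewhere
    # Only single-part text bodies are inspected in this example.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    if URGENCY.search(text) and WIRE.search(text):
        signals.append("urgent_wire_request")
    return signals

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Example Escrow <closing@examp1e-escrow.test>\n"
           "Reply-To: closing.desk@mailbox.test\n"
           "Subject: URGENT: updated wiring instructions\n\n"
           "Please wire the closing funds today to the new account.\n")
LEGIT = ("From: Example Escrow <closing@example-escrow.test>\n"
         "Subject: Closing checklist\n\n"
         "Documents attached for your review.\n")

if __name__ == "__main__":
    print(bec_signals(SPOOFED))
    print(bec_signals(LEGIT))
```

A clean result does not make a message safe: in the account-takeover case described earlier the email comes from the agent's real mailbox, so wire instructions still need confirmation by phone on a known number.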
In the competitive world of real estate, customer and partner trust are critical to creating a positive brand experience. Few events can shatter trust more than a successful cyberattack. Your vigilance can become a tremendous differentiator in today’s turbulent waters.
Dan Maier is a vice president at Cyren (www.cyren.com). Powered by the world’s largest security cloud, Cyren delivers fast time to protection from cyber threats with award-winning security-as-a-service solutions.