Here’s the scenario: It’s closing time, and the funds to close the deal are about to be wired, but the transaction never makes it to its intended destination.
Instead, it’s directed to the account of a hacker who disappears along with the client’s money, leaving you facing a potential lawsuit.
Such security breaches are very real, according to Robert Siciliano, CEO of cybersecurity company Safr.Me, who discussed the issue at the 2019 Realtors Conference and Expo in San Francisco.
It’s a common practice for hackers to monitor such transactions, sometimes posing as an agent and redirecting the wire to an illicit account. “Hackers say once they own your password, they own the email. Because they can pose as you,” Siciliano said in a NAR press release.
He advised agents to alert clients that any unexpected texts or emails requesting funds should trigger a red flag, even if it looks like the message is coming from the brokerage they’re working with. They should inform clients: “If you get any emails from me with wiring instructions, call me,” he said.
If that conversation doesn’t take place ahead of time, “you’re going to lose that sale and someone is going to get sued,” he said.
The Federal Trade Commission has a wealth of information on the topic of cybersecurity and offers a quick guide with the following basics:
• Update your software regularly – This includes apps, web browsers and operating systems. Set the updates to take place automatically.
• Secure your files – Back up important files offline, on an external hard drive, or in the cloud. Make sure you store your paper files securely, too.
• Require passwords – Use passwords for all laptops, tablets and smartphones. Don’t leave these devices unattended in public places.
• Encrypt devices – Encrypt devices and other media that contain sensitive personal information. This includes laptops, tablets, smartphones, removable drives, backup tapes and cloud storage solutions.
• Use multi-factor authentication – Require multi-factor authentication to access areas of your network with sensitive information. This requires additional steps beyond logging in with a password – usually a temporary code on a smartphone or a key that’s inserted into a computer. You can also opt to turn on multi-factor authentication through third-party hardware and software providers such as Apple or Google.
• Secure your router – Change the default name and password, turn off remote management and log out as the administrator once the router is set up.
• Use at least WPA2 encryption – Make sure your router offers WPA2 or WPA3 encryption, and that it’s turned on. Encryption protects information sent over your network so it can’t be read by outsiders.
• Require strong passwords – A strong password is at least 12 characters that are a mix of numbers, symbols, and capital and lowercase letters. Never reuse passwords and don’t share them in texts or emails. Limit the number of unsuccessful log-in attempts to thwart password-guessing attacks.
• Train all staff – Create a culture of security by implementing a regular schedule of employee training. Update employees as you find out about new risks and vulnerabilities. If associates don’t attend trainings, consider blocking their access to the network.
• Have a plan – Have policies in place for saving data, running a secure business and notifying customers if you experience a breach. The FTC’s “Data Breach Response: A Guide for Business” outlines steps you should take. (FTC.gov/DataBreach)
More information is also available in Siciliano’s book: “Defend Against the Data Breach: Protect from Spyware, Malware, Ransomware and Keyloggers.”
“Equifax’s data breach affected 143 million people,” Siciliano said. “So, the bad guys already have your identity. Maybe you have been affected, maybe not, but it’s just a matter of time.”
Siciliano suggests using a password manager and two-step verification for accounts that require signing in. “If you don’t have this, you’re running naked through the woods and you’re going to get pricked,” he said.