Real-estate companies are the current lowest-hanging digital fruit for cybercriminals. “Gone are the days when hackers would only target retailers,” writes security analyst Robert Siciliano in his Finextra article The Top Cyber Security Threats to Real Estate Companies. “These days, bad guys target businesses in any industry, especially those that aren’t quite up on cyber security.” As to why there’s a lack of cybersecurity in the real-estate profession, Siciliano offers the following reason:
“Federal law requires some industries, like hospitals and banks, to have some type of security in place, but the real-estate industry is quite vulnerable.”
What do cybercriminals expect to gain by attacking a real-estate agency and associated businesses such as title companies, lenders, and real-estate lawyers? Each of these entities handles personally-identifiable and financially-sensitive information such as Social-Security numbers, bank-account information, and credit/debit-card numbers, all of which cybercriminals could use to defraud an organization and/or its customers.
Security threats being directed at real-estate companies
Siciliano details several threat vectors that are being used against real-estate organizations.
Business Email Compromise (BEC)
BEC is a spearphishing attack focused on tricking employees of real-estate businesses into wiring money to the attacker’s bank account. “The FBI has found that multi-billions in business losses can be attributed to BEC,” writes Siciliano. “That’s scary enough, but the FBI also says that real-estate companies are specially targeted in these attacks and every participant in the real-estate transaction is a possible victim.”
In Alison DeNisco Rayome’s TechRepublic article Beware: Hackers are trying to scam your company with this attack, she mentions something that should be of interest to owners of real-estate organizations: More often than not, owners and CEOs are the ones being impersonated in the BEC attack.
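As an added illustration (not from Siciliano's or Rayome's articles), the Python sketch below shows how a mail filter could flag the pattern described above: an owner's or CEO's name on a message that comes from outside the company and talks about wiring money. The domain, the executive name, the keyword list and the sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the agency's domain, the protected
# owner/CEO display names, and the payment keywords are hypothetical.
ORG_DOMAIN = "example-realty.test"
PROTECTED_NAMES = {"dana whitfield"}
PAYMENT_TERMS = ("wire", "wiring instructions", "routing number", "account number")

def domain_of(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rpartition("@")[2].lower()

def bec_flags(raw_message):
    """Return a sorted list of reasons to verify this message out of band."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    flags = set()
    # An executive's display name on an address outside the organization.
    if name.strip().lower() in PROTECTED_NAMES and domain_of(addr) != ORG_DOMAIN:
        flags.add("executive-name-from-external-address")
    # Replies would be routed to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.add("reply-to-domain-mismatch")
    # Simple substring match; a real filter would tokenize to avoid false hits.
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    if any(term in text for term in PAYMENT_TERMS):
        flags.add("payment-instruction-language")
    return sorted(flags)

# Constructed sample messages (not real traffic).
SUSPICIOUS = "\n".join([
    'From: "Dana Whitfield" <dana.whitfield@example-realty-mail.test>',
    "Reply-To: closings@payments.test",
    "Subject: Updated wiring instructions for Friday closing",
    "",
    "Please send the down payment to the new account number below today.",
])
ROUTINE = "\n".join([
    'From: "Dana Whitfield" <dana.whitfield@example-realty.test>',
    "Subject: Open house schedule",
    "",
    "See you Saturday at the listing.",
])

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, bec_flags(raw))
```

A flagged message is a prompt to confirm the request by phone or in person, not proof of fraud.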
BEC is enough of a concern that the US Department of Justice (DOJ) issued Business E-Mail Compromise The 12 Billion Dollar Scam, which states:
“The BEC scam continues to grow and evolve, targeting small, medium, and large business and personal transactions. Between December 2016 and May 2018, there was a 136 percent increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries.”
The public-service announcement from the FBI includes several ways to prevent being scammed:
- Verify all requests for a change in payment type and/or location, as well as the recipient’s financial information;
- Be wary of any communication that is exclusively email based and establish a secondary means of communication for verification purposes; and
- Be mindful of phone conversations, as victims have reported receiving phone calls requesting personal information for verification purposes.
The FBI’s PSA also states: “Some victims report they were unable to distinguish the fraudulent phone conversation from legitimate conversations. One way to counteract this fraudulent activity, is to establish code phrases that would only be known to the two legitimate parties.”
Mortgage-closing wire scam
It may seem unlikely, but Siciliano mentions that scammers have been successful at stealing mortgage down-payment funds simply by sending a realistic-looking email about the closing that includes instructions on how to wire money for the down payment to–once again–the scammer’s bank account. As to the success rate, Siciliano notes the FBI’s Internet Crime Complaint Center reported an increase of over 1,000% in mortgage-closing wire scams between 2015 and 2017, with financial losses totaling over $56 million.
One of the more insidious scams played on real-estate companies is ransomware. Bad actors send out malicious emails similar to those used in BEC attacks, but all the criminal wants is for the intended victim to click on a link in the email, which, if everything goes right for the attacker, will encrypt the victim’s data (which is usually business-critical), making it unusable until a ransom is paid.
Siciliano does not want anyone to rule out simpler types of malware that have been around for a while–they can be very effective at stealing sensitive client and employee information.
Cloud computing providers
Digital scammers are no different from other cybercriminals when it comes to getting the biggest bang for their buck. Rather than attack individual real-estate organizations, the bad guys are finding it makes more sense to focus on cloud-service providers contracted by realtor groups.
Siciliano urges caution when dealing with cloud-service providers. “By using a cloud company, it might seem you are lowering the risk of your business becoming a target, but the truth is, the risk still lies with your company, how secure your own devices are and how effective passwords are managed,” he writes. “In most contracts with cloud-computing companies, the customer, which would be your business, is not well-protected in the case of a cyberattack.”
Include clients in the security solution
Besides employing normal cybersecurity practices and educating employees about BEC attacks, Siciliano firmly believes educating clients is critical. He puts a finer point on the DOJ’s preventative measures.
- Phone communications: At no time should the client engage in a money wire transfer unless the client speaks to the real-estate agent in person or over the phone to confirm the legitimacy of the money-wire transaction.
- Email communications: Clients should always look for language in the real-estate agent’s email communications–especially those requiring an exchange of money or information–that suggests checking with the sending party.
The real-estate industry has had luck on its side, as cybercriminals were able to find success elsewhere; unfortunately, that is no longer the case. Those responsible for a real-estate organization’s digital security must be proactive or face the consequences.