For the last three years, stories about real estate hacking and particularly phishing have appeared with increasing frequency in newspaper and blog headlines. Stories like the cybercriminals who stole client contact information from a DC-area real estate company, and with the information then created a “business email compromise” (BEC) scam, which resulted in $1.5 million being stolen in a phishing wire fraud scheme from a couple about to close on a home.
The increase in these types of real estate-focused threats is not merely anecdotal. In 2017, the FBI started warning of a dramatic increase in cyberattacks specifically targeting real estate companies, and real estate continues to figure prominently in the FBI's cybercrime statistics—in fact, it's the only industry vertical named in a list of top cyber "crime types". According to the agency, fraudulent real estate transactions as a result of cybercrime leapt from $19 million in 2016 to almost $1 billion (US $969M) in 2017. The losses associated with 350,000 scams reported to the FBI in 2018 reached $2.7 billion in value, according to the latest FBI report published yesterday (April 22, 2019).
For more background on security and real estate, including a case study and an issues backgrounder, visit this resource page.
Criminals are after two things—information and money (and not necessarily in that order)
The type of attack most commonly targeted at real estate companies is phishing, usually BEC wire fraud or imposter email attacks. These types of phishing attacks can take several forms. In the simplest rendition, the hacker may be after internal corporate data. They will send an email pretending to be someone that the recipient knows, such as a trusted partner or vendor, or even someone that works at the same real estate company. The perpetrator may request user names and passwords to corporate networks, a list of employee W2s or email addresses, the names and email addresses for current clients, or even proprietary data, such as competitive market research. Often this type of information can be sold on the black market or used as a starting point for additional phishing attacks
When money is at stake, particularly the large sums often seen during real estate transactions, hackers turn to more insidious criminal tactics. If the criminal has obtained the user name and password for the real estate agent’s email (through an earlier phishing or malware attack), they may engage in a BEC scam, whereby they send an email directly from the agent’s account to a current customer about to close on a property. Pretending to be the agent, the criminal provides closing instructions, including fraudulent wire transfer details. The customer, not suspecting anything, transmits the money to the criminal’s account. Unfortunately, in many instance these large sums of money, often down payments, are lost forever unless the scam is discovered quickly enough to halt the wire transfer. In a similar version, the criminal may pretend to be someone from the settlement company or the seller’s agent/representative, and send a phishing email directly to the buyer’s agent. As in the other scenario, this email includes closing instructions, including fraudulent wire transfer details, which the buyer’s agent may then pass along to the home buyers.
That “ounce of prevention” could be worth a lot
Cybercriminals already know that the real estate industry is the primary facilitator for high volume, high dollar figure wire transfers, as well as being the owner of a vast amount of highly sensitive personal information, such as customer names, addresses, emails, social security numbers, and banking data. Couple this with the fact that real estate agents often work in highly dispersed locations, such as their car or a café, using unprotected smart phones to connect to corporate networks, and you have the makings of an almost perfect crime. That’s why advanced cybersecurity protection is so critical.
You don’t get protection from browsers, email clients, and online “freebie” security solutions
The recent story of the massive Target Corporation breach is one that most people have heard of. What is less well known is that the malicious email at the source of this highly destructive attack came from one of Target’s small business partners—an HVAC company—and it probably would’ve been blocked had the HVAC vendor been using an effective email security service, instead of a downloaded ‘freebie’ security tool (that did not include real-time updates) to protect its entire system, including access to all the passwords and portals for its various large clients.
Free downloadable security tools are designed for individual consumers, and do not offer the type of protection businesses need. Since threats are evolving constantly, real-time security updates are key. Once a threat has been launched, a business only has seconds to block it. If your security tools, or email client (such as Gmail or Office 365), or browser aren’t updated constantly—in real-time—then the protection simply isn’t there.
Training alone isn’t the answer
Email threats come in a variety of different shapes and sizes. Some are relatively easy to spot, others are highly curated so they appear entirely legitimate—for example, imposter emails. If a fake email arrives in your accounting department, pretending to be from your CEO with wire transfer directions, how much time do you think your accounting manager is going to take investigating and confirming the authenticity of the email. Chances are, if the email appears to come from the CEO or another high level executive, the target employee will ‘get right on the task’ and transfer the money. In these instances, training your employees to spot fake or dangerous emails may simply be asking too much.
Since operational activities with most real estate companies today take place in the cloud, an automated, systematic approach to security is key—one in which threats are evaluated and blocked in real-time, without relying on the ‘human factor’.
With the operational and transactional components of real estate growing by leaps and bounds in an online cloud environment—and cyberattacks growing at an even faster rate—no real estate business wants to be at the center of a data breach that costs a customer their entire life savings and dreams for the future. Real estate businesses need to view cyberattacks as a critical business risk.