So why is the real estate industry such a big target for cybercriminals? Because it’s an easy target with a potentially big payday. So many things that would be a red flag for other industries are day-to-day operations in real estate.
Whether you’re an independent Realtor, a broker at a large firm, or work at a mortgage lender or bank, it’s likely that you regularly deal with people’s financial information (and other personally identifiable information), email new people and get links and attachments from people you don’t work with all the time, and talk to people about what forms of payment they can use for large sums of money (like down payments). And you’re more worried about doing your job than about cyberattacks—as you should be!
One of the most common cyberattacks aimed at the real estate industry is phishing (sometimes called business email compromise attacks), particularly phishing attacks with the goal of getting the victim to wire money to the scammer. In most industries, getting a request like this is pretty unusual and should raise a red flag, but that may not always be true in real estate—especially when these attacks are targeted at your buyers.
Phishing attacks don’t only take the form of wire transfer scams. Sometimes phishing emails are used to send ransomware or to try to steal your email and password. We’ve seen a string of recent phishing attacks that look like closing documents. The links in these emails led to fake login screens. These came from the real email addresses of real mortgage companies. It’s likely they themselves fell victim to an attack, and then the attackers used their accounts to send more phishing attacks.
Another vulnerability of the real estate industry is urgency—urgent requests and moving quickly aren’t out of the ordinary, especially if you’re in a market where houses move quickly. Preying on your sense of urgency is a common tactic used by cybercriminals. Some of the most commonly used words in the subject line of phishing attacks are “urgent,” “attention,” “important,” and “immediate response.”
A lot of times, these tactics are combined and used against you. Let’s look at a potential scenario: A real estate agent gets an email from a mortgage company with a link to access closing documents. He clicks on the link and gets taken to a login screen. He logs in with his company email and password, but nothing happens. He assumes there is something wrong with the site, but he is about to leave his office to go to a showing, so he decides to worry about it later.
A few weeks later, a buyer he is working with mentions she wired the down payment money to the account he sent – except he never sent any account information. Turns out, that email from the mortgage company was a phishing email and the login that didn’t work was actually a fake login used to steal his credentials. Cybercriminals got access to his account, and sat quietly waiting for the right time to strike.
They sent an email to his buyer from his real email with the information to wire money to their account. His buyer’s money is gone, the sale falls through, and he has lost the trust of a buyer—and anyone she tells about her experience.
But that could be just the tip of the iceberg. How many other people did the cybercriminal send emails to from his account? What information did the cybercriminal have access to when in his email? Was it only his email that was compromised? Or did they get into his file storage account, too? The list of questions goes on.
This scenario isn’t theoretical – it can and has happened.
So, what should you do? Typically, the first thing we recommend to any company is comprehensive cybersecurity training for all employees. Knowing what to look for can stop many attacks in their tracks – and often it’s the only way to stop a wire transfer scam.
But for the real estate industry, training alone is just not going to be enough (that doesn’t mean you shouldn’t do it, though!). Prevention is key. Investing in services that scan your email for malicious links and attachments before they hit your inbox can reduce the number of attacks you see in the first place.
You should also add multifactor authentication or two-step verification on any account possible, especially email. These protect you even if a cybercriminal does get your password, by requiring a second form of authentication when you log in. Without that second authentication, they can’t get into your account.
It may also mean you need to change some processes, particularly around wire transfers. Wire transfers should never be sent only with an email request. This should be clearly communicated to everyone in your office, as well as anyone else you work with (including both buyers and sellers!).
Solid cybersecurity training, particularly around phishing emails, and preventive measures will go a long way toward keeping you—and your clients—safe.