Cyber security is a real and increasing issue for the real estate industry. Because you manage transactions that typically involve hundreds of thousands to millions of dollars, you are a key cyber fraud target.
It’s easy to brush it off as something that you hear about but that wouldn’t happen to you. It’s easy to imagine nobody would target you. But realistically, do you have a specific plan?
All real estate professionals need to have a cyber security plan in place. We aren’t talking about an “on paper” plan. Your plan needs to be active, and you must be diligent about paying attention.
We understand the risk first-hand – because CRES recently thwarted a cyber security attack to our company. Here’s what happened: We received an email that appeared as if it was coming from an internal address, requesting a larger sum of money to be wire transferred. The recipient frequently handles wire transfers, and the email appeared to be from a company executive authorized to request these transfers.
Fortunately, our cyber security protocols allowed us to quickly identify this activity as fraud.
As a result of our security protocols, no wire transfer was mistakenly processed. The threat was averted.
How Do Cyber Attacks on Real Estate Offices Typically Happen?
Real estate professionals are at risk for data breach and wire fraud in multiple ways with each transaction. Here are some common ways that cyber attacks are currently happening:
Flash drives with software viruses are frequently being left outside of real estate offices, in the hopes your agents will use them. Once the drive is in one of your computers, that computer can then be hacked and your emails monitored (especially those that include anything about “wire transfers”).
Email accounts are being hacked through virus-laden email messages or attachments. The hackers are then able to monitor your emails, looking for opportunities to send fraudulent wire transfer requests from your accounts. If the hacker is able to steal funds in this way, you can then become liable because you didn’t adequately provide protection on your email accounts. The email addresses most at risk are the “free” ones like Yahoo, Google, etc.
VoIP. Some criminals are even accessing company phone systems and making outgoing calls to Title/Escrow to verbally confirm a wire change request.
So what can you do? Two tips that helped CRES avoid a recent threat:
Look for Inconsistencies. Whenever you or your agents respond to an email from a client, escrow agent, or another broker or agent, check the email address. Does it match the one you have for that individual?
A Minute to Verify Can Save a Thousand (or a Million) Heartaches. Do any details of the email appear even a little off – especially bank account details and wire transfer instructions? If so, be sure to verify with your client or other party OUTSIDE OF EMAIL. The best practice is to take a minute to call the individual, and then follow up with a confirmation via fax (so you’ll have a written record). These simple extra steps will take you only a minute, but it could save you and your firm hundreds of thousands, or millions, of lost dollars.
Learn more about how real estate professionals are being targeted for cyber attacks and how to set up your own cyber security protocols from Rinat B. Klier-Erlich, a professional liability defense attorney specializing in defending real estate professionals.
Your Clients Are at Risk Too
Sophisticated international crime syndicates have not limited themselves to targeting real estate agents—they are targeting your clients as well. Here is how it works:
A criminal will hack into an email account (it could be yours or your client’s), watch the conversations that take place between you and your client, and when the time is right, swoop in and send an email asking for a down payment. The client will think it is you and send their money to the account that they are given. And just like that, thousands of dollars are lost. And while the Federal Trade Commission has been warning consumers about this type of wire fraud, national regulation for this problem has not yet been released.
As your client’s Realtor®, it falls on you to both protect your client’s data and advise them on what they can do to better protect themselves. Free email accounts, such as Yahoo, are easy marks for hackers, which can then provide an access point to your email system. While you cannot ask your clients to acquire a more secure email service, you can do the following:
Never conduct business using public Wi-Fi.
Use a two-step authentication email service that checks the identity of your password in addition to a text or phone message verification.
Use a secure email account.
Use secure technology to send documents, such as DocuSign.
When in doubt, pick up the phone and never rely on phone numbers in email signatures since hackers can change those as well,
Advise your client that these are your security best practices to protect their data as well as their money and ask them to use caution throughout the buying or selling process.
Get Coverage for Cyber Liability Damages
In addition to having a system to help safeguard your and your clients’ data and to protect you from wire fraud, you also need insurance coverage, should the unthinkable happen. CRES typically includes coverage for data breach notification in our real estate E&O insurance policies. We also encourage you to purchase additional coverage for Cyber Liability Damages — losses resulting from data breach that you could end up responsible for.
Cyber threats in real estate are serious. If you aren’t vigilant and don’t have security practices in place, you could mistakenly act on a fraudulent request, resulting in the loss of hundreds of thousands of dollars or personal data loss. Cyber security breaches are damaging to your clients and to your business. Now is the time to get protocols in place, know what to watch for, and get covered for damages.
Editor’s Note: This post was originally published November 2016 and updated April 2017 for accuracy and freshness.
This blog/website is made available by CRES Insurance Services for educational purposes to give you general information and understanding of legal risks and insurance options, not to provide specific legal advice. This blog/website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Claims examples are for illustrative purposes only. Read your policy for a complete description of what is covered and excluded.
Real estate professionals, are you not physically meeting with some or all of your clients right now? Here are some… https://t.co/QIfoErdsNLWhat can you do to protect yourself from liability in your real estate business? Here’s your Real Estate Insurance… https://t.co/UkJ5KoPnlQ