From a presentation by Rachel Ryckman, White and Steele
There is so much exchange of data between our mobile devices and our computers, on the Internet and in the cloud. The challenge is in preventing unauthorized users from accessing, hacking into, or intercepting that information.
Cybersecurity can include everything from putting a security password on your cell phone to installing antivirus software to having firewall protection on your office network.
Think this is just the concern of your broker or office manager or IT person? Cybersecurity is the concern of EVERYONE that has any access to your clients’ data. Because all it takes is one weak link to wreak havoc for your business.
One of these big risks affects you, and one could affect your clients.
Cyberattack #1: Hacking
Hacking, or gaining unlawful access to data, is what happened with Equifax. In that case, 143 million consumers potentially had their Social Security numbers, dates of birth, and other personal information stolen. Hackers found a way into the Equifax network through the online portal where consumers submit complaints. There are a number of ways you can be vulnerable.
Wherever content can be added to your website, there is potential vulnerability. If you have a blog that allows comments, do you have a good spam checker on those comments? Do you carefully review every comment before posting, and remove any links those comments may contain?
What about your password to access your website? Is it a hard password for someone to guess? Hackers scour social media sites like Facebook, gathering related family names (so they can guess at things like your mother’s maiden name), current and past addresses, pets’ names and other personal information that you may use to create a password. Change your passwords often – and include some capital letters, some numbers, and some other symbols that make it more difficult to guess.
If you have a WordPress website, you especially need a difficult-to-guess password. There are software programs running 24/7, just trying to guess passwords for WordPress sites.
Sadly, the most common password in the United States is some variation of “password1234”. Be creative in developing your passwords. Don’t write them down and put them right on your computer — where everyone from cleaning staff to visitors can potentially see them.
When you’re in a public Wi-Fi area, always use a VPN to encrypt your activities. It is very easy for others to hack in and see what you’re doing when you’re on a public network.
Another option is to encrypt things. If you’re sending documents that have a lot of confidential information, you can encrypt them, so the recipient will have to enter a password in order to open them.
Real estate offices and agents are frequently the targets of wire fraud. Hackers seek to install a virus on your computer that will allow them to access your email. It can come into your computer in a simple phishing email, or via a thumb drive that may be left as a “gift” to agents in your office.
You click the link in the email or load the thumb drive into your computer, and you’ve basically installed a virus. That virus can then identify emails referencing money transfers, and send fake emails to either you or your clients changing wire instructions. Wire fraud frequently happens with wire transfers of closing costs or down payments.
We recently had a call through Risk Management where the brokers sent out the email with the wire instructions from the title company. The client then got a second email from the broker – but the broker’s email had been hacked, and this second email provided alternate wire instructions. Unfortunately, the client followed the alternate instructions and transferred money through a Citibank account, which seemed legitimate. There went $70,000 they weren’t able to recover.
Most E&O policies don’t include coverage for wire fraud, even if they include some cybersecurity coverage. (You can add coverage for wire fraud through an additional cybersecurity policy.)
There are many red flags that should alert you before you click on any email link or attachment.
- Scrutinize the emails carefully, especially the “from” address. Does it look fishy?
- Are you expecting email from that individual or company?
- Are you expecting attachments?
- Are you expecting a document you need to be signing?
We had a case where someone sent an email from an entity that at first glance, looked like bankofamerica.com. Instead of “America” with an M they put an R-N – bankofarnerica.com. Breezing through emails, it’s so close and so similar that you really can’t see the difference unless you really pay attention.
Hover over the “from” and “reply to” addresses. If the address that pops up doesn’t match the address shown in the email, that’s a sign that it’s probably fraud. If you see contact information in the email, don’t click on it; manually type the company’s website URL into a separate browser window instead. Check their contact information there — is the address the same, is the phone number the same, etc.
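The same “from” and “reply to” checks, plus the bankofarnerica.com look-alike test, can be automated. This is an added example, not material from the presentation; the trusted-domain list, the sample messages and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this office really deals with (constructed list).
TRUSTED_DOMAINS = {"bankofamerica.com", "example-title.com"}
# Sequences that read alike at a glance, such as "rn" for "m".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(domain):
    """Collapse look-alike sequences so similar-looking domains compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def split_header(value):
    """Return (display name, domain) for an address header; '' when absent."""
    name, addr = parseaddr(value or "")
    return name, addr.rpartition("@")[2].lower()

def red_flags(raw_message):
    """List the warning signs found in the From and Reply-To headers."""
    msg = message_from_string(raw_message)
    shown_name, sender = split_header(msg["From"])
    _, reply_to = split_header(msg["Reply-To"])
    flags = []
    # The text shown to the reader names one address, the real sender is another.
    if "@" in shown_name and shown_name.rpartition("@")[2].lower() != sender:
        flags.append("display-name-mismatch")
    # Replies would go to a different domain than the one that sent the mail.
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    # Sender is not a trusted domain but looks like one (bankofarnerica.com).
    if sender not in TRUSTED_DOMAINS:
        for good in sorted(TRUSTED_DOMAINS):
            if skeleton(sender) == skeleton(good):
                flags.append("lookalike-of:" + good)
    return flags

# Constructed sample messages, not real mail.
SPOOFED = ("From: Bank of America <alerts@bankofarnerica.com>\n"
           "Reply-To: wire-desk@mail-example.net\n"
           "Subject: Updated wire instructions\n\nUse the new account.\n")
GENUINE = ("From: Closing Team <closings@example-title.com>\n"
           "Subject: Closing schedule\n\nSee you Friday.\n")

if __name__ == "__main__":
    print(red_flags(SPOOFED))
    print(red_flags(GENUINE))
```

A message sent from a mailbox that has actually been hacked carries the genuine address and passes all three checks, so header checks do not replace confirming changed wire instructions through a separate channel.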
Be very cautious whenever you receive an email with an attachment. Make sure that your assistants and people you’re working with are also adequately trained in what to look for and what to avoid.
One last thing on emails – beware of “scammer grammar.” If you see weird typos and weird grammar and wording, that’s a sure sign there’s a problem. We all have typos or grammatical errors in our emails occasionally. But if you see something really off, don’t click on it.
Cyberattack #2: Ransomware
You may have experienced the horrifying notice on your computer screen. “Your computer has experienced a security problem. Please call xxx-xxx-xxxx to regain access for $300.” Sometimes the message looks like it’s from Microsoft. NEVER call any numbers like that that appear on your computer screen.
This is “ransomware.” Someone has gained access to your computer or a function on your computer. It happens when you inadvertently click on a link somewhere on the Internet. It could be a notice that advises “Upgrade to the latest (version of some software).” It could be some other deceptive type of link that you click on.
Clicking on one of those links causes the specific function (sometimes Google Chrome) or your entire computer to be locked. You see the “ransom note,” a request asking you to pay a certain amount of money to return your access.
The first action to take is to try to minimize or exit the specific function. Sometimes just minimizing or exiting your Internet browser will allow you to then shut off your computer. When you restart the computer, the problem may be gone.
In the case of locking your entire computer, you may be out of luck. In most cases, shutting off the computer and restarting it won’t help.
There was recently a global ransomware cyberattack called Petya. The scam required you to pay $300 in bitcoin to get your access back. They were attacking small vendors all the way up to large banks.
ALWAYS think twice before clicking on anything. Mouse over the link to see where it goes first.
A Cybersecurity Tip for Your Sellers
Your sellers will have high volumes of traffic walk through their house. Do they have Post-it notes with passwords visible? If they have passwords posted everywhere for their network, for their computers, for their bank accounts, etc., point out the danger before any showings or open houses.
The Aftermath of a Cybersecurity Problem
Lawsuits may be filed against you if you’re not taking the right precautions or putting the right protections on confidential client data. Your state real estate commission could treat it as a question of broker competence: whether or not you’re effectively using the technology in your business and putting in appropriate safeguards.
Also, the cost to a business to repair and recover from a cybersecurity problem can be high. Recovering from what might seem like a simple ransomware attack can be costly. Your entire business and access to emails and documents may be down for a period of time. During that down-time, you may have pending offers or counter-offers, transactions closing, or transactions in progress. Clients will expect prompt answers to their emails. You may also need to spend money with an IT consultant to get it solved.
Once your systems are back up and running, you’ll need to spend time changing all of your passwords, potentially apologizing to customers, and catching up on everything that happened or should have happened while you were off-line.
There’s also reputation management to consider. If a breach does happen, you should have a plan in place to notify clients who may have been affected. You have potential harm to your reputation and future business. (Note that all CRES individual real estate E&O policies now include $50,000 in Cyber coverage for client notification costs due to a data/security breach. This coverage is an option on company policies. In addition, coverage for cyber damages and defense can also be added to either an individual or company policy.)
Preventative Steps for Your Office
In addition to the tips listed above, there are other ways you can prevent people from intruding into your systems and networks. You can hire an IT consultant to test out and try to hack your system to identify any vulnerabilities you have.
You can make sure your devices and computers have password protections using strong passwords. And you can banish the practice of using Post-it notes on computers to display passwords.
There are 4,000 cyberattacks a day and 75 million phishing scam emails sent out a day. Don’t become the next victim.