Cybercriminals see real estate firms as profitable

For the last two to three years, stories about real estate hacking and particularly phishing have appeared with increasing frequency in newspaper and blog headlines. Take for example the cybercriminals who stole client contact information from a DC-area real estate company, and then created a “business email compromise” (BEC) scam, which resulted in $1.5 million being stolen in a phishing/wire fraud scheme from a couple about to close on a home. 

The increase in these types of real estate-focused threats is not merely anecdotal. In 2017, the FBI warned of the dramatic increase in cyberattacks specifically targeting real estate companies. According to the agency, fraudulent real estate transactions as a result of cybercrime increased from $19 million in 2016 to almost $1 billion (US $969M) in 2017. The number of inbound complaints to the FBI on the topic of cyber attacks against real estate companies also grew between 2016 and 2017 by 480% 

Criminals are after two things—information and…money (not necessarily in that order)

The type of attack most commonly targeted at real companies is phishing, typically business email compromise (BEC) or imposter email attacks. These types of phishing attacks can take several forms. In the simplest rendition, the hacker may be after internal corporate data. So, they will send an email pretending to be someone that the recipient knows, such as a trusted partner or vendor, or even someone that works at the same real estate company. The perpetrator may request user names and passwords to corporate networks, a list of employee W2s or email addresses, the names and email addresses for current clients, or even proprietary data, such as competitive market research. Often this type of information can be sold on the black market or used as a starting point for additional phishing attacks

When money is at stake, particularly the large sums often seen during real estate transactions, hackers turn to more insidious criminal tactics. If the criminal has obtained the user name and password for the real estate agent’s email (through an earlier phishing or malware attack), they may engage in a BEC scam, whereby they send an email directly from the agent’s account to a current customer about to close on a property. Pretending to be the agent, the criminal provides closing instructions, including fraudulent wire transfer details. The customer, not suspecting anything, transmits the money to the criminal’s account. Unfortunately, in many instance these large sums of money, often down payments, are lost forever unless the scam is discovered quickly enough to halt the wire transfer. In a similar version, the criminal may pretend to be someone from the settlement company or the seller’s agent/representative, and send a phishing email directly to the buyer’s agent. As in the other scenario, this email includes closing instructions, including fraudulent wire transfer details, which the buyer’s agent may then pass along to the home buyers.

That “ounce of prevention” could be worth a lot

Cybercriminals already know that the real estate industry is the primary facilitator for high volume, high dollar figure wire transfers, as well as being the owner of a vast amount of highly sensitive personal information, such as customer names, addresses, emails, social security numbers, and banking data. Couple this with the fact that real estate agents often work in highly dispersed locations, such as their car or a café, using unprotected smart phones to connect to corporate networks, and you have the makings of an almost perfect crime. That’s why advanced cybersecurity protection is so critical.

You don’t get protection from browsers, email clients, and online “freebie” security solutions

The recent story of the massive Target Corporation breach is one that most people have heard of. What is less well known is that the malicious email at the source of this highly destructive attack came from one of Target’s small business partners—an HVAC company—and it probably would’ve been blocked had the HVAC vendor been using an effective email security service, instead of a downloaded ‘freebie’ security tool (that did not include real-time updates) to protect its entire system, including access to all the passwords and portals for its various large clients.

Free downloadable security tools are designed for individual consumers, and do not offer the type of protection businesses need. Since threats are evolving constantly, real-time security updates are key. Once a threat has been launched, a business only has seconds to block it. If your security tools, or email client (such as Gmail or Office 365), or browser aren’t updated constantly—in real-time—then the protection simply isn’t there.

Training alone isn’t the answer

Email threats come in a variety of different shapes and sizes. Some are relatively easy to spot, others are highly curated so they appear entirely legitimate—for example, imposter emails. If a fake email arrives in your accounting department, pretending to be from your CEO with wire transfer directions, how much time do you think your accounting manager is going to take investigating and confirming the authenticity of the email. Chances are, if the email appears to come from the CEO or another high level executive, the target employee will ‘get right on the task’ and transfer the money. In these instances, training your employees to spot fake or dangerous emails may simply be asking too much.

Since operational activities with most real estate companies today take place in the cloud, an automated, systematic approach to security is key—one in which threats are evaluated and blocked in real-time, without relying on the ‘human factor’.

Be prepared

With the operational and transactional components of real estate growing by leaps and bounds in an online cloud environment—and cyberattacks growing at an even faster rate—no real estate business wants to be at the center of a data breach that costs a customer their entire life savings and dreams for the future. Real estate businesses need to view cyberattacks as a critical business risk.