May 18, 2015– In recent months, real estate professionals have reported an upswing in a particularly insidious wire scam. A hacker will break into a licensee’s email account to obtain information about upcoming real estate transactions. After monitoring the account to determine the likely timing of a close, the hacker will send an email to the buyer, posing either as the title company representative or as the licensee. The fraudulent email will contain new wiring instructions or routing information, and will request that the buyer send transaction-related funds accordingly. Unfortunately, some buyers have fallen for this scheme, and have lost money.
A possible red flag to be aware of, and to alert clients to, is any reference to a “SWIFT wire” transaction, a term that indicates an overseas destination for the funds. However, unlike many other email-based “phishing” schemes, this particular manifestation appears to be more sophisticated and less recognizable as fraud. The communications do not contain the typical grammatical or stylistic oddities that are often present in scam emails. In addition, because the perpetrator has been monitoring the licensee’s email account, the fraudulent communication may include detailed and accurate information pertaining to the real estate transaction, including existing wire and banking information, file numbers, and key dates, names, and addresses. Finally, the emails may come from what appears to be a legitimate email address, either because the thief has successfully created a sham account containing a legitimate business’s name, or because he or she is sending the email from a truly legitimate – albeit hacked – account.
Be aware, also, that this particular scheme is only one of many forms of online fraud being perpetrated against real estate licensees and their clients. In protecting all parties to a real estate transaction from cybercrime, real estate professionals should consider the following guidance:
The best line of defense against fraudsters is to make sure that all parties involved in a real estate transaction implement security measures before a cyberattack occurs. These measures include:
- Never send wire transfer information via email. For that matter, never send any sensitive information via email, including banking information, routing numbers, PINS, or any other financial information.
- Inform clients from day one about your email and communication practices, and alert them to the possibility of fraudulent activity. Explain that you will never send, or request that they send, sensitive information via email.
- Prior to wiring any funds, the wirer should contact the intended recipient via a verified telephone number and confirm that the wiring information is accurate. Do not rely on telephone numbers or website addresses provided within an unverified email, as fraudsters often provide their own contact information and set up convincing fake websites in furtherance of their scheme.
- If a situation arises in which you have no choice but to send information about a transaction via email, make sure to use encrypted email.
- Security experts often recommend “going with your gut.” Tell clients that if an email or a telephone call ever seems suspicious or “off,” that they should refrain from taking any action until the communication has been independently verified as legitimate. When it comes to safety and cybersecurity, always err on the side of being overly cautious.
- If you receive a suspicious email, do not open it. If you have already opened it, do not click on any links contained in the email. Do not open any attachments. Do not call any numbers listed in the email. Do not reply to the email.
- Clean out your email account on a regular basis. Your emails may establish patterns in your business practice over time that hackers can use against you. In addition, a longstanding backlog of emails may contain sensitive information from months or years past. You can always save important emails in a secure location on your internal system or hard drive.
- Change your usernames and passwords on a regular basis, and make sure your employees and licensees do the same.
- Never use usernames or passwords that are easy to guess. Never, ever use the password “password.”
- Make sure to implement the most up-to-date firewall and anti-virus technologies in your business.
2. Damage Control
If you believe your email or any other account has been hacked, you should take the following steps:
- Immediately change all usernames and passwords associated with any account that you believe may have been compromised or otherwise made vulnerable by the attack.
- Contact any clients or other parties who may have been exposed during the attack so that they take appropriate action. Remind them not to comply with any requests from an unverified source.
- Report any fraudulent activity to the Federal Bureau of Investigations via their Internet Crime Complaint Center. More information can be found here: http://www.fbi.gov/scams-safety/e-scams
- Brokers should report any fraudulent activity to their state or local REALTOR® association so that the associations can send out alerts or take other appropriate action, including contacting NAR.
This advice is not all-inclusive, and real estate practitioners should work with IT and cybersecurity professionals to ensure that their email accounts, online systems, and business practices are as secure and up-to-date as possible.
For more information on this and other cyberscams, as well as further information on cybersecurity best practices, visit: