Apart from digging a hole in your back yard, throwing your computer in, dousing it with gasoline, and lighting it on fire, there's no foolproof way to protect yourself from cybercrime, said National Association of REALTORS® Associate Counsel Jessica Edgerton.
Since few if any brokers and agents would work without a computer or smartphone, industry pros need to address the threat head-on, Edgerton said, speaking at the Emerging Business Issues & Technology Forum at the REALTORS® Legislative Meetings in Washington, D.C. She offered warning signs and practical strategies for warding off cybercriminals.
“Cybercrime is a global problem,” Edgerton said, one that's becoming more prevalent and more urgent. According to Juniper Research, the annual cost of data breaches through cybercrime is expected to reach $2.1 trillion globally by 2019. And it’s not just government agencies or large multinational corporations that are targets. Smaller and midsized real estate companies—where transactions involve multiple players and large sums of money—are an ideal target for criminals, Edgerton said. Among small businesses victimized by a successful cybersecurity breach, she said, 60 percent go out of business within six months.
The Problem: Email Attacks
Hackers can gain access to email accounts through simple schemes. It took Edgerton a five-minute Google search to learn how to hack an email herself. Hacking can come in the form of an infected attachment or link that appears to come from a benign sender. “Clicking is something that’s deadly dangerous,” Edgerton says. Her motto: “Think before you click.”
Opening a bad link or attachment can trigger a key logger, which is malware that reads keystrokes to capture your passwords. It can also open ransomware, a wicked malware that will encrypt everything on your system it can reach, including connected drives and networks. Just in the past week, a global attack with ransomware known as WannaCry hit dozens of entities.
“It’s insidious and powerful,” she said. You’ll see a pop-up window that notifies you that your files have been encrypted. To remove the encryption, you'll be asked to pay the ransom in bitcoin, a currency that is virtually untraceable. Generally, if you don’t pay, you’re not getting your computer back.
If you're hit with a ransomware attack, disconnect your computer immediately. Talk to your IT people, report the hack to the FBI, and decide if you want to pay the ransom.
Another way hackers gain entry is through a brute-force attack on your email password. If you use a simple password, hackers have software that can usually crack it in seconds. Hackers may also be stalking your online profiles and social media accounts, looking for names and dates that are meaningful to you that you may also be using in your passwords. “They’re exploiting you and how you work online,” Edgerton said.
Once hackers capture your email password, they can search for messages related to real estate transactions, Edgerton said. They can then send a spoof email to a buyer that looks virtually identical to an email from your account, providing “new wiring instructions” that will divert funds to the hacker's account. If a buyer takes the bait, the funds are usually gone for good.
- Keep your operating systems up to date. A simple way to protect your devices from hackers and malware is by updating your operating system when you’re prompted to. “Don’t ignore those notifications just because you’re busy,” Edgerton said.
- Check your social media privacy settings. Don’t allow identifiable information such as your birth date to be viewable by the public.
- Develop good email hygiene. Use complex passwords, and change your passwords on a regular basis. Consider using a password manager, such as 1Password, and two-step verification.
- Check your email settings. Hackers can put a rule in your settings that will forward certain emails to their account.
- Avoid sending sensitive information via email when possible. Attaching forms, financials, and confidential files to an email is an efficient way to communicate, and criminals are taking advantage of that, Edgerton said. Encrypted email is a good practice, but that generally means it’s encrypted in transit only, a legal requirement in some states. Be aware of what your state laws are, Edgerton said. She recommended using a secure document-sharing platform.
- Warn clients. Educate your clients on the prevalence of wire fraud, and advise them to pick up the phone and verify information before they wire funds. Also, they should be careful about what number they're calling; scammers will sometimes spoof a signature box, replacing the phone number with their own. To ensure they're reaching the right person, buyers should contact you (and other real estate service providers) using numbers provided in advance.
- Don't hold on to personally identifiable information. Know your state’s definition of personally identifiable information (PII). Usually that's first and last name, Social Security number, state ID or driver’s license number, and credit card information. Then, take stock of what client PII is kept in your office, on your computer, in your desk drawers, and in your email. Don’t keep PII any longer than you need to. Create a document retention policy with specific instructions on how to store and dispose of files.
- Don't use your email as a data repository. Once criminals are in, they can go back and pull data from years ago. Don’t keep anything you don’t need. Do regular backups of your critical data and keep it in a separate, secure area. Brokers should consider hiring a third party to conduct an IT audit to figure out their company's cyber weaknesses.
- Don’t forget your phone and tablet. Be aware of what you’re downloading and what your kids are downloading. Be leery of text messages with links in them; phones are just as susceptible to ransomware as computers. Call your provider to find out if it includes data encryption. If not, look into it.
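The "check your email settings" tip above can be run as a routine audit. The following is an added example, not part of the original article or Edgerton's talk: it reviews an exported list of mailbox rules and flags ones that forward mail outside the company, match transaction wording, or hide the forwarded message. The rule format, the watch-list terms, and the sample rules are assumptions constructed for illustration, not any mail provider's real schema.

```python
# Added example: audit exported mailbox rules for attacker-style forwarding.
# The rule format (dicts with these keys) is a hypothetical export, not any
# mail provider's real schema; the sample rules are constructed.

TRANSACTION_TERMS = {"wire", "wiring", "escrow", "closing", "earnest"}  # assumed watch list


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rules(rules, own_domains):
    """Return {rule name: [reasons]} for rules that deserve a manual look."""
    own = {d.lower() for d in own_domains}
    findings = {}
    for rule in rules:
        reasons = []
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets if domain_of(t) not in own]
        if external:
            reasons.append("forwards outside the company: " + ", ".join(external))
        words = {w.lower() for w in rule.get("subject_or_body_contains", [])}
        hits = sorted(words & TRANSACTION_TERMS)
        if hits and targets:
            reasons.append("targets transaction mail: " + ", ".join(hits))
        if targets and (rule.get("delete") or rule.get("mark_read")):
            reasons.append("hides the forwarded message from the owner")
        if reasons:
            findings[rule.get("name", "<unnamed>")] = reasons
    return findings


SAMPLE_RULES = [  # constructed for illustration
    {"name": "Newsletters", "subject_or_body_contains": ["unsubscribe"],
     "move_to_folder": "Reading"},
    {"name": "Assistant copy", "forward_to": ["assistant@example-realty.test"]},
    {"name": ".", "subject_or_body_contains": ["Wire", "closing"],
     "forward_to": ["collector@mailbox.example"], "delete": True},
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, ["example-realty.test"]).items():
        print(f"rule {name!r}:")
        for r in reasons:
            print("  -", r)
```

A rule that forwards internally with no other warning sign is left alone, so the output stays short enough to review by hand.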
State law may require you to have a data protection policy. In addition, you may be required by law to notify clients if a breach of PII does occur. Currently, 22 states require you to notify the state attorney general of a breach. If you fail to take the appropriate steps under state law, Edgerton said, you can be fined and may also lose your license.