Nothing seemed unusual about a transaction Bill Soffel’s agent was involved in. The agent was representing the buyer, and it appeared to be a logical step when the seller’s attorney emailed the buyer’s attorney, asking that the money to close be wired to a specific account. The buyer’s attorney complied. But it was soon found out that the email was fraudulent—and the sender, a hacker, absconded with $175,000.
Sometime during the deal, the hacker got ahold of someone’s email account who was involved in the transaction and monitored it as the details unfolded. The hacker then created a fake email address, mimicking that of the seller’s attorney, that fooled everyone involved. Now the seller doesn’t have the money to pay off the remainder of the mortgage, and the agents involved won’t earn commission. The insurance companies for the two attorneys involved are looking into whether their errors and omissions policy will cover the loss.
When Soffel, broker-owner and CEO of ERA Real Estate Team VP in Chautauqua, N.Y., shared this story with a room of about 40 other brokers attending an ERA business forum, he asked how many people had also experienced similar wire fraud or knew someone who had—and nearly half the attendees raised their hands.
“It’s clearly happening often,” Soffel says. Indeed, according to the FBI, there was a 136 percent increase between December 2016 and May 2018 in financial losses globally due to business email accounts being compromised, including sophisticated scams targeting both businesses and individuals performing wire transfer payments.
Scams specifically directed at the real estate sector rose 1,100 percent from 2015 to 2017. From June 2016 to May 2018, FBI data shows there was a loss of more than $1.6 billion in the U.S. alone. What’s more, cybersecurity company eSentire reported in October that real estate was the second highest industry hit with malware events in the second quarter of 2018.
The Quiet Email Hack
One of the reasons wire fraud via email phishing has become a serious issue in real estate is because there are several vulnerable targets: attorneys, mortgage lenders, title companies, buyers, sellers, and real estate agents. The perpetrator somehow gains access to an email account, usually through a phishing scheme like a fake Office 365 password reset request, a phony email sign-in page, or trojan horse malware that comes from an infected attachment and captures your sensitive data. (Yes, smartphones are at risk, too.) “Most of us brokers have a lot of catching up to do to make sure we’re secure,” Soffel says.
Dan Maier, vice president of Cyren, a cybersecurity company in Sunnyvale, Calif., says email phishing is the most problematic cyberthreat today. Unlike a virus in an attachment or link, once scammers gain access to your email account, they use sophisticated psychological methods to trick people into disclosing data, such as language that sounds legitimate and email signatures matching someone involved in the transaction.
“By making everything digital, we’ve also made things vulnerable to these attacks,” Maier says. Agents and brokers need to be aware of how they’re handling critical information and that email is the key component in this scam. Brokers need to tighten up their process in working with buyers and sellers, including what’s shared over email, Maier says.
Steps for Making Email Safer
The advantage of using a cloud-based security system for a real estate company’s network is that software is easier to deploy, and all inbound and outbound email will go through the security cloud, which scans for possible cyber threats and spam. The Cyren cloud processes more than 25 billion security transactions every day, and the company uses those insights to protect all the clients who use their services. “When we detect a threat anywhere in that ecosystem, we block it for everybody,” Maier says.
Keyes Company, a real estate firm based in Miami, is one of Cyren’s clients. When phishing scams going after agents’ email passwords started to become a major problem for the brokerage five years ago, it developed a company policy that wiring instructions should never be emailed. Then, Keyes added that policy to its client contracts three years ago.
Wendi Iglesias, Keyes’ chief information officer, says the firm went from 1,100 support tickets per month, with about 25 percent related to phish scam attacks, to fewer than 600 tickets a month, with about 5 percent to 7 percent involving phishing, after enlisting Cyren’s services. “The security has gone to great lengths to protect us. Now a lot of it doesn’t even make it into agents’ inboxes,” Iglesias says. For corporate computers, the brokerage runs tight firewalls across a private network, with antivirus and antimalware software on all systems.
“We make sure all agents and customers are on alert, and we have an in-office support team for agents. If they have a question or something doesn’t look legit in their email, we have our support team give it a second look,” Iglesias says.
ERA Real Estate has launched a cybersecurity and wire fraud awareness campaign to educate their affiliated brokers and agents. “We tell our agents that their consumers should always pick up the phone to verify changes in [wiring] instructions,” says ERA CEO Sue Yannaconne. ERA is also recommending that clients consider using a cashier’s check instead of a wire transfer, and they’re asking affiliate brokers to beef up email security around the systems they’re using.
However, Maier says, no security system is foolproof, and people still have to be vigilant, “which is hard because agents are on the road, they’re working on their smartphone, and they might not get the visual clues that something is off.” Sometimes, just making a phone call to confirm instructions with everyone involved makes all the difference, he says.
“These are well-organized criminal gangs—networks of people all over the world,” Maier says. “We’ve seen a rise in phishing as a service.” People use phishing kits offered by gangs, which include customer support by testing to see if messages are getting through security systems. They take a percent of the money stolen through phishing schemes, Maier explains, and the money goes to financial institutions around the globe.
Soffel reiterates the importance of educating clients and leveraging informational materials on phishing and wire fraud to communicate the threat. Brokers should make sure staff and transition coordinators are extra diligent about scrutinizing emails. “It’s easy with these types of things to think it could never happen to me,” he says. “You have to realize that you have high vulnerability as a real estate brokerage.”