Hackers could be using the global pandemic as an opportunity to target real estate as more transactions and communications are conducted remotely. What’s more, phishing emails may try to use COVID-19 as an excuse for why professionals need to renew login credential or passwords, or hackers may prey on any relaxed online security of the increased numbers of those working from home.
Now more than ever, you need to be on guard, said speakers on Thursday during a National Association of REALTORS®-sponsored virtual session, “Cyber and Data Security,” as part of the Tech Edge series. The warnings by speakers were strong because real estate scams have become a prime focus of hackers in recent years. Last year alone, real estate and rental fraud resulted in $221.3 million in total losses to victims—a 48% increase in monetary loss over the year prior, according to FBI data from the Internet Crime Complaint Center.
“Real estate is a major target that hackers are going after,” said Craig Grant, CEO of the Real Estate Technology Institute. “Be vigilant,” or it can destroy your finances, reputation, and harm your clients.
To protect your business and your clients, “awareness is key,” said Chris DeRosa, NAR's member information and ecommerce product leader, who spoke at the session. “Whatever people tell you, there is no guarantee to keep you safe from data breaches, but awareness can help so you become aware of the threats and how they are getting through so that you can then take more preventative efforts to protect your business.”
After all, real estate scams could trick your clients out of their entire down payment, scar your reputation from clients who accuse you of not doing enough to protect them, and even pose a liability to your business for failing to warn clients of the risks.
Adopt risk management and mitigation strategies to protect yourself and your clients from real estate scams. Here are a few ideas from the Tech Edge session:
1. Ask “Stop, wait, does that make sense?” When you receive an email, take an extra few minutes to question it, even if seemingly from a contact. Ask yourself: Would this person normally email you with that request? Does your bank ask you to send them your password? Does this sound like a client you have been working with? Were you expecting this attachment from your colleague? “It is not bad customer service to add a minute or two before you answer,” DeRosa said. “It will save you a big potential mess on your back end if you are caught by phishing, malware, ransomware, or give out personal data.”
2. Watch the information you share. Avoid sending wire instructions—and any personal or sensitive financial information—over email. Also, watch the information you post on social media. Hackers track MLS sites, looking to identify pending home sales. Once they pinpoint a prime target, they take part in social engineering—profiling you, your clients, title companies, closing attorneys—all whom are involved in the transaction, warned Deanne Rymarowicz, NAR associate counsel. They are scanning your social profiles for information about your transactions and hacking into your emails to start communicating with your clients pretending to be you.
3. Ensure your systems are secure. Check to make sure that your computer and antivirus software are up-to-date, including any privacy tools, add-ons for browsers, router firmware, ransomware protection, and phone apps you use for your business. Activate two-factor authentication when accessing accounts, use encrypted email, and consider using a VPN when accessing public Wi-Fi.
4. Educate your clients. From your initial client meetings to when an offer is accepted, talk to your clients about the dangers of wire fraud scams. Some brokers are even requiring signed disclosures after informing their clients of the dangers. NAR teamed with the American Land Title Association to develop a brochure that warns customers about the dangers of cybersecurity scams, including how to avoid scams and what to do if you suspect one. Customize the brochure with your information. Download it for free at the REALTOR® Store.
5. Use a transaction management platform. The benefit of a transaction management platform is that it can archive all back-and-forth communications with your client over a secure network. Investigate transaction management platforms with safeguards in place for sharing documents and sensitive information.
6. Verify, verify, verify. Tell your clients that they should always confirm all instructions in person or over the phone with a trusted representative. They should never follow emailed instructions, particularly if it involves wire fraud instructions. Also, warn them to always verify information with an independently verified phone number, and never use the contact information they find in an email.
7. Check email addresses closely. One common way that hackers infiltrate transactions is by creating spoof emails that appear nearly identical to real ones. Look closely at all email addresses for subtle differences. For example, “email@example.com” could be spoofed to come from “firstname.lastname@example.org.”
8. Add a disclaimer to your email signature. NAR.realtor offers a sample email template that can be added to the bottom of your emails to warn clients about the dangers of real estate scams. Here’s an example:
IMPORTANT NOTICE: Never trust wiring instructions sent via email. Cyber criminals are hacking email accounts and sending emails with fake wiring instructions. These emails are convincing and sophisticated. Always independently confirm wiring instructions in person or via a telephone call to a trusted and verified phone number. Never wire money without double-checking that the wiring instructions are correct.
9. Don’t click on unsolicited links. Opening a bad link or attachment can prompt a key logger, malware that reads your keystrokes and can then capture your passwords. Bill Lublin, CEO of Century 21 Advantage Gold in Southampton, Pa., said his brokerage has a company policy to never open an unsolicited attachment via email from anyone, even if it seems to come from someone they know. They are instructed to call and verify the legitimacy before opening. Also, if you receive a link in an email, hover over it to see the full link before you click. Be particularly skeptical of shortened URLs that try to mask where the pages are going to, session panelists warned.
10. Consider protection. You may never be able to fully protect your company fully from becoming a victim of a data breach, hack, or system failure from data loss. But insurance may help protect you from financial devastation. The REALTOR Benefits® Program has begun offering a new member benefit of cyber liability insurance, specifically designed for the real estate industry in protecting against scams. The coverage extends beyond just the broker to also include client coverage. Learn more: nar.realtor/cyberpolicy
11. Use a passphrase as your password. Password breaches are a common way for hackers to gain access to accounts. “Using stronger passwords is one of your best defenses against hackers,” said Heather Ozur with the Mallen, Marshall and Ozur Group at Keller Williams in Palm Springs, Calif. “Even though it’s common sense, we see people time and again use weak passwords. That is like an open door for hackers to come in.” Avoid obvious passwords that tie strongly back to you, such as a name of a pet, child, family member, birthdays, anniversaries, phone number, or common keyboard patterns (e.g., 12345) or even reusing the same password on multiple devices. Instead, consider using a “passphrase,” which consists of a sequence of words or text. They tend to be longer and harder for hackers to guess.
Ozur provided some examples:
- Create an acronym from a sentence or sequence, such as “I think that I shall never see / a poem lovely as a tree.” That passcode translates to: lttlsns/Aplaat/ (That would take a hacker 655 million years to guess, Ozur said.)
- Consider a memorable character in a vivid setting doing an imagined action as a basis for your passcode. Use the first two letters to the main word, using this example: “Ben Franklin at the beach playing volleyball on the 4th of July in 1776.” The passcode could be translated to: BeFrBeVo741776 (That would take 98 million years for a hacker to guess, Ozur said.)
12. Use a password vault app. A password management program can help store all of your passwords from your various systems in one protected place. It’s a simple way to access your passwords and remember them, Ozur said. Look for a password management system that includes two-factor authentication or biometric access, such as via fingerprint.
13. If fraud does ever occur, act immediately. If you or your clients become a victim of a scam, time is crucial, the panelists said. “The faster you act, the better chances for recovery,” said Rymarowicz. “Notify all parties involved immediately.” In a wire fraud scam situation, the buyer should contact the bank immediately to ask for a stop, recall, or reverse on the wire. Also, fraud incidents should be reported to ic3.gov, as well as to the local FBI office.