The devastating news hit Memphis, Tenn., real estate professional Pam Beall hard and fast: Her client’s home sale had fallen apart because of a single, devastating email. A few days before the scheduled closing in late December, the buyer had responded to a genuine-looking request to send the full amount of the purchase price—$203,000—to a scammer posing as a rep for the title company. Now, the money was gone, wired to a bank account controlled by an invisible thief.
The home was soon relisted by another brokerage, but that was the least of Beall’s concerns. The Crye-Leike agent remains shell-shocked about how the deal was hijacked by a cybercriminal. “That was the last thing I thought would ever happen,” says Beall. “I went into panic mode, and since that day I’ve been warning every buyer and seller I come into contact with” about the risks that come with moving money online.
Money wiring scams are not new to the real estate industry, but their frequency, aggressiveness, and success have spiked in recent years. The Washington Post reported, based on FBI data, that in fiscal year 2017, $969 million was “diverted or attempted to be diverted” from real estate purchase transactions and wired to “criminally controlled” accounts.
Typically, a cybercriminal will infiltrate an email account of one party in a transaction as a way of collecting details about the deal, then use that information to send bogus instructions to transfer funds that sound believable. Once the money is wired to the thief’s account, recovering it is often impossible.
The FBI’s Internet Crime Complaint Center refers to these scams as business email compromise, or BEC. In real estate transactions, title companies are the primary target, but BEC scammers have targeted all parties in a transaction, including agents, sellers, buyers, and attorneys. In 2016 alone, the number of wire fraud cases reported by title companies jumped 480 percent, according to the FBI.
Beall’s brokerage is taking proactive steps to strike back. Crye-Leike, which has more than 3,200 agents working out of 120 offices in nine states across the Southeast and in Puerto Rico, has established a task force of senior executives that springs into action when a scammer strikes, says Steve Brown, the company’s president of residential sales.
In fact, Crye-Leike has become an industry leader of sorts in the way it handles scams. Among the steps the company takes when a suspected cyberattack occurs is contacting the FBI and allowing its computer experts to examine devices that may have handled information pertaining to the deal, Brown says. In addition, Crye-Leike agreed to have the FBI monitor its server traffic for 90 days last year in a proactive move to thwart scammers.
By acting fast, Crye-Leike has had some success in mitigating the damage caused by scammers, sometimes even getting portions of the stolen funds returned, Brown says. But the primary aim is to figure out what went wrong and taking preventive action for the future. “We don’t anticipate getting money back. If we do, that’s just a bonus,” Brown says.
Armed with information from Crye-Leike and the company’s agents, the government has been able to track down suspected cybercriminals operating in Canada, Ghana, and Nigeria and issue warrants for their arrest and extradition, Brown says. This positive development is an important, but still relatively rare, inroad against the legions of scammers who seem to have an upper hand in this vexing battle.
“We focus on educating people about the problem, because it never ends,” Brown says. “We may be taking a few players out of the equation, but we’re just one source” for the FBI.
And wire scams are just one popular fraud. Another successful tactic cybercriminals employ is spreading software, known as malware, that allows them to remotely monitor activities on, or even control, another person’s computer or other device. One way they place malware on devices is by convincing people to click on links or attachments in emails that appear to come from a trusted source.
Some 66 percent of malware installed last year arrived via malicious emails, and 95 percent of so-called phishing attacks—which entice email recipients to turn over sensitive information, such as passwords—led to the installation of malicious software, Verizon says. Malware can also make its way onto a computer through web ads that contain infected code.
Considering the stakes in real estate, it’s critical to raise your guard during transactions and take an active role in informing clients about online risks. It’s equally important to pay attention to how you conduct your own operations and interactions with customers.
“If you are engaged online, you have to realize that the data you have is valuable,” says Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit organization based in San Diego that educates the public about cybercrime. “The optics of a data breach can have a reputational impact, and even be a business-ending event.”
Adds cybersecurity expert Adam Levin, co-founder of credit.com and chairman of CyberScout, a Providence, R.I., firm that provides cybersecurity services to businesses and individuals: “No business is too small to become a target of a hacker.”
Scammers exploit the fact that many people do a poor job of protecting themselves online, Velasquez says. A central issue is that many computer users have weak passwords for their email accounts, which has fueled a surge in online crimes that use fraudulent messages to coerce people into divulging sensitive information or, as Beall’s witnessed, sending funds. If even one party to a transaction doesn’t practice what experts call good “online hygiene,” everybody involved is at risk.
About 80 percent of hacking-related breaches last year took advantage of stolen passwords or passwords that were easy to guess, according to the 2017 Data Breach Investigations Report from Verizon. (Discover the worst passwords of 2017 here.)
The human frailties that allow scammers to succeed mean anyone can fall for cyberscams, says Steven J. Spano, president and chief operating officer of the Center for Internet Security, a nonprofit group focused on cyber defense. The tools used for stealing information are easier than ever for scammers to acquire, and online thieves have learned to develop fraudulent emails virtually indistinguishable from legitimate messages, he says. “If you don’t understand that the threats are out there and they’re real, you’ll get sloppy until it happens to you,” Spano says.
Speed Versus Safety
In one case, the chief financial officer of a large corporation nearly authorized a $750,000 transfer to a scammer after receiving what he thought was a legitimate email from the company’s CEO, Spano says. Only after realizing that his boss never signed emails the way the bogus message ended did he halt the payment.
People are naturally inclined to follow instructions from those they trust—or think they should trust—even when a great deal of money is involved, Spano says. That’s why, in real estate, BEC crimes typically hit title companies or mortgage brokers since buyers would expect to receive instructions from those parties about where to direct funds, The peril is compounded by the fact that buyers may be excited about the prospect of closing on a home and feel that if they delay, they could lose out, he adds.
As a conscientious real estate professional, you, too, may prioritize speed and agility. Robust security procedures take time to follow, says Chris DeRosa, managing director of financial information systems at the National Association of REALTORS®. Hackers may prey on your desire to respond to requests for help quickly, but resist that urge if something seems off. “We trust and we want to help. They’re good traits, and they’re great in real estate professionals,” DeRosa says. “It may be what makes real estate unique—along with having a lot of valuable information—but it also makes us a vulnerable industry.”
Target on Your Back
Real estate professionals need to remember that they, too—not just their clients—are in the crosshairs of online criminals, says Mary Ellen Seale, a federal government IT veteran who is CEO of the National Cybersecurity Society, based in Washington. “We talk to small businesses, and they say, ‘I’m too small and have nothing to steal. It will happen to someone else,’ ” Seale says—but that is simply not the case. To the contrary, cybercriminals prey on independent contractors like real estate professionals who typically do not have access to the countermeasures large organizations can marshal, she says.
Among the dangers that small businesses face are ransomware attacks, which involve malware that makes your data unreadable unless you pay the criminal a fee. These kinds of attacks are growing in popularity among hackers, and have become the fifth most common form of malware, according to Verizon. Three years ago, they were at number 22 on the list. Website hacks that can bombard your visitors with malicious software and subject them to offensive content are also a problem.
The good news is that fending off these threats isn’t as daunting as it sounds, Seale says. Simply making sure that the devices you use—including computers, mobile devices, routers, and anything else that is linked online—have the latest patches and secure passwords is a good start. “When you get a notice that says you have an update ready, don’t flick it away,” says Levin.
Backing up your data regularly on separate devices is also critical, as is protecting the back end of your website with strong security measures.
On top of the damage caused by hackers, there are potential liability issues for brokers. NAR’s legal team warns that, when clients fall prey to fraud through phishing, brokers could be legally liable if they failed to provide appropriate warnings. So make it part of your standard operating procedures to apprise clients to be on the lookout for suspicious emails. Cyber insurance can add a layer of protection against damaging consequences. Brokers should examine existing policies to determine what coverage they have for cybercrime events and then check with their insurance provider about whether additional coverage is warranted.
It’s essential for brokers to make cybersecurity central to the way you run your business. Let agents and colleagues know you welcome their efforts to identify vulnerabilities in your systems. Have a policy that agents need to inform you, without repercussion, about mistakes handling data. Such policies can go a long way toward fostering a sense of trust among everyone who plays a role in your transactions. “Create a culture [built around] cybersecurity,” Velasquez says.
Brown says Crye-Leike has come to terms with the fact that cybercrime is an ever-present danger in real estate, and that the best way to combat the problem is to preach awareness. The company makes it a practice to teach agents that deflecting cybercrime starts with making sure clients understand they will never receive instructions via email to wire funds or to provide private information that could put their money or identity at risk of being stolen. The company asks agents to inform clients that they should verify by phone—using a trusted number, not one in a suspicious email—any such instructions that appear to come from the title company or any other party to the transaction, Brown adds.
Agents should get a written acknowledgment that the client understands these instructions. “Having a document about fraud should be on every agent’s checklist, on both the buy and sell side,” Brown says. “Every agent thinks [cybercrime] ‘won’t happen to me’—and then it happens. You can never keep yourself 100 percent safe, but you can change the odds.”