Phishing Scams Are ‘Tip of the Spear’ for Cyber Threats

Scammers often use fake emails and other phishing exploits to launch larger attacks like ransomware. Familiarize yourself with the warning signs.
Phishing email

© sarayut Thaneerat - Moment/Getty Images

In real estate, millions of dollars can change hands in a single transaction, making the industry an attractive target for phishing attacks. This is a type of cybercrime where criminals use fake emails, websites or other communication channels to trick individuals into providing sensitive personal and financial information.

Don’t fall for it.

The vast majority of cybersecurity breaches—more than 80%, according to the Verizon’s 2022 Data Breach Investigations Report—involve human error. Users may unsuspectingly click a malicious link in an email, open a tainted attachment, use weak passwords, lose portable devices with confidential data or be tricked into giving up their passwords through what’s known as “social-engineering attacks.” However, there’s plenty you can do to mitigate financial, operational and reputational risks that may be associated with phishing attacks and other cyberthreats to your real estate business.

8 Steps to Avoid Phishing Scams

Phishing attacks are usually just the tip of the spear for cybercriminals. Hackers leverage phishing exploits to obtain or elevate access to systems, install malware or launch ransomware attacks.

To help protect against these types of threats, real estate industry professionals and other individuals involved in a real estate transaction should consider adopting easy-to-implement practices to reduce the risk of falling victim to phishing scams. Some of these practices include:

  1. Be cautious when receiving unsolicited emails or those that ask for personal or financial information or funds. Avoid clicking on links, opening attachments or providing sensitive information unless you are certain of the sender's identity and have verified the link address is legitimate. (Verify with known phone numbers or contact information, not ones provided in emails.)
  2. Use unique and strong passwords. Passphrases, such as “StrongHorseTable,” are unrelated words that can be strung together and are stronger than passwords. Also, consult these 8 steps to make your remote business hacker-proof.
  3. Use encryption for sensitive communications. Data encryption hides your data so others with access to your computer won’t be able to view it.
  4. Run antivirus software and keep your applications and systems updated with the latest security patches.
  5. Enable two-factor authentication to add an extra layer of security to email and other online accounts. Two-factor authentication requires an additional login credential, such as a code sent via text or email.
  6. Train employees and team members to recognize phishing scams. Some brokers may require agents to ask their clients to call them or the title company on the phone prior to wiring any funds to make sure messages they receive are legitimate. Conduct an internal audit of current procedures. Consider reaching out to a cybersecurity professional for assistance with assessing your risks, training your employees and mitigating vulnerabilities.
  7. Promptly report any suspicious activity. Every minute counts after a scam occurs. For employees, start by reporting any incidents to your employer’s IT department or help desk. For investors or real estate professionals working independently without in-house IT staff, you may want to reach out to a third-party cybersecurity services provider for professional assistance. In some cases, it may be appropriate to contact the FBI or the Federal Trade Commission, which use reported information to help bring cybercriminals and other fraudsters to justice.
  8. Be aware of the latest laws and regulations that apply to phishing scams. The Federal Trade Commission Act prohibits “deceptive conduct” in or affecting commerce, which includes phishing scams. In addition, many states have their own data protection laws with which real estate industry professionals must comply.

Phishing Often Leads to Other Types of Cyberattacks

Besides threats of standalone phishing attacks, phishing also can lead to more sophisticated cyber schemes, such as “man-in-the-middle” (MitM) attacks and business email compromise (BEC) attacks.

  • A man-in-the-middle attack is a type of cyberattack in which hackers intercept communications between two parties to gain access to sensitive information. In real estate or mortgage financing, hackers may use MitM attacks to perpetrate BEC attacks.
  • A business email compromise attack is a type of scam where hackers use email to impersonate a legitimate business or individual in order to trick the recipient into transferring money or providing sensitive information. In the real estate industry, BEC attacks may involve hackers impersonating real estate agents, title companies or mortgage lenders in order to steal down payments, closing costs or other funds.

Hackers may use MitM attacks to perpetrate BEC attacks by intercepting communications between a real estate agent or lender and a home buyer. For example, a hacker may intercept emails and then use that information to impersonate the agent and request a wire transfer of funds for the down payment on the home. The buyer may not realize that the request is not coming from the actual agent and may send the funds to the hacker instead. This type of scam turned one family’s home purchase into a nightmare.

The frequency and sophistication of cyberattacks is increasing—and phishing exploits remain the weapon of choice for cybercriminals. While email and other online forms of communication are key components of real estate transactions, these channels remain largely insecure, leaving the industry exposed to risk of theft, extortion, fraud and other potentially debilitating issues. By paying closer attention and exercising caution when using email and other communication channels, users can improve their security posture and reduce their risk of falling victim to theft and fraud from these attacks.