REALTOR® associations and MLSs are among cyber criminals’ latest targets. Recently, fraudsters used a spoofed email address to send fake invoices that so closely resembled a vendor’s that several REALTOR® associations fell prey to the scam, losing tens of thousands of dollars.
A record number of internet crime complaints were filed in 2020, the FBI says, with reported losses exceeding $4.1 billion nationwide. Business email compromises accounted for 43% of the losses, and they included compromises of personal and company emails and requests for W-2 information. “Phishing” scams in which cyber criminals try to trick victims into giving away confidential information, such as bank account details and login credentials, are also common.
The continuing rise in internet crime emphasizes the importance of remaining vigilant and training staff to spot red flags. Be suspicious when receiving unusual requests, links, and attachments, and always verify that you’re transacting business with a trusted vendor.
One of the best tools to combat internet fraud is at your fingertips: the telephone. Whenever an external email requesting payment is received (especially when there’s a change in payment instructions), the request should be verified using a known phone number for the vendor.
This simple step can help avoid devastating scenarios like a recent instance in which a staff member thought she was emailing her association’s CEO for approval of a large invoice, but she instead emailed the hacker, who, of course, approved the payment.
An association may also consider hiring an outside firm to conduct phishing awareness training.
Not only is it smart for businesses to exercise prudence and safeguard against scams, the courts expect them to do so. Last year, in Jetcrete North America LP v. Austin Truck & Equipment Ltd., 484 F. Supp.3d 915 (D. Nev. 2020), the U.S. District Court ruled against a customer who fell victim to fraudulent wiring instructions and lost hundreds of thousands of dollars, even though the vendor’s system had been hacked.
The court found that the vendor had taken reasonable steps to protect its email system, and that the customer also had a responsibility to use reasonable care, especially when red flags such as last-minute wiring instructions and poorly written emails should have alerted the customer to verify the transaction. The court noted that a simple phone call would have uncovered the fraud.
If you discover that your association has fallen victim to a cybercrime even after taking all reasonable precautions, act quickly to mitigate losses and repair the damage by taking the following steps:
- Contact your bank immediately to ask it to recall or stop the payment.
- File a detailed complaint with the FBI’s Internet Crime Complaint Center (ic3.gov), ideally within 72 hours of the loss.
- Report the incident to your local FBI office and local law enforcement.
- Report the incident to Chubb’s cyber hotline (800-817-2665) to be connected with a specialist who can help triage the incident.
The National Association of REALTORS® Insurance Program provides coverage for losses related to cyber incidents such as network breaches, ransomware, and email hacks, subject to a $1 million limit. Payment of a fraudulent invoice in the absence of a covered cyber incident is considered social engineering fraud, subject to a crime loss limit of $10,000. Additional crime loss coverage up to $200,000 to help cover fraudulent payment losses is available through the Excess Insurance Program; associations and MLSs can purchase additional coverage from Jan. 1 to April 1 each year.
Cybercrime is real, and it’s hitting close to home. Knowing the warning signs and remaining vigilant can help your association avoid being a cyber thief’s next victim.