How big of a problem is cybercrime in real estate? According to the FBI Internet Crime Report (IC3), there were $2.4 billion in losses spread across nearly 20,000 complaints in business email fraud alone in 2021.
The financial sector, which includes real estate, is a common target of cyberattacks. In 2022, data breaches in the financial industry worldwide cost on average $6 million in 2022, ranking second behind healthcare.
The consequences of a breach can be devastating with some businesses potentially losing everything and a consumer losing a significant portion of their personal savings. It can happen in the flash of a few moments – and according to Arnie Juliano, Senior Security Engineer, Zillow Group – all it takes is one legit-looking phishing email.
How Cybercriminals Can Target Real Estate Agents and Their Customers
Here’s how the scenario might occur: You as an agent open a fake email and unsuspectingly click a link that brings you to a fake login page where the bad actor then grabs your credentials, logs into your account, emails a bank about a current transaction and changes the wire account number to their own, making off with some, or even all, of your funds.
If successful, Juliano says, cybercriminals, many of whom are masters at counterfeiting emails, can view your emails containing sensitive customer information, templates and contact lists, take note of how you correspond, grab your signature and use all of the above to make your emails look authentic.
An attacker can also target an agent’s platform to leverage valuable information like a property address, closing date, name of the title company and agent names to launch a persuasive, well-timed email to the consumer. The email might prompt the consumer to send wire instructions, which would, in turn, direct funds to the attacker.
When the agent’s customer receives that email, it’s “no longer a spoofed email,” Juliano says, “it appears as the agent sending that email.”
Perhaps the worst part, all of this can occur in the few moments it would have taken the agent to have taken an extra security measure like validating his log-in credentials with a two-factor authentication, also known as MFA (Multi-factor Authentication).
Why Cybercriminals Target Real Estate
While cybersecurity technology is constantly improving, so are the skills of bad actors, who constantly adapt with industry trends and often set their marks on real estate agents, says Joshua McKiddy, Principal Security Architect at Zillow Group.
Most breaches come from external sources, with stolen credentials as the most-used entry point, according to Verizon’s 2022 Data Breach Investigations Report.
In Q3 2022, Phishing Activities Trends reported the average wire transfer amount resulting from an account takeover totaling $93,881.
Because agents market themselves to help grow their spheres and commonly handle valuable customer data and financial assets, they have become ideal targets for cybercrime.
“It’s a hustle sales business,” says Juliano. ”If time kills all deals, [agents] are always in a rush to close so they may not take the time to validate.”
Unfortunately, those few extra moments gained can equate into more loss that can’t always be reclaimed, including large sums of money and customer trust.
5 Ways Real Estate Agents Can Help Safeguard Themselves and Their Customers Against Cybercrime
According to Juliano, a real estate attack typically starts with a phishing email.
“From there, the cybercriminal may create a credential harvesting web page that looks like a common web page the agent goes to often,” he says. Some can appear quite authentic and often coax the target into logging in to “validate” their account.
“The criminal can then log in to the platform or agent’s email to see what their target’s email signatures look like, the deals they’re working on, all their customer data and might even respond to those emails or place rules in the inbox to further hide their activity,” says Juliano.
A fraudulent email can reflect authenticity once the bad actor has all the inside information, including the name of the person at the bank, the wire instructions and the bank account number swapped with their own. “Because the bank knows they’re getting ready to close on a deal,” he says, “they may slip by unnoticed.”
Large brokerages, lenders and title companies are also targets. “Many times,” Juliano says, “the criminals are doing reconnaissance and trying to figure out the best way to monetize the situation – ransomware or to have the target send a wire.”
Fortunately, there are safeguards you as a real estate professional can take to safeguard your business and your customers’ most valuable assets:
A Microsoft study found that 99.9% of compromised accounts did not use Multi-factor Authentication (MFA). Simply put, by not using MFA, you’re making it that much easier for someone to access your account with all of your customer data.
“If there’s a breach,” Juliano says, “how are you going to deal with it as a real estate company and what kind of trust is that going to destroy between you and your customers?”
Multi-factor authentication consists of something you know, like a password, and something you have, like a cell phone, an authenticator app or biometrics, a relatively new method that uses fingerprints or facial recognition.
In the case of MFA using SMS text as the “thing you have,” the user enters a password, which prompts the MFA system to trigger a code sent to the phone number on file, which the agent then validates and inputs into the login field to grant access to the system.
If improved security isn’t enough reason to use MFA, there may be other business implications to consider. According to Juliano, insurance rates on cyber liability are rising while coverage is trending down. “Some well-known insurance companies will not even consider you for coverage if you don’t have MFA on your system,” he says.
Agents who share passwords risk their credentials falling into the wrong hands, be it a co-worker, a client or a past employee, says Juliano. In fact, weak or stolen passwords lead to 80% of hacking-related breaches, according to Verizon’s Data Breach Investigations Report.
Another study by Keeper Security found that to help remember their passwords, many workers share passwords via text or email (62%) and write them on sticky notes (57%). Remote-based workers (66%) reported they’re more likely to write down their work-related passwords, often next to their work devices at home where they can be accessed by anyone within close proximity.
If you’re sharing passwords with colleagues, reusing passwords across personal or work-related accounts, recording passwords in insecure locations, or using simple, easy-to-guess passwords like a child’s name or birthday, you are compromising your credentials, says Juliano and McKiddy.
McKiddy also notes that phishing is the No. 1 attack method cybercriminals use to target real estate professionals and their customers. Their goal is to gain access to compromised credentials. “Being able to gain credentials and spoof them in email is valuable to the cybercriminal and a common method,” he notes.
“If you’re sending emails to customers, you’re already raising your risk of exposure,” says McKiddy. Before clicking on any link, he recommends real estate professionals verify the source and avoid clicking on links they don’t know.
Because real estate agents are constantly trying to get their name out in the community, social media is a great place to pick up leads – but, unfortunately, it’s also become a place for cybercriminals to find their victims.
According to Juliano, there are “definite limitations” on what you should and shouldn’t say on social media channels. Sharing information can be used to attempt an attack on a transaction, such as identifying information about a house that’s approaching a closing.
For McKiddy, “the No. 1 thing real estate agents should do is treat customer data as their own and protect it as you send it.”
For instance, security professionals say implementing best practices like taking the few extra minutes to make a phone call to verify wire transfer instructions can help safeguard customers against fraud.
McKiddy also recommends using a transaction management system like dotloop, with document storage in a digital encrypted portal with MFA to validate password credentials.
“This will help ensure an extra level of trust with us and their data,” says McKiddy, adding the same security protocols should continue downstream during the transaction.
Dotloop transaction management system recently introduced MFA to the login process to further harden the system and add that extra layer of protection.
Security protocols always include using a secure (non-public) Wi-Fi. Also, setting long, complex passwords containing special characters – and not your name – follow best practices.
Password managers are a great option for generating and managing different passwords and can be stored in a web browser to pop up in the login window, allowing easier use of complex passwords while avoiding the risk and inconvenience of having to record or remember them.
“Information Security is not just the responsibility of your cybersecurity team, but is a corporate responsibility that we all share,” says Elena Seiple, VP, Information Security, Zillow Group. “Being diligent in our day to day routines and practices reduces our overall risk.”
By staying vigilant and following best practices, such as logging into your system with MFA and not sharing passwords, you can help to significantly mitigate your risk of cybercrime.
As Juliano notes, “The cybercriminal just has to be right once. We have to be right all the time.”
All information on cybersecurity in this blog is for informational purposes only and does not constitute legal advice by dotloop. Dotloop is not providing any cybersecurity recommendations or advice, and nothing herein is meant or should be construed as an endorsement, recommendation, or referral by dotloop for cybersecurity standards.