Cybercriminals find the real estate industry a rewarding target. Speedy, last-minute transfers of large amounts of money are an opportunity for fraud to win big.
In Manhattan, a brokerage lost over $1 million. An agent clicked on an email with a malicious link, which allowed the criminals to gain access to their email account. The criminals then monitored past and current emails, learning when a large commercial closing was to occur and with whom. Using the compromised account, they diverted the transfer of funds to accounts they controlled.
Clients are also targets. Criminals pay attention to sales, using the public nature of the web and savvy intelligence gathering (called open source intelligence). They can learn when a closing is going to occur and create an email that appears like it’s coming from the title company with fraudulent wire transfer instructions.
Some research has shown that as many as half of real estate transactions show signs of potential wire and transfer fraud, and half of real estate professionals encountered seller impersonation fraud attempts. One in two.
What is the fix? Or rather, how can I protect myself and my clients better?
What you can do
Education can apply to both the professional and the client. As a professional, spend time with your client and lay out exactly how and with whom monetary transfers will be conducted. Implement a protocol on the day of the transfer, where you are with them every step of the way, or at least provide a trusted alternative. Confirm all the details of the transfer verbally before pressing send.
Where possible, use secure portals to send wire transfers, and not through email. Implement controls, such as validating identities, and even have two people verify all transactions.
For professionals, learning to identify phishing scams is a must. There are many videos on the internet with tips and tricks on how to spot a scam.
All of this training emphasizes the importance of being vigilant when encountering requests to click or download a link in a financial context. An example of this could be an email from your manager stating that escrow account transfer details have changed. In cases like this, use a different form of communication, like a phone call, to confirm the request.
What about deepfakes?
Criminals are using AI tools to create “deepfakes.” This technology can be used to generate realistic audio or video of people while on a remote call.
In Florida, a title company avoided being scammed when it asked a prospective buyer on a video call to raise its hand. It couldn’t do so, which confirmed their suspicions that the call was a deepfake.
Using alternate channels to communicate and verifying identities using requests that non-humans would struggle with are some simple ways to detect these tactics.
Two-factor authentication should be enabled on all accounts, including email. Email uses various factors to detect if you are the one signing into your own account. If these checks fail partially, then a code will be sent to your phone or authenticator to confirm the login.
Lastly, assume the worst is going to happen and plan for it. This could mean checking your insurance coverage, whose policies often don’t cover wire fraud losses. In cybersecurity, there is a mantra that it is not if you will be hit, but when. Ensure that you have commercial crime or cyber liability insurance and that it includes wire fraud coverage.
Also, spend some time planning your behavior when this does happen. What are the specific steps you will take when you learn that criminals are involved in your business and deals? Who will you alert first, and then next? This will no doubt involve company management, financial institutions, and law enforcement.
If you are able to, reach out to a cyber professional to assist your brokerage. They can provide some tips on implementing secure strategies. They can also help run awareness training and assist with creating an incident response plan, which is the actions to take when you encounter fraud or any other cyber incident.
It’s easy to feel overwhelmed by all the steps involved with staying protected. But peace of mind doesn’t have to take days of work and break the budget. By spending a little time beforehand, you and the people you work with can dramatically reduce the threat of fraud.
Ryan Thompson is a cybersecurity professional with over five years of experience. Specializing in awareness and offensive security, he has worked with governments, big companies and charities. He hopes to engage with small businesses to ready them against cyber threats.
Interesting read. “Some research shows”- it would be most helpful if this research could be referenced and whether there is any Canadian specific information.
What role do lawyers representing our clients play.