All Articles

CyberSecurity: Simple Steps to Protect Your Firm, Your Brokers, Your Clients and Yourself

Across the nation, cybercrimes claim victims daily. Washington State is ranked number six in the FBI’s ranking of states with the most number of victims. In 2018, Washington had nearly 11,000 individual victims of cybercrime with losses totaling over 60 billion dollars. Among all the cyber crimes perpetrated, crimes involving real estate transactions rank number five in the amount of financial loss. Unfortunately, at the heart of many real estate related cybercrimes, is a real estate broker who unwittingly allowed a consumer’s information to be exposed.

Consider a recent court decision from Virginia. The Virginia broker communicated, via email, with buyers who lived in San Francisco and were relocating to Virginia. The buyers sent financial and other personal information to the broker, including a prequalification letter and other general information about their financial responsibilities. The buyers found a house and executed a purchase agreement. 

Thereafter, the escrow company contacted the buyers and emailed wire instructions from a title company email address. Days later, and a week prior to closing, the buyers received a second email, seemingly from the same escrow officer, except that it came from a Gmail address. The email gave the buyers different wire instructions and advised the buyers to send the closing funds immediately. The buyers complied and wired more than $100,000 to hackers in Africa. It was eventually discovered that the hackers obtained the buyers’ contact information and other information relating to the transaction by hacking into the broker’s personal email.

It is believed that the broker’s email was hacked when she received an email from a California real estate agent explaining that the California agent wanted to refer a client to the Virginia broker. The Virginia broker conducted an internet search and confirmed that there was a California real estate agent with the name given in the email. The Virginia broker called the phone number provided in the email and left a message encouraging the referral. When the Virginia broker received a follow up email from the California agent, she clicked an attachment that purportedly contained a list of properties in which the referred buyers were interested. To open the attachment, the Virginia broker entered the username and password for her personal email. The Virginia broker did not have antivirus/malware protection software on her computer. 

Fast forward to a lawsuit where buyers sued both the broker and her firm. The buyers’ allegations focused on the broker’s actions that lead to exposure of the buyers’ information and the lack of protective measures associated with broker’s computer use. As mentioned, the broker had no antivirus or malware protection software on her computer and the court ultimately concluded that the firm failed to conduct training and testing of broker computer practices and failed to mandate use of two-factor authentication measures. The broker settled with the buyers prior to trial and the firm defended on the basis that the broker was an independent contractor and thus, the firm could not dictate broker’s computer practices or require broker to maintain certain software on her personal computer. The court rejected the firm’s defense and found in favor of the buyers. The jury awarded damages and attorney fees to the buyer at three times the amount of money the buyers lost.

While there is no guaranteed way to stop cyber crime from impacting consumers, there is a simple step that all brokers can take to educate consumers about these risks and empower consumers to protect themselves. Surely, had the Virginia broker done this, her buyers would not have made the mistake of wiring funds to a hacker. But, if they did, the broker and her firm would have had a much better defense.

The broker should have given her client a simple one-page flyer that explains the expected actions of hackers and instructs the client to ALWAYS call the escrow company’s known phone number to confirm wire instructions prior to wiring. A flyer that accomplishes this is available from Washington REALTORS® (https://www.warealtor.org/resources/member-resources/wire-fraud-alert) and from the National Association of REALTORS® (https://www.nar.realtor/law-and-ethics/wire-fraud-email-notice-template). Broker should present the flyer along with an explanation of the risks associated with cyber fraud and the general principle that the consumer should always call the known escrow phone number to confirm wire instructions prior to wiring. Broker should retain proof, in her firm’s transaction folder, that this information was presented to the client.

Brokers and firms should consider the safety measures employed in their computer systems and practices. NAR recently announced that they are working closely with CyberPolicy® to build an NAR member-only cyber-liability insurance program to protect your real estate business. As a member benefit, REALTORS® and REALTOR®-firms may receive exclusive savings and enhanced coverage options. Stay tuned for more information.

Individuals can employ certain practices to help protect sensitive client data and personal information. During the annual conference in November, NAR invited cybersecurity expert Robert Siciliano to speak to members about defending against data breaches, spyware, malware, ransomware and keyloggers.

Siciliano offered some simple, easy-to-implement advice for members...

Employ Layers

There is no one tool to prevent your identity or sensitive information from being compromised. Add layers of protection to safeguard yourself against cybercriminals. 

Freeze Your Credit

By freezing your credit with all three bureaus, this all but stops 'new account fraud' in its tracks. Freezing your credit does not harm your credit score in any way and gives you control over what accounts are opened in your name. You can freeze, pause and unfreeze your credit any time by contacting the credit bureaus individually.

Identity Theft Protection 

These programs are not free but usually offer some kind of immediate support in the first 24-48 hours after being compromised. Many offer ongoing support with restoration operations to help you salvage your professional reputation, recoup lost income and pay for ongoing legal defense.

Password Manager

Password managers have high encryption protection and will keep you more safe than you trying to remember all of your passwords or you using the same password over and over again. If just one of your accounts is compromised, then hackers have at least one password combination. Many will then run scripts to try to log in with your credentials on all the major email providers and other popular accounts and occasionally, will get a hit. Your best bet is to use a password manager that will allow you to use more secure passwords. 

Assume Your Information is Already Out There

Billions of accounts (including email and password combos) have already been compromised over the last 5-6 years. There is nothing you can do at this point about information already exposed except to add layers of protection to yourself now. Check your email address on the website: https://haveibeenpwned.com/. You have probably been compromised in at least one breach at some point. If so, change passwords for all your accounts—even better, implement a password manager.

Add Log in Security

Set up two-factor authentication on all your accounts so you always get a text code to log in. 

USB Drops

Never pick up an abandoned thumb drive. 'USB Drops' (hackers install viruses and malware on thumb drives and leave them in highly trafficked areas like office parking lots) are still common. Most people don't intentionally plug a dropped thumbdrive in their computer. They usually pick it up, thinking it belongs to a collegue, and then forget about it...until later, when they need a thumbdrive and don't remember that it was the one that they picked up in the parking lot.

USB Keylogger

These devices are easy to obtain— anyone can buy them on Amazon.com. If someone has access to your keyboard with a USB drive, they can plug a keylogger in and record all of your keystrokes. Vulnerabilities include public internet access spaces and any others who access your work space when you're not around. 

Free Isn't Always Better

Don’t function on free antivirus in perpetuity. You can always try a free version of antivirus but never continue to use the free version. You get what you pay for.

Credit Cards

Set up text alerts for all charges. You are more likely to gloss over a charge at the end of the cycle statement than you would be if you got a real time text alerting you to a charge. 

According to Siciliano, real estate agents are one of the top targets for phishing on hackers' radar. Firms, should employ good policies to protect the brokerage and individuals should employ layers of protection to safeguard personal and client information.