In June 2018, the Memphis-based real estate company Crye-Leike found itself embroiled in an international online fraud scheme. Eight people were caught stealing nearly $15 million from the firm. Evidence later emerged linking them to phishing scams.
Crye-Leike is not alone. In 2017, the FBI warned of a large spike in cyberattacks specifically targeting real estate companies. They noted that fraudulent real estate transactions jumped 5,000%, from $19 million in 2016 to nearly $1 billion (US $969M) in 2017.
The FBI also saw inbound complaints of cyberattacks related to real estate jump 480% between 2016 and 2017.
What makes real estate so alluring and easy to hack?
In 2017 Zillow valued the U.S. real estate market at $31.8 trillion (1.5x the value of the nation's GDP). Real estate tech is also one of the fastest growing tech sectors. High-value areas often draw criminals.
(Source)
With real estate in particular, no federal law mandates that businesses have to implement information-security programs (like banks and hospitals do). This has resulted in companies with exceptionally vulnerable systems.
A recent survey showed that 50 percent of real estate companies do not have sufficient resources to prevent or even mitigate a cyberattack. The industry has fallen behind.
This piece will break down ways that real estate firms can come up the curve and protect their sensitive information.
3 Ways To Brace Your Team Against Cybercrime
1.) Invest in cybersecurity insurance.
The average cost of a data breach topped $3.8 million in 2018—and small businesses remain particularly vulnerable. While many real estate companies are large corporations, others are still local and family-run and have been working with the same systems for generations.
Costs to recover from a breach (e.g., additional PR for damage control, IT spending, and nonfinancial damages like decreased brand reputation or having to fire an executive) are often more than companies can handle.
Real estate teams have insurance for natural disasters — why not for cyber disasters?
Cybersecurity insurance (or cyber liability insurance) is stand-alone coverage that helps mitigate loss from a security incident. With the number of breaches and the volume of exposed personal records escalating every year, no organization is safe.
With cybersecurity insurance, many major providers, like AIG and Chubb, can help reduce the effects of the following:
- Damaged or stolen data and software
- First-party costs, such as event management, data restoration, and network interruption
- Lost business opportunities
- Extortion (in the event a hacker holds data for ransom)
- Money stolen through false requests or other methods
Nearly all insurance plans are customizable and offer options to further insure the customers or vendors whose information was exposed or taken.
A data breach never looks good, but being able to reimburse your customers will go a long way toward maintaining their trust and retaining them going forward.
2.) Never conduct and confirm wire transfers by email.
Business email compromise (what Crye-Leike sustained in 2018) is a common method for hackers targeting realtors.
In 2017, one couple in Washington, DC, lost $1.5 million in such a scam. They received a request to wire the title company money for their home at a different address. After re-directing the funds, the couple learned that the company didn't even know about this new request. It was a false organization.
Business email compromise in the form of a bucket brigade attack, also known as man-in-the-middle (MITM) attack, is often very difficult to detect. If they're well designed, they're nearly indistinguishable from routine forms:
(Source)
This DocuSign spam email is formatted to look legitimate and includes correct names and dates for context. If an employee is in a rush, it's easy to simply sign without careful scrutiny.
Recently, hackers have been gaining illegal access to real estate professionals’ email accounts to get information about impending transactions, according to reporting from WAMU. If a deal has closed, the hackers often reach out to the buyers while impersonating the real estate company and request that they wire funds to a new address—a similar pattern to what the couple in DC suffered. Buyers end up sending down payments to fraudulent accounts.
To stay safe from phishing scams, tell your customers that they should never wire funds through email. If they have questions, have them reach out to you directly.
3.) Use a cloud security platform.
While a subset of the real estate industry (tech firms like Homespotter, Redfin, and Cadre) is already digital, many traditional shops still rely on printed paper, physical filing systems, and outdated hard drives. This leaves critical data ripe for theft or vulnerable to simply being lost or damaged.
Moving your data to the cloud brings numerous advantages, such as the following:
- Distribution (no single point of potential failure)
- A more stable back end, with multiple backups
- Greater capacity for insight into irregular behaviors
Teams across the board, whether in real estate or other sectors, like retail, media, and finance, are dealing with larger volumes of customer information. Names, email and physical addresses, phone numbers, genders, locations, devices, and even race and religion are valuable in creating more-targeted marketing materials and personalized communications. As teams collect and process more of this data, their repositories are ripe for theft if they don't have the proper security.
Some digital security teams deliver robust identity management solutions that make sure you know who's working within your system at any time. Auth0, for example, provides a dashboard that allows users to monitor customers logged into their accounts, consultants authorized by a company, and even its own employees. You never know when a hacker is impersonating a user you know and attempting to access sensitive data.
Even teams that operate digitally can be scattered, with data in many different locations—not to mention a mobile workforce logging in from all over the world on various devices. The dashboard allows admins a centralized view to better understand what's happening across the board. You can view current and new active users, compare their current and historical behaviors, and even use the tool to quickly block or communicate with users you think are out of line.
Shifting to a cloud security platform will open up a range of new possibilities for organization and security.
There's No Better Time to Improve Real Estate Security
You can't control hackers' behavior. Even the largest corporations with the most robust security systems are vulnerable. But you can control your own security plan. Investing in cybersecurity insurance, educating your employees about email scams, and bolstering your digital and identity-management infrastructure are all important steps you can take to ensure that you and your customers will be able to recover if a breach occurs.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.