Chairman’s Message: The Cyber Crime Target on Real Estate’s Back

Quincy Virgilio: MLSListings Inc 2015 Chairman

Quincy Virgilio
2017 Chairman, MLSListings

Until a year ago, it was easy to dismiss high-profile cyber attacks when they were hitting Hollywood studios, large corporations, and foreign entities. But with the recent Equifax hack affecting 143 million regular citizens, this issue may have finally captured the attention of individuals and businesses storing and sharing personal, or confidential, information. Data is the primary currency for cybercriminals because of the broad extortion and manipulation opportunities it provides for revenue generation.

Cyber crime is big business and it operates with traditional operating structures like company org charts and call centers for collecting payments from victims of ransomware and other hacking crimes. Real estate brokerages, and even agents themselves maintain and share highly confidential client information through mortgage applications, offer submissions, credit reports, sales contracts, leases and rental agreements, and so much more. This is precisely the type of information targeted by cybercriminals.

Types of Hacks

To protect yourself and your business, you must first understand the types of cybercrimes and your points of vulnerability. Today, ransomware is far and away the number one threat to both individuals and businesses. In this situation, a hacker gains access to your computer – often through breaking your password – and installs software that damages or disables your computer. A ransom is demanded to restore access to your computer and all your files and data stored there. Last year, the average ransom paid was $1,017, up 270%, according to Symantec’s 2017 Internet Security Threat Report.

Phishing is one of the oldest scams, which dupes you into revealing personal information that can then be leveraged for fraud or extortion. These typically come in the form of emails that appear to be from a familiar source, like your bank or a vendor you do business with, and they request that you contact them or provide personal information to win something, correct something or even, ironically, to ensure that your personal information isn’t exposed to hackers.

For businesses, this can be particularly problematic because an email can be received from what appears to be a trusted source, with a request to click a link to gain access to documents that the sender appears to need to share with you. Too often, people are moving quickly through their emails and automatically click the links to see what their “client” or “mortgage lender” has sent. This results in the automatic downloading of malware on your computer, leaving you exposed to more theft of data. According to Symantec, one in 131 emails contained this type of malware threat.

Now, this hack has become more prevalent on social media, where it is known as “spear phishing.” When you participate in social media games or surveys, maybe listing your favorite bands, this information is used by a hacker to create duplicate sites that appear to be your own. From there, the phisher can pose as you and gain access to your friends’ information.

Passwords are the most vulnerable point of entry to your computer, so it’s the first place hackers target. In fact, 90% of hacking attempts begin with breaking your password. Once a hacker breaks your password, he or she has free access to everything on your computer and the ability to take it over for more devastating purposes like ransomware.

The Vulnerabilities for Real Estate Professionals

Technology has transformed the real estate industry, making it easier for agents to stay connected while out in the field, but it also places a significant burden on them in terms of security. There are several key points of vulnerability:

  • Email Correspondence – Sending and receiving contracts, applications and other files with sensitive data can be intercepted by hackers with disastrous results.
  • Stored Documents and Data – It’s typical to store contracts and applications, property videos, client data, and other information on your computer but this makes them vulnerable to anyone who can gain access through your password or more sophisticated hacking that can occur with cloud-based storage systems like Dropbox or Box – all of which have experienced hacking attacks.
  • Public WiFi – If you tend to work at a coffee shop, the airport, or other places where public WiFi is offered, you expose your laptop or phone to hackers because of the nature of this Internet portal.
  • Social Media – A vital marketing tool for real estate professionals, but one where agents and brokers can find themselves dealing with a crisis. Online scammers can gain access to your social media accounts and replicate them, then reach out to your clients and other visitors to your sites and execute phishing scams aimed at them, as well, posing as you.

Fighting Back

While many people play the odds that they won’t become a target for hackers, this strategy is no longer viable. Equifax proved that: those whose identities were stolen are now at greater risk of exploitation and extortion. For cybercriminals, it’s a numbers game and they do not single out someone because of their personal profile.

As real estate professionals, we should worry not only about our own information and data, but that of our clients. Today’s clients are asking their agents and brokers what is being done specifically to protect their personal and financial information. It’s important to have real solutions in place. The National Association of REALTORS® provides a helpful checklist that are viewed as best practices for real estate professionals:

Email and Password Hygiene

  • Never click on unknown attachments or links, as doing so can download malware onto your device.
  • Use encrypted email, a transaction management platform, or a document-sharing program to share sensitive information.
  • Regularly purge your email account, and archive important emails in a secure location.
  • Use long, complicated passwords such as phrases or a combination of letters, numbers, symbols.
  • Do not use the same password for multiple accounts.
  • Use two-factor authentication whenever it is available.
  • Avoid doing business over unsecured WiFi.

 Other IT-Based Security Measures

  • Keep antivirus software and firewalls active and up-to-date.
  • Keep your operating system and programs patched and up-to-date.
  • Regularly back up critical data, applications, and systems, and keep backed up data separate from online systems.
  • Don’t download apps without verifying that they are legitimate and won’t install malware or breach privacy.
  • Don’t click on links in texts from unknown senders.
  • Prior to engaging any outside IT provider, review the applicable privacy policies and contracts with your attorney.

 Law, Policy, and Insurance Considerations

  • In collaboration with your attorney, develop a written disclosure warning clients of the possibility of transaction-related cybercrime. Recommend in the disclosure that buyers never wire money without first confirming the wiring instructions via a phone call to the intended recipient.
  • Stay up-to-date on your state’s laws regarding personally identifiable information, the development and maintenance of cyber and data-related business policies, and other legally required security-related business practices.
  • Develop and implement the following policies:
    1. Document Retention and Destruction Policy
    2. Cyber and Data Security Policy
    3. Breach Response and Breach Notification Policy
  • Ensure that your staff and licensees have reviewed and are following all implemented policies.
  • Review your current insurance coverage, and ask your insurance agent about cyber insurance and the availability and applicability of products such as social engineering fraud endorsements and computer & electronic crime riders.

The Costs

You can no longer gamble that you won’t be a victim of a cyberattack. There’s too much at stake when it comes to your business, and the costs can be catastrophic – even putting you out of business.

  1. Financial Costs: hacking can hit your pocketbook with no recourse for recovering that money. For example, with ransomware you are locked out of your computer and the only way to get access to your files is to pay a ransom – and there are no guarantees that the hacker will release your computer. The police and FBI are little help because of their caseloads and prioritization of larger cyber crimes.
  1. Time: Your time is money, particularly as a real estate professional, and the lost time trying to recover your files, clean up malware, deal with fraud and other identity theft issues, reload programs or set up a new computer takes time away from your real work.
  1. Emotional Distress: Just like a robbery of your home or theft of personal items, hacking takes an emotional toll on the victim.  It is an invasion of your privacy and you are left wondering what a hacker might do with the information he or she now has in their possession. There are real fears of future attacks by these unknown criminals and you have no idea when or how you might be victimized again.
  1. Reputational Harm: When a hacker gains access to your personal information through your computer, there is the risk of exposure that may cause damage to your reputation, or that of your business.  Private photos can be made public, confidential emails can be revealed to others, and client files can be released and leveraged in ways that can harm their company.  Your reputation can be destroyed in an instant and when client work is exposed, it can ruin your company’s client relationships and result in a loss of business – or even shut down your business because of this security lapse.

Final Thoughts

As a real estate professional, you can’t afford to maintain a casual attitude about cybersecurity, or be lax in how you handle business and client information when operating online. Hackers may appear to have the upper hand these days, but there are things you can do to make it more difficult to become a victim.


Comments are closed.