Keeping Real Estate Transactions Safe — Cybersecurity Best Practices and Wire Fraud Prevention

Topics: Cyber Liability

By Margaret T. Ling, ESQ., NYS Agency Business Development & Underwriting Counsel, AmTrust Title Insurance Company

I. Why Cybersecurity Is So Important in Real Estate Transactions

The real estate industry has faced the reality of suffering damages and losses from cybersecurity breaches. These breaches can occur at any stage of the real estate transaction but prove most significant when they surface in the funding stage, when money is disbursed.

With technology driving how we process our transactions, it is imperative to practice good cybersecurity hygiene.

Cybercriminals have prevailed in many instances. Wire fraud is rampant, and it is all too common that money is stolen from a closing, with the proceeds diverted from the rightful owners. In some of these cases, sellers never got their sale proceeds from the purchaser, a bank didn't get its mortgage payoff, or the creditor of a judgment had their payoff funds diverted to the cybercriminal.

The real estate industry has suffered billions of dollars in loss from real estate wire fraud.

II. Why Real Estate is the Target of Cybercriminals

Cybercriminals go after real estate transactions for many reasons.
  1. Real estate transactions involve large sums of money that pass between parties in a one-time event in a reasonably short amount of time.
  2. All parties exchange very sensitive personal information, such as Social Security numbers; phone and email information; dates of birth; bank account information; address information; work history; other people's information when references are required; and rental and home addresses.
  3. If parties are in a hurry to close and eager to complete the transaction, less due diligence may be used, and cybercriminals can take advantage of this and intercept confidential information.
  4. A real estate transaction involves multiple individual parties exchanging information freely among one another. Cybercriminals easily slip in between the cracks and get information.
  5. The use of email in real estate transactions is a target for cybercriminals. They use another person's identity via email and get an innocent party to send funds to the cybercriminal.

III. Phishing and How the Cybercriminals Get Your Personal Information

Phishing is social engineering through the practice of sending fraudulent communications that appear to be coming from a legitimate and reputable source.

Phishing is usually executed via email and text messaging. Most of us move quickly, given the number of emails and texts we receive on a daily basis. One quick click, and we can fall prey to a cyber hacker. The cyber attacker's goal is to divert and steal money, gain access to sensitive data and login information, or install malware on the victim's device.

There are four types of phishing:

1. Spear Phishing

Spear phishing targets specific groups, individuals, or business roles in an organization. It is highly personalized, and the attacker will use detailed personal information to establish trust with the victim. Attackers will pose as legitimate friends or contacts whom the victims may know. They will then proceed to trick the victims into divulging sensitive, confidential information, which may include financial information, and into authorizing payments from their bank accounts to the attackers. The attacker may further convince the victims to download malware onto their computers so that the attacker may gain access to all protected confidential information.

2. Whaling

Whaling is where the target is a high-level individual in the office, such as the CEO or CFO, who holds delicate and high-level information, including tax ID and bank account information and access codes.

3. Smishing

Smishing is where the attack is sent to your cell phone via text messaging or short message service (SMS), often with a clickable link.

In the most common smishing attack, you get an SMS message that your bank account is compromised and that you must click on the link to confirm and provide your confidential bank information. Once you click and provide the information, the cybercriminal gets access to your accounts.

For example, in a smishing attack targeting the real estate industry, potential homebuyers or sellers might receive text messages purportedly from legitimate real estate agencies or agents, offering exclusive deals or urgent updates about property listings. These messages could contain links to fake websites or prompts to reply with personal information under the guise of verifying identity or expediting the transaction process.

Unsuspecting recipients, eager to seize what appears to be a time-sensitive opportunity, may unwittingly disclose sensitive details like their financial information or login credentials, falling victim to identity theft or financial fraud. With the growing reliance on mobile communication in real estate transactions, smishing presents a stealthy yet potent threat, undermining trust and jeopardizing the security of both clients and industry professionals.

4. Vishing

Vishing is where your personal and confidential information is being targeted through a voice call on your phone.

An example would be "Microsoft" calling to help you update your computer or fix a virus. They will ask for credit card info and passwords to resolve the issue. The cybercriminal then has your personal information, and you have given them access to your computer to install malware. In some cases, the cybercriminal may install a bot, which is software that can command and control your computer.

IV. Wire Fraud Red Flags to Watch Out For

Below are some red flags to be aware of to protect your real estate transactions from wire fraud:
  1. A change in the content of a customer's email where it suddenly contains different language, payoff instructions, or doesn't have the same flow as other chains of emails from the individual.
  2. Transaction instructions originating from an email account that looks very similar to the client's account but has variations. The original email has been altered slightly by adding, changing, or deleting one or more characters. THIS IS A RED FLAG that you are now emailing a cybercriminal who has hacked into your chain of emails.
  3. Emailed payoff instructions that originally named the account of the beneficiary payee have been changed and now name a new, different account.
  4. New email transaction instructions direct wire transfers to a foreign bank account that has been on an alert list as the destination of fraudulent transactions. This should look strange, as the payment is directed to a beneficiary who is totally new and has no previous business history in the transaction.
  5. Transaction instructions and email subject line reading: "URGENT," "SECRET," or "CONFIDENTIAL," rushing the funding and disbursement of funds with the hope that the bank won't stop to check and confirm the authenticity of the request.
  6. Email instructions that come from someone who is new and hasn't handled the wire transactions before.
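
Red flags 2, 3, 5 and 6 above can be screened for mechanically before anyone acts on an emailed wire instruction. The following is an added example, not part of the original article: the function names, the two-edit threshold, and the sample addresses and account labels are constructed assumptions.

```python
import re

URGENCY_WORDS = ("urgent", "secret", "confidential")  # subject-line words from red flag 5

# Constructed sample: address noted at the start of the deal -> account confirmed by phone.
KNOWN_PARTIES = {"closings@lawfirm.example": "ACCT-CONFIRMED-001"}


def edit_distance(a, b):
    """Levenshtein distance: counts single-character adds, changes and deletions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(sender, subject, account, known=KNOWN_PARTIES, max_edits=2):
    """Return the red flags raised by one emailed wire instruction."""
    sender = sender.strip().lower()
    flags = []
    if sender in known:
        if account != known[sender]:
            flags.append("account-changed")  # red flag 3
    else:
        near = [k for k in known if edit_distance(sender, k) <= max_edits]
        if near:
            flags.append("lookalike-sender:" + near[0])  # red flag 2
        else:
            flags.append("new-sender")  # red flag 6
    if any(re.search(r"\b" + w + r"\b", subject, re.I) for w in URGENCY_WORDS):
        flags.append("urgency-wording")  # red flag 5
    return flags


if __name__ == "__main__":
    # Constructed messages: (sender, subject, payee account in the instructions).
    for msg in [
        ("closings@lawfirm.example", "Payoff letter", "ACCT-CONFIRMED-001"),
        ("closing@lawfirm.example", "URGENT: updated wire instructions", "ACCT-NEW-999"),
        ("closings@lawfirm.example", "Updated instructions", "ACCT-NEW-999"),
    ]:
        print(msg[0], red_flags(*msg) or "no flags; still confirm by phone")
```

Any returned flag means holding the wire until an independent phone call to a previously confirmed number verifies the instructions.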

V. Cybersecurity Hygiene and Best Practices

In our busy everyday lives, we must slow down and be more vigilant. Cybercriminals are preying on the fact that we are all moving very rapidly and may miss slight changes in our emails, or click on links that can forever divert money to cybercriminals and hackers.

Everyone in a real estate transaction can take precautions to avert cybersecurity hacks and wire frauds.

From the beginning, always confirm all parties to a transaction. Note their emails. If there is a sudden change, make a phone call to confirm it is them.

Before you open an email:
  • Double-check to confirm the sender is valid. Sometimes, an email is off by just one letter, and you may be communicating with a cybercriminal attempting to break your computer.
  • Check the email "to" and subject line: If they look suspicious, do not open the email, as it might have a virus that will contaminate your computer. Make a phone call to inform other parties that their email may have been compromised.
  • Be careful of multiple email addresses on the email, as a non-secure email address can give hackers access to sensitive details of a transaction. The hackers will then do their best to send fraudulent emails to redirect wired funds to them.
  • Be careful of urgent words, demanding language or requests in an email that may not be within normal practice.

Before opening and downloading files:
  • Do not open an email attachment or click a link in an email unless you are expecting it, and you trust and recognize the sender. Be aware that it might have a virus or be an attempt to install malware. Instead, call the sender to verify it.
  • Remind your teams never to download any software/programs to their computers that are not authorized by the company. They may be downloading malware.

Change usernames and passwords often:
  • Use strong passwords, and do not use the same password for every account.
  • Use complicated sequences that are not easy to copy. For example: Password must be at least 8 characters. Use a mix of letters and numbers. Mix uppercase and lowercase letters. Add at least one special symbol (!@#$).
  • Apply two-step or multi-factor authentication in addition to a password when logging on.

General Cyber Hygiene:
  • Use encryption to transfer sensitive personal and financial information. For example, never email or text Social Security numbers or bank account information.
  • Never use an unsecured public Wi-Fi network without a VPN.
  • Check all URLs and links carefully.
  • Poor spelling and grammar and odd phrasing in an email are also red flags.
  • Maintain up-to-date secured operating systems with antivirus programs and the latest firewalls.
  • Back up important data, applications, and systems and keep them separate from online systems.

Carefully monitor fund wires:
  • Prior to the wires, all parties must confirm their contact information and bank account information.
  • Independent phone calls should be made to confirm all payees, payee amounts and banking account information.
  • All wiring instructions should be transferred via secured encrypted emails.
  • Question any sudden changes or requests regarding the wiring instructions.

VI. What to Do If Wire Fraud Occurs or a Cybercriminal Hacks You

Realize that time is of the essence. Take the following steps immediately.
  • If you're dealing with wire fraud, contact the bank to issue a fraud wire recall and provide them with a notice of the wire transfer.
  • File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov within 24 hours.
  • Contact your local FBI office and local District Attorney's office.
  • Report the crime to the FTC.
  • Inform all parties to the transaction.
  • Shut your computers down, as they may have been compromised, and there may be malware in the system.

Real estate cybercrimes are definitely pervasive, but vigilance by all parties involved in the transaction can prevent these crimes from happening.
 