BY: MARGARET T. LING, ESQ., NYS Agency Business Development & Underwriting Counsel, AmTrust Title Insurance Company
1. Why Cybersecurity Is So Important in Real Estate Transactions
Since the beginning of the COVID-19 pandemic, the real estate industry has been suffering damages and losses from cybersecurity breaches. These breaches can occur at any time of the real estate transaction. More significantly, they surface at the end of the transaction when funds are disbursed.
With technology driving how we process our transactions, it is imperative to practice good cybersecurity hygiene.
Wire fraud is rampant, with money often stolen from a closing with the proceeds diverted from the rightful owners. In some of these cases, sellers never got their sale proceeds from the purchaser, a bank didn't get their mortgage payoff, or the creditor of a judgment had their payoff funds diverted to the cybercriminal.
The real estate industry has suffered billions of dollars in loss from real estate wire fraud.
2. Why Real Estate Is the Target of Cybercriminals
Cybercriminals target real estate transactions for several reasons.
- Real estate transactions involve large sums of money that pass between parties in a one-time event in a reasonably short amount of time.
- All parties exchange sensitive personal information, such as Social Security numbers, phone and email information, dates of birth, bank account information, address information, work history, other people's information when references are required, and rental and home addresses.
- Parties are in a hurry to close and eager to complete the transaction. As a result, less due diligence occurs, and cybercriminals can take advantage of this and intercept confidential information.
- A real estate transaction involves multiple individual parties exchanging information freely among one another. Cybercriminals easily slip between the cracks and get information.
- The use of email in real estate transactions is the target for cybercriminals. They use another person's identity via email and get an innocent party to send funds to the cybercriminal.
3. Phishing and How the Cybercriminals Get Your Personal Information
Phishing is social engineering through the practice of sending fraudulent communications that appear to be coming from a legitimate and reputable source.
Phishing is usually executed via email and text messaging. Most of us move quickly, given the number of emails and texts we receive daily. One quick click, and we can fall prey to a cyber hacker. The cyber attacker's goal is to divert and steal money, gain access to sensitive data and login information, or install malware on the victim's device.
There are four types of phishing:
1. Spear Phishing Spear phishing is when a specific group or individual is targeted.
2. Whaling Whaling is where the target is a high-level individual in the office, such as the CEO or CFO, who holds delicate and high-level information, including tax ID and bank account information and access codes.
3. Smishing Smishing is where the attack is sent to your cell phone via text messaging or short message service (SMS), often with a clickable link.
In the most common smishing attack, you get an SMS message that your bank account is compromised, and you must click on the link to confirm and provide your confidential bank information. Once you click and provide the information, the cybercriminal gets access to your accounts.
4. Vishing Vishing is where your personal and confidential information is targeted through a voice call on your phone.
An example would be "Microsoft" calling to help you update your computer or fix a virus. They will ask for credit card info and passwords to resolve the issue. The cybercriminal then has your personal information, and you have given them access to your computer to install malware. In some cases, the cybercriminal may install a bot, which is software that can command and control your computer.
4. Red Flags to Watch Out For
Below are some red flags to be aware of to protect your real estate transactions from wire fraud:
- A change in the content of a customer's email where it suddenly contains different language, payoff instructions, or doesn't have the same flow as other chains of emails from the individual.
- Transaction instructions originating from an email account that looks very similar to the client's account but has variations. The original email has been altered slightly by adding, changing, or deleting one or more characters. THIS IS A RED FLAG that you are now emailing a cybercriminal who has hacked into your chain of emails.
- Emailed transaction payoff instructions to the original account of the beneficiary payee have been changed and are now different with a new account.
- New email transaction instructions direct wire transfers to a foreign bank account that has been on an alert list as the destination of fraudulent transactions. This should look strange, as the payment is directed to a beneficiary who is new and has no previous business history in the transaction.
- Transaction instructions and email subject line reading: "URGENT," "SECRET," or "CONFIDENTIAL," rushing the funding and disbursement of funds with the hope that the bank won't stop to check and confirm the authenticity of the request.
- Email instructions that come from someone who is new and hasn't handled the wire transactions before.
5. Cybersecurity Hygiene and Best Practices to Prevent Cybersecurity and Wire Fraud
We must slow down and be more vigilant and careful. Cybercriminals are preying on the fact that we are all moving quickly and may miss slight changes in our emails or click on links that can forever divert money to cybercriminals and hackers.
Everyone in a real estate transaction can take precautions to avert cybersecurity hacks and wire fraud:
- From the beginning, confirm all parties to a transaction. Note their emails. If there is a sudden change, make a phone call to confirm it is them.
- Be on the lookout for fraudulent emails. Before you open an email:
- Double-check to confirm the sender is valid. Sometimes, an email is off by just one letter, and you may be communicating with a cybercriminal who has breached your computer.
- Check the "to" and the subject line: If they look suspicious, do not open the email, as it might have a virus that will contaminate your computer.
- Be careful of multiple email addresses on the email, as a non-secure email address can give hackers access to sensitive details of a transaction. The hackers will then do their best to send fraudulent emails to redirect wired funds to them.
- Be careful of urgent words, demanding language, or requests in an email that may not be within normal practice.
- Before opening and downloading files:
- Do not open an email attachment or click on a link in an email unless you are expecting it or trust the sender and recognize the email address. Be aware that it might have a virus or be an attempt to install malware. Instead, call the sender to verify it.
- Remind your teams never to download any software/programs to their computers that are not authorized by the company. They may be downloading malware.
- Change usernames and passwords often. Always:
- Use strong passwords, and do not use the same password for every account.
- Use complicated sequences that are not easy to copy. For example, a strong password must be at least 8 characters. Use a mix of letters and numbers. Mix uppercase and lowercase letters. Add at least one special symbol (! @ # $).
- Apply two-step multiple authentication to log on with a password.
- Use encryption to transfer sensitive personal and financial information. For example, never email or text Social Security numbers or bank account information.
- Never use an unsecured public Wi-Fi network without a VPN.
- Check all URLs and links carefully.
- Read the content carefully. Poor spelling and grammar and odd phrasing in an email are also red flags.
- Maintain up-to-date secured operating systems with antivirus programs and the latest firewalls.
- Back up important data, applications, and systems and keep them separate from online systems.
- Carefully monitor fund wires:
- Before the wires, all parties must confirm their contact information and bank account information.
- Independent phone calls should be made to confirm all payees, payee amounts, and banking account information.
- All wiring instructions should be transferred via secured encrypted emails.
- Question any sudden changes or requests regarding the wiring instructions.
6. What to Do If Wire Fraud Occurs or a Cybercriminal Hacks You
Time is of the essence—take the following steps immediately.
- If you're dealing with wire fraud, contact the bank to issue a fraud wire recall and provide them with a notice of the wire transfer.
- File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov within 24 hours.
- Contact your local FBI office and local District Attorney's office.
- Report the crime to the FTC.
- Inform all parties to the transaction.
- Shut your computers down, as they may have been compromised, and there may be malware in the system.
Real estate cybercrimes are pervasive, but vigilance by all parties involved in the transaction can prevent these crimes from happening.