The real estate world is increasingly electronic with email, texts, electronic transaction platforms and electronic transfers of funds. This modern technology creates new opportunities for criminals and thieves. 

The phisherman

It is summertime in Wisconsin, and nothing could be more idyllic than to enjoy some fishing on one of Wisconsin’s countless lakes, streams and rivers. A shady place to sit and a cold beverage round out the picture. “Summertime, and the livin’ is easy, fish are jumpin,’ la la la la.” Oh no, wait! This is about that other kind of “phishing,” which is not so pleasant to think about. 

This kind of phishing is about the “phishermen” who send email and texts and make calls that seem to be from reputable companies you work with or are familiar with. But make no mistake: these phishermen are scammers! They try to trick you into clicking on a link or providing personal information like a password or account number so they can steal your money or identity or gain access to your computer. The message you receive is the bait, and you are the fish! Please do not take the bait!

Phishing emails may look like they’re from a bank, a credit card company, a social networking site, an online payment website or app, or an online store. They often tell a convincing story to trick you into clicking on a link or opening an attachment. They often indicate there is a problem or even an emergency you need to take care of immediately. They may say they’ve noticed some suspicious activity or log-in attempts, claim there’s a problem with your account or your payment information, insist you must confirm some personal information, or say you’re eligible to register for a refund or receive a coupon for free stuff. Make no mistake, the bait appears authentic, at least at first glance.

How to protect yourself from phishing attacks

The first line of defense is your email spam filters, but the phishermen are constantly trying to invent new ways to outsmart the filters. Make sure your computer has good security software that automatically updates to address new threats — same for your mobile phone.

The next recommendation is going to be met with some moans and groans because many think this is a royal pain in the behind, but using two-step authentication for your devices and accounts is very effective. This process requires additional credentials to log in, such as a password you get via text message or an authentication app, or a physical feature like your fingerprint, retina or face. Two-step authentication makes it harder to get into your email or accounts if the scammers already have your username and password. Also use complex passwords and change them periodically.
At the end of the day, everyone needs to be aware and suspicious of unexpected and uninvited emails and texts. Training and reminders to agents and staff are key. Once a hacker infiltrates a company’s email system by one person’s seemingly harmless click, everyone in the system may be compromised, and it may not be immediately detected

Read www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams to see examples and find out more. For example, see the phony Pizza Hut coupon offer at www.consumer.ftc.gov/blog/2014/11/free-pizza-nope-just-free-malware. 

The extortionist

The extortionist is the criminal who uses ransomware to force victims to pay large sums of money to regain access to their data and their computer systems or servers. Ransomware is software that infiltrates a computer or computer system and blocks a user, often by encrypting the data or locking the screens, until the victim pays a fee to the computer blackmailer.

The computer user victim is typically faced with a locked screen containing instructions to purchase cryptocurrency like Bitcoin for the payment of the ransom. Upon payment of the ransom, the computer user is to receive a decryption key that will presumably decrypt the files and allow access. But the decryption keys are not always successful in restoring full data and access.

The ransomware enters the computer system when a computer system user takes the bait and clicks on a link in a phishing email or via a user with remote desktop access. Attackers may acquire passwords that have been compromised or may brute-force passwords if they are not complex using a computer program designed to crack passwords. Access may come because the user has used the same usernames and passwords across multiple sites or used public Wi-Fi. Once in, the ransomware may spread to the web server, file server, email server, workstations and network-connected devices.

Efforts to prevent these attacks are similar to the steps taken to keep the fish from taking the phishing bait. Educate those who use the system, have current data security programs in place, require remote users to obtain permission from the system administrator before downloading programs, use two-factor authentication, and lock a device or system if there are multiple unsuccessful access attempts.

Ransomware attacks are increasingly common, preying upon computer systems for businesses, both big and small, and even governments. This summer, the government information systems for the city of Baltimore, including all real estate records, as well as the Georgia court systems and Lake City, Florida, have been attacked with ransomware, creating a major dilemma: pay the ransom or lose the data. The Lake City ransom was in the neighborhood of $460,000. Lake City paid its $10,000 deductible, and its insurance policy paid the rest. If the ransom is not paid, the data will be lost at a potentially larger cost involving new equipment and data recreation; the reputation of the business may be severely harmed as well. Baltimore refused to pay a $75,000 ransom, and its restoration process has cost millions of dollars.

Several government agencies, including the FBI, advise against paying the ransom to keep from encouraging the ransomware cycle. It is believed computer ransoms are underreported, which the FBI says only further encourages the extortionists. 

The thief

The story of criminals hacking into the email accounts of real estate agents or other persons involved in transactions and using the information gained from the hack to dupe the buyer into wiring money to the thief is unfortunately familiar. The thief is after the buyer’s money.

A real estate professional, a title company or an attorney has his or her email account compromised. The thief monitors the account waiting for the big pay-off where the buyer is going to wire funds for the real estate closing. As the closing draws near, the thief uses the compromised email account to send a legitimate-looking message to the buyer that looks like it is coming directly from the broker or other service provider in the transaction. There has been a last-minute change in plans: the buyer’s money needs to be wired instead of paid at closing or should be wired to a different account — these are major red flags. 

The new account belongs to the thief and is overseas where recovery of the funds is next to impossible. In some cases, the thieves even follow up with phone calls, purporting to be from a representative for the title company, broker or seller’s attorney, and reassuring them the new wire transfer instructions are real.

Banks rarely are responsible for a wire authorized by the customer, even if the customer was tricked into sending it, so in most cases, the money is gone. 

See “The Risks of Sending Wire Transfer Instructions,” in the October 2017 Wisconsin Real Estate Magazine at www.wra.org/WREM/Oct17/WireTransferFraud. 

Stop the cyber villains

Stop the phisherman, the extortionist and the thief before they can commit their crimes. Imagine the consequences of accidentally exposing clients’ confidential data. Imagine the nightmare if a hacker captures their bank account records, Social Security numbers, credit card information, driver’s license details or other sensitive data. Prevention is the best medicine

1. Establish an ongoing data security policy — consult NAR’s Data Security and Privacy Toolkit at bit.ly/DataSecurityToolkit
2. Carry insurance protecting against cybercrimes.
3. Train your agents regarding various email red flags and data security measures. Humans are the target, and they are the weakest link.
4. Educate buyers about real estate wire fraud so they won’t wire their closing funds to a thief’s offshore account

To learn more, review the National Association of REALTORS^®’ “Window to the Law: Creating a Cybersecurity Program” video at
www.nar.realtor/videos/window-to-the-law/window-to-the-law-creating-a-cybersecurity-program.

Debbi Conrad is Senior Attorney and Director of Legal Affairs for the WRA.