Crye-Leike, based in Memphis, Tennessee, describes itself as the #3 real estate service in the United States. Recently it was the target of an attempt to breach its computer systems. It seems to have done everything right, and there’s no indication that the attempt was successful. Crye-Leike notified the FBI and shut down some internal systems as a precaution. This followed a similar attempt earlier in 2018, which resulted in the arrest of eight people in July. That one was also unsuccessful.
News reports say that the business had solid protection in place. Its systems were backed up, and it had installed multiple layers of protection. A team of security experts came in to assess the situation and mitigate any damage. The attack may have been a two-pronged one. Reports mention not only attempts to get at internal systems, but deceptive email messages attempting to redirect payments.
The situation could have been much worse. Data breaches can expose real estate businesses to liability for negligence. They can be forced to rebuild their systems, interrupting business for days or weeks. Some businesses have had to shut down permanently as a result of online attacks.
The risks to real estate businesses
The security breaches that make headlines are the ones that hit the very biggest companies, hospitals, and government agencies. However, they represent just a small fraction of the ongoing attacks on cybersecurity. Smaller businesses are typically more vulnerable, since they don’t have a large, dedicated computer security staff.
Agencies, title companies, lenders, and real estate lawyers all face these risks. They handle personally identifiable information, which identity thieves would love to get their hands on. When people apply for loans or make payments, they supply Social Security numbers, bank account information, and credit card numbers. Commercial transactions can involve many millions of dollars. The price of a home may not be huge on a global scale, but it’s often more than all the buyer’s assets put together. Fraud is personally ruinous in those cases.
The professional’s responsibility
All professionals who handle money and financial information have a legal responsibility to be careful with it. Brokers, when acting as their clients’ agents, have a fiduciary responsibility toward their clients. The legal details vary between states, but in general they have to protect confidential information and guard the client’s bargaining position. Negligence that results in financial harm could lead to a ruling that forfeits the agent’s commission or awards payment for damages. Protection of confidential information includes adequate data security measures.
The danger of email scams
The attack on Crye-Leike included an attempted email scam. The scheme was based in Africa and involved individuals from several countries, including the United States. The scam stole $15 million from businesses and individuals in transactions related to real estate.
The technique is more formally known as business email compromise, or BEC. Another term is “spearphishing,” which means the use of personally targeted email to trick people into diverting money or giving valuable information to the perpetrator.
Spearphishers often use personal details to impersonate a trusted person and give instructions to take certain actions. The mail will say something like, “Please take care of this right away. I’ve just had to change my bank account information. Here’s where the payment for the property at 1 Main Street should go …” It will include exact details about the seller, buyer, and property and convey a sense of urgency.
If the recipient makes the change, the money will go to the scammer’s account in another country, and it will be permanently gone before there’s a chance to fix the mistake.
The FBI warns that BEC scams have heavily gone after real estate businesses. The most common version is the redirection of funds to a fraudulent account. Sometimes a message asks for W-2 forms or other personally identifiable information. Victims in the U.S. lost $2.9 billion to these tricks between October 2018 and May 2018. Unreported losses undoubtedly push the total even higher. Buyers, sellers, title companies, real estate lawyers, and agents have all reported attempts to trick them this way.
The growth in email scams directed at the real estate business has been huge. The FBI reports that the number of victims reporting them grew by a factor of 11 between 2015 and 2017. The monetary losses grew by a factor of 22.
Email isn’t a trustworthy medium. It’s extremely easy to forge someone else’s email address. Publicly available information lets forgers give plausible details. Whenever an email message makes an unusual request that would be hard to reverse, the smartest reaction is to confirm it by another channel, such as a phone call. If the email says that the person won’t be reachable in time, that’s just one more reason to be wary.
The need for constant caution
Cybersecurity is an important concern for any business. Criminals target anyone who might have something they want. Real estate businesses aren’t specialists in IT or online security, so they may seem like easy targets. With proper planning for security, though, they can greatly reduce their risks.
Spam filtering protects against email scams. Anyone can have lapses of caution, but people can’t respond to messages they never see. Filters won’t catch everything, but they’ll block a great many messages that come from dubious sources or have suspicious features. Setting up SPF record checking helps to catch forged messages.
Everyone needs to develop security awareness. Real estate people have to choose strong passwords for their accounts and protect them carefully. They have to develop a skeptical attitude about their email. If something looks wrong, it may be wrong.
Real estate brokerages don’t usually have their own IT departments unless they’re very large, but someone needs to take responsibility for minimizing online risks. Accounts shouldn’t be handed out too freely. Cloud software packages allow tailored assignment of roles to users, so that they can do only the tasks they need to do. If someone steals the password for an account, it will do less damage if the account can perform only limited actions.
Two-factor authentication gives extra protection against stolen passwords. If people have to confirm their logins with a code sent to their cell phones, that’s a slight inconvenience, but it can prevent a major loss.
The security you need
A partnership with Kraft Technology Group can give your real estate business the level of security it needs. We’ll perform a security assessment, address any existing problems, and set up security measures and monitoring to keep your systems safe. Get in touch with us to find out about all the advantages we offer.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.