The Real Estate market is still hot: how to make sure you don’t get burned.

Don’t think you could fall for a social engineering attack?

98% of cyber-attacks rely on the human element (social engineering) in some way to carry out the attack. For industries that rely heavily on human interaction, such as Real Estate, the human element is usually the most vulnerable component.

New research by Zillow puts the total value of every home in the U.S. at $33.6 trillion, nearly as much as the GDP of the two largest global economies combined – the U.S. ($20.5 trillion) and China ($13.6 trillion)[1]. New homes in the country were 43.2 percent up in 2020, the highest since 2020[2]. Moves to the suburbs add to house buying pressures, while shifts to lower-tax locations and continued low interest rates sustain the ongoing U.S. housing boom. With the increasing market value of real estate investment, coupled with lax security in the chain of businesses involved in the sector, there is a potential for a large payoff for bad actors.

How does it work?

In most cases, these attacks rely on some form of impersonation.  Whether it is in person, over the phone, via text, or email (the most prevalent), the goal for the attacker is to make someone believe they are corresponding with a trusted or legitimate source (business or person).  Bad actors will use stolen or false identities to gain information about a business or property to conduct a larger attack. In some cases, they do this just to rent the unit and stop paying.  In other cases, they will re-rent the unit to collect the rent but then not pay the rental company/owner. After collecting information from an initial impersonation, the criminals will even pose as vendors to request renewal of service or update payment information.

Wire Fraud surrounding real estate transactions is becoming a bigger problem as the closing process becomes more electronic. This threat can present itself as a well-timed email (or snail mail) near the closing date with all the expected information of the title company and the correct amounts of the transaction. The correct information could have resulted from a previous attack on the Real Estate Agency or the Title Company, which was just a fact-finding mission to gather the necessary information for the wire fraud attack. Then this is sent to the buyer as a phishing attack. But this isn't your normal phishing attack where you click the link. Instead, it is one where the attached PDF contains all the relevant information that leads to you transferring the down payment and closing cost to a criminal's account, after which the funds are virtually unrecoverable.

A more general social engineering attack is just to learn personal information about someone to leverage it somehow. One way that applies to anyone is to crack or guess their password, or the security questions used to reset their password. Many passwords are built from common names, words, numbers, and symbols that contain personal information. Because we are human, we are predictable. So with a little personal information and some knowledge of how most people create a password, an attacker can reverse engineer a password. Since most people use the same password for multiple accounts, many other email, work, and banking accounts can be compromised.

What can I do?

There is much you can do to look out for this along the way, and there are processes that you can have in place to help catch these kinds of attacks. For instance, you can do background checks and actually call references, and be aware of excessive questions before giving out any specific information about the business or processes, especially security details (cameras or other technical security measures).

Fortunately, there are several practices you can follow to protect yourself from social engineering attacks:

1. Be Vigilant

Part of security hygiene involves starting with a protocol for opening attachments and clicking links on emails. If you get a file or a message and do not know the sender or you were not expecting the email, the safest course of action is to delete the message. In the case of links, you can hold the cursor over the URL and look at the popup text showing the location the link redirects to. Most importantly, please do not click the link until you have verified it is not malicious.

As for the wire fraud attack, try calling a number that you know is trusted, such as one for your Real Estate Agent or the Title Company taken from "the yellow pages" (and NOT the number they provided in the email), to confirm the source of the email and especially the account information. Across all the ways to mitigate these risks, we say remove the human element as much as possible and use technology to your advantage as much as the criminals have.

For instance, one of the best things you can do when presented with these situations is to request that all correspondence be sent by email. This practice forces the attacker to do more work, which they are averse to doing. It also removes some of the human interaction and allows technology to work in your favor. Removing the human element will help eradicate the emotional component, which is what criminals use as leverage. Of course, this assumes that your company has a mitigation system for phishing attacks, such as KnowBe4, BrandShield, or RSA FraudAction, and other technical security measures so that these attacks are caught before the damage has been done.

2. Multi-Factor Authentication

Some online accounts, such as bank self-service portals, offer extra security by requiring more than one credential to access your account. The additional credentials may be something you know (password or PIN), something you have (a passcode sent via an authentication app or a security key), or something you are (fingerprint, face, or retina scan). For instance, a common MFA factor is a one-time password (OTP), which features a 4-8-digit code that systems send via email, SMS, or an authentication app. With OTP, a new code is generated periodically, mainly every time you submit an authentication request. Applying MFA in your real estate transactions makes it harder for scammers to access your accounts even if they steal your user credentials.

3. User Identity Verification Tools

Tools like Trust Swiftly can help you verify an individual buyer's or seller's information (ID, documents, and SSN) to ensure you're actually dealing with the person they claim to be. They can verify ownership of email, phone SMS, PayPal, banking accounts, and more. The easiest and most reliable way to protect your passwords is with a password manager such as Keeper, Dashlane, or LastPass. These password managers create complex passwords and store them for you, so you don't need to remember each one. You only need to know one master password to access the others.


Eugene Sapo