cyber security for realtors

CYBER CRIME:  PROTECTING YOUR FIRM AND YOUR CLIENTS

As the world evolves, so does the real estate profession.  These changes are sometimes a double-edged sword.  The internet, apps, tablets, etc. improve communication with clients and provide new ways to market properties, but also provide criminals new opportunities to prey on the profession and its clients.  In today’s environment of transmitting information and money at the touch of a button, criminals can create ways to intercept that information and money to your and your clients’ detriment.

This page is a compilation of information designed to assist you in protecting your office and clients from cyber criminals.  Additional references are provided below if you wish to learn more about this subject.


The first step in combating cybercriminals is making sure you have a sound data security plan in place.  The Federal Trade Commission states that a sound data security plan is built on five key principles:[1]

ONE: Take stock

  • At minimum, know what information, particularly personal identifying or identifiable information (PII), you have in your files and on your computers. Know how it is received, if it is stored, where it is stored, who has access to it, etc.
  • Traditionally PII includes a name, date of birth, Social Security number or anything that contains identifying information for a person. However, the Federal Trade Commission now regards data as personally identifiable if it can be reasonably linked to a person, computer, or device.  In many instances, device identifiers, MAC addresses, static IP addresses, and retail loyalty cards can reasonably link PII to a person, computer, or device.[2]
  • Louisiana’s “Database Security Breach Notification Law” defines “personal information” as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted: Social security number, driver's license number, account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.[3] 

TWO: Scale down.

  • Keep only what you need for your business. Do not collect sensitive or personal identifying information or customer financial information unless you need it.  Dispose of this information as soon as federal and state law allow or, if no such law applies, once you no longer have a business need for it.
  • Do not utilize Social Security Numbers as employee or customer identification numbers.
  • Each employee should only have access to the resources and information necessary to do their job.
  • If you do need to keep this information for business or legal purposes, make sure to have a records retention policy covering what information must be kept, how to secure it, how long to keep it, and how to dispose of it properly. REMEMBER: Louisiana Real Estate Commission rules require you keep records for five years.[4]

THREE: Lock it to protect the information that you do keep.

  • The most effective data security plans have four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.
  • The most effective defense is often a locked door or an alert employee.
  • Computer security is not just the realm of your IT staff.
  • Make sure employees regularly run up-to-date anti-malware programs on individual computers and on servers on your network.
  • Caution employees against transmitting PII via e-mail. Unencrypted email is not a secure way to transmit information.  However, when you must receive or transmit financial information via email, use Transport Layer Security (TLS) encryption or another secure connection that protects the information in transit.
    • Gnu Privacy Guard will prevent some hacking threats.[5]
    • Mailvelope will also work to encrypt messages on Web mail providers such as Yahoo, Gmail, Outlook, and others.[6]
    • For a small monthly fee, you can use a Virtual Private Network, which makes sure that all your communications are automatically encrypted and tunnel through a protected network instead of through the services accessible to hackers.[7]
  • Control access to sensitive information by requiring that employees use strong passwords. Require password changes when appropriate – for example, following a breach.
  • Restrict the use of laptops to those who need them to perform their jobs. Consider allowing laptop users to only access sensitive information, but not to store the information on their laptops. 
  • Use a firewall to protect your computer from hacker attacks while it is connected to a network, especially the Internet.
  • Your information security plan should cover the digital copiers your company uses. The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes, or emails.
  • Your data security plan is only as strong as the employees who implement it. Make sure you explain the rules to your staff and train them to spot security weak spots.  A well-trained work force is the best defense against cybercrime.
  • Ask every employee and agent to sign an agreement to follow your company’s confidentiality and security standards.
  • Know which employees have access to clients’ PII.
  • Train employees to recognize threats.
  • Teach employees and agents about the dangers of spear phishing – emails containing information that makes the emails look legitimate. Make it office policy to independently verify any emails requesting sensitive information.  When verifying, do not reply to the email and do not use links, phone numbers, or websites contained in the e-mail.
  • Warn employees about phone phishing. Train them to be suspicious of unknown callers claiming to need account numbers to process an order or asking for customer or employee contact information.  Make it office policy to double-check by contacting the company using a phone number you know is genuine.
  • Require employees to notify you immediately if there is a potential security breach, such as a lost or stolen laptop.
  • Before you outsource any of your business functions – payroll, web hosting, call center operations, data processing, etc. – investigate the company’s data security practices and compare their standards to yours.
  • Put your security expectations in writing in contracts with service providers.
  • Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.

FOUR: Properly dispose of what you no longer need.

  • Implement information disposal practices that are reasonable and appropriate to prevent unauthorized access to – or use of – personally identifying information.
  • REMEMBER: Louisiana Real Estate Commission rules require you keep records for five years.[8]
  • Have a policy in place to ensure that sensitive paperwork is unreadable before you throw it away.
  • Burn it, shred it, pulverize it to make sure identity thieves can’t steal it from your trash.
  • When disposing of old computers and portable storage devices, use software for securely erasing data, usually called wipe utility programs.

See “Destroy to Protect: Consumer Information and Data Security”, Risk Management Report by Patricia B. McMurray and Rebecca S. Helveston, for more information regarding REALTOR® responsibilities pertaining to retention and disposal.

FIVE: Plan ahead and create a plan for responding to security incidents.

  • Designate a person in your organization to coordinate and implement a response plan.
  • If a computer is compromised, disconnect it immediately from your network.
  • Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information.
  • Consider whom to notify in the event of an incident, both inside and outside your organization.
  • Consult your attorney to assist and guide you through your response to security incidents.

 

[1] “Protecting Personal Information:  A Guide for Business”, Federal Trade Commission, https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business

[2] Federal Trade Commission Chairwoman Edith Ramirez, https://www.fedscoop.com/edith-ramirez-ftc-aspen-institute-august-2016/

[3] La. R.S. 51:3073.

[4] LAC 46:LXVII:1803.

[5] “9 Ways to Keep Data Secure”, REALTOR Magazine, Lee Nelson, August 2015, http://realtormag.realtor.org/for-brokers/network/article/2015/08/9-ways-keep-data-secure.

[6] Id.

[7] Id.

[8] LAC 46:LXVII:1803.


Cybercriminals Targeting the Real Estate Transaction to Commit Wire Fraud

Real estate professionals should be aware of fraudulent wiring instructions. Cybercriminals are increasingly sending false messages on behalf of home sellers, home buyers or borrowers, real estate brokers, title companies, and lenders, regarding the transfer of funds associated with a real estate transaction. 


According to new data provided by the FBI, in fiscal year 2017, nearly $1 billion ($969 million) was “diverted or attempted to be diverted” from real estate purchase transactions, and wired to “criminally controlled” accounts. That figure is up from fiscal 2016, when the FBI counted $19 million in wire transfer frauds affecting homebuyers. The FBI describes the growth rate of this type of theft as “steep,” though the sharp statistical rise may be partially attributable to increased reporting of such hacks by consumers, banks and real estate industry participants.[1]





Cybercriminal Wire Fraud Cautionary Tale:  Candace Butcher and James Butcher v. Land Title Guarantee Co.; Envoy Mortgage; Wells Fargo Bank; Kentwood Real Estate Services LLC; and Karen Porras, D 162011 CV 1959, District Ct. Denver County, Co.


In mid-January 2017, Candace and James Butcher hired a real estate agent to assist them in locating and purchasing a new and final home in Colorado.   When the agent and the Butchers found this home, they began negotiations with the seller and agreed upon a $540,000 sales price.  The Butchers informed the agent that they had approximately $267,000 in cash and that they wanted to obtain a mortgage to pay any balance above that amount.


The agent advised the Butchers to utilize the services of a specific mortgage broker to obtain their mortgage loan.  The Butchers took the agent’s advice and went with that mortgage broker.


Unfortunately, a series of terribly unfortunate events allegedly followed.  These events resulted in the Butchers filing suit alleging a series of fraudulent events committed by the mortgage broker, title firm, the financial institution, and also the agent.  Additionally, the Butchers now state that they are living in their son’s basement. To date, no resolution has been reached and the case is ongoing.


So, how did this allegedly happen?  


As often occurs, the agent emailed the Butchers notifying them that they would be receiving wiring instructions from Shannon at the title company prior to closing.  


Two days prior to closing, the Butchers received an email from a Shannon Ryon at the title company requesting that they wire $272,535.96 cash to close and asking that they reply to the email to confirm receipt.  The email listed the name “Shannon Ryan” and did not identify the domain name of the sender (the information that goes after the @ symbol), a common feature for email programs utilized in the United States.


Within a half an hour from the e-mail allegedly from the title company, the mortgage broker allegedly emailed the Butchers a final closing disclosure stating that the Butchers would need to wire the same amount to close on the property. 


The Butchers replied to confirm the e-mail from “Shannon Ryon” and were sent wire instructions which they followed.  The next day the Wells Fargo Fraud Transaction Department informed the Butchers that the wire transfer was fraudulent. From there, the Butchers allege that they were informed that the legal and wire fraud groups at the financial institution were actively handling the matter and trying to retain the funds, that it would take 2 to 3 hours to recall their funds (and later that it would take up to six weeks), and that the financial institution had a policy of not contacting the Federal Bureau of Investigation in these types of situations.


Eventually, the Butchers allegedly determined that there was NOT a wire fraud claim number assigned as previously told and that only the local branch had been working on the wire transfer matter.  At that time, after much work on behalf of the Butchers, the financial institution’s customer care, a district manager and investigator became involved.


The Butchers then determined to take matters into their own hands and contacted the FBI.  An agent soon called the Butchers and, along with the Butchers, began what was a fruitless series of phone calls with multiple entities within the financial institution.  Each person that the Butchers and the FBI agent spoke to could not find their claim number, their claim, or SWIFT recall number, and stated that they were the wrong entity to speak with and that the proper entity to speak with could not be reached. After this, the agent allegedly informed the Butchers that if he had obtained either the (1) SWIFT recall number, or (2) confirmation regarding the transmission of funds out of the beneficiary account, he could have exercised jurisdiction and initiated a “Financial Fraud Kill Chain.”


Eventually, the Butchers received notification from their agent that they would not be closing and that the sellers were not willing to extend the contract any further, causing them to lose out on what was going to be their final home.


The Butchers allege that wire fraud was well-known in the real estate and financial industries long before they became victims and easily preventable. 


In their petition, the Butchers claim negligence, breach of fiduciary duty, negligent misrepresentation, breach of the duty of good faith and fair dealing, violation of the Colorado Consumer Protection Act, fraud based on nondisclosure or concealment, bailment, vicarious liability under the Doctrine of Apparent Authority, against their real estate agent amongst other claims against other parties.


The Butchers have requested that the Court award the following relief:


  • Economic damages, including but not limited to consequential and special damages;
  • Non-economic damages, including but not limited to inconvenience, emotional distress, frustration, and inconvenience;
  • Attorney fees as allowed by law or contract;
  • Pre and Post-judgement interest; and
  • Other and further equitable relief as the Court deems just and proper.


To date, no resolution has been reached and the case is ongoing.


The allegations the Butchers make in their petition are a cautionary tale for all those involved in real estate transactions because the series of events leading up to the wire fraud are commonly engaged in by real estate industry professionals.  This case highlights that wire fraud can happen to anyone at any time and that being vigilant against the threat of wire fraud is the best defense.








Precautionary Procedures to Take to Avoid Wire Fraud[2]


  • Be Mindful of Links and Attachments. Cyber criminals use attachments and links to gain access to emails and other login credentials, along with your other personal information. Beware of phishing emails embedded with links and attachments from unknown addresses.
  • Review Emails and Verify Instructions. If wire instructions are received via email, mail or phone, you should always verify you are speaking with the right party by meeting in person or utilizing a call back procedure using a phone number from a third-party (independent) source. This call back practice will ensure you are confirming the proper information with the correct individual. If wiring instructions are ever changed, you should presume the change to be fraudulent (better to act with caution than without). Review the modified instructions in detail for any inconsistencies and always follow a call back procedure for independent verification purposes.


  • Keep a record of websites that hold your financial information. Before providing financial information to others, confirm that the websites in which you input and retrieve your financial information are secure. Look for URLs that start with HTTPS; the “S” stands for secure.


  • Update your computer. Always keep your operating system, browser and security software up-to-date. Make sure that your email is protected. Change your password regularly and do not use “simple” passwords.


  • Communicate with Your Team and Clients. Precautions serve no purpose if the necessary people aren't informed. Communicate to your employees, clients, and business partners about this industry threat. The reason for any such protocols is to safeguard client funds.





Red Flags Specific to Wire Fraud[3]


  • Using unsecure email to change Wiring Instructions – always confirm by calling a verified and known phone number and presume the email is fraudulent. 


  • Persistent emails - multiple emails being sent minutes apart – trying to create a sense of urgency for last minute changes regarding a real estate closing.


  • Refusing to discuss by phone - criminals sending fraudulent emails will refuse to discuss last minute changes by phone (they make an excuse that they are in meetings and unable to call).


  • Poor grammar and incorrect spelling may help identify a fraudulent email. 


  • Repeated requests to keep the transaction confidential - whenever wire transfer instructions specify to keep the transaction “secret”, you should verify the legitimacy of the source of the request. Speak to the executive or manager requesting the transaction be secret by phone or in person. If you still have doubts, ask to speak to another, more senior executive. 


  • Suspicious looking e-mail addresses or domains – double and triple-check email addresses.  Instead of (or in addition to) hacking an account, a common trick is to masquerade as a party to the transaction by modifying an email address slightly so that the recipient doesn’t notice that the message is from a fraudulent domain.  For example, a hacker may replace a “w” with a double “v” or replace an “L” with a “l” or “1”.


  • Suspicious patterns - fake REALTOR® calls to request information and then exploiting emails with revised Wiring Instructions for transmitting seller’s proceeds or other funds to a bogus bank account. For brokers, review your sent emails to cross-reference replies that you did not send. 


  • The New Deal out of Nowhere – be leery of out-of-the-blue, email-only contact with a new contract and associated check for earnest money.


  • Slow down - speed is the fraudster’s ally and your enemy. Fraudsters gain an advantage by pressuring people to take action quickly without independent confirmation of all the facts. Be on high alert for possible fraud anytime wire transfer instructions include tight deadlines or last-minute changes revolving around a pending real estate transaction.
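
The look-alike address red flag above (and the display-name-only email in the Butcher case) can be checked mechanically. The following is an added example, not part of the original page or its sources: it pulls the real sender domain out of a From: header and compares it with the domains of the verified parties. The trusted domains, sample headers and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains of the verified parties to one transaction.
TRUSTED_DOMAINS = {"bayoutitle.example", "lakeviewrealty.example"}

# Look-alike swaps: "vv" for "w" and "1" for "l" come from the text above;
# "rn" for "m" and "0" for "o" are added here as assumptions.
SWAPS = (("vv", "w"), ("rn", "m"), ("1", "l"), ("0", "o"))


def skeleton(domain):
    """Collapse visually confusable characters to one canonical spelling."""
    s = domain.replace("I", "l").lower()  # capital I renders like lowercase l
    for fake, real in SWAPS:
        s = s.replace(fake, real)
    return s


def within_one_edit(a, b):
    """True if a and b differ by at most one inserted, dropped or changed character."""
    if len(a) > len(b):
        a, b = b, a
    if len(b) - len(a) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if len(a) == len(b):
                i += 1  # substitution: advance both strings
            j += 1      # insertion: advance only the longer string
        else:
            i += 1
            j += 1
    return edits + (len(b) - j) <= 1


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, sender_domain, imitated_domain) for a From: header value."""
    # The display name is chosen by the sender and is ignored; only the address counts.
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ("unknown", "", None)
    raw_domain = address.rpartition("@")[2]
    domain = raw_domain.lower()
    if domain in trusted:
        return ("trusted", domain, None)
    skel = skeleton(raw_domain)
    for good in sorted(trusted):
        if within_one_edit(skel, skeleton(good)):
            return ("lookalike", domain, good)
    return ("unknown", domain, None)


# Constructed From: headers; the display name is identical in each.
SAMPLES = [
    '"Closing Desk" <closing@bayoutitle.example>',
    '"Closing Desk" <closing@bayoutit1e.example>',
    '"Closing Desk" <closing@bayoutitIe.example>',
    '"Closing Desk" <agent@lakevievvrealty.example>',
    '"Closing Desk" <closing@freemail.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        verdict, domain, imitated = classify_sender(header)
        note = f" (imitates {imitated})" if imitated else ""
        print(f"{verdict:9} {domain}{note}")
```

A "lookalike" or "unknown" verdict is a cue to stop and use the call back procedure; a "trusted" verdict does not replace it, because a genuine account can itself be hacked.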



[1] Harney, Kenneth, 2017, October 31, “FBI: Hackers scam homebuyers out of millions – and it’s getting worse”, The Chicago Tribune, retrieved from http://www.chicagotribune.com/classified/realestate/ct-re-1105-kenneth-harney-20171030-story.html.


[2] (October 22nd,2017) www.titlecorockies.com/pdf/Wire%20Fraud%20Prevention%20Feb%202017.pdf .

[3] (October 22nd,2017) www.titlecorockies.com/pdf/Wire%20Fraud%20Prevention%20Feb%202017.pdf .

REALTORS® may want to consider having their clients sign a document advising them of the potential of wire fraud to ensure that all parties to the real estate transaction are aware of the possibility of this occurring to them. Louisiana REALTORS® was provided with forms currently utilized by REALTORS® in Louisiana and other states and developed a form you may want to consider implementing in your practice. The form is general in nature and can be modified to fit your office’s practices and needs.

 


 

REALTORS® also may want to consider adding notices about wire fraud to their email signature lines. The National Association of REALTORS provides the language below as an example.  This notice or a similar notice should not serve as a substitute for educating your clients and other participants in your real estate transactions about email wire fraud.

 

IMPORTANT NOTICE:  Never trust wiring instructions sent via email.  Cybercriminals are hacking email accounts and sending emails with fake wiring instructions.  These emails are convincing and sophisticated.  Always independently confirm wiring instructions in person or via a telephone call to a trusted and verified phone number.  Never wire money without double checking that the wiring instructions are correct.[1]

 

[1] https://www.nar.realtor/law-and-ethics/wire-fraud-email-notice-template

The Federal Bureau of Investigation states that the likelihood of recovering funds stolen via wire fraud decreases significantly when the report is received 72 hours after the wire fraud takes place.

The 72-hour window is crucial because that is the time in which the FBI can undertake a “Financial Fraud Kill Chain” to attempt to recover funds lost to wire fraud. This requires that the wire transfer amount be $50,000 or more, that the bank transfer be sent internationally, that the bank issue a recall notice, and that the FBI be informed of the details within 72 hours.

Therefore, it is critical that you report the crime to the FBI immediately after suspecting that you are a victim. While not guaranteed, there are mechanisms available to possibly recover funds in limited circumstances.

You should also report suspected and definite wire fraud to local law enforcement, your broker, financial institution, title company, and any other parties to the transaction in which the wire fraud took place.

  • Still an evolving product, but offerings are improving. 
  • Currently not included with state E&O. Review insurance coverage before purchasing anything additional.
  • Be aware of what is NOT covered by cyber policies.
  • Ask about social engineering endorsements and crime coverage.
  • Ask about preventative consultation, post-breach triage services.
  • Review policies regularly.

 

Louisiana REALTORS is in the process of researching available insurance products in order to offer its members coverage against cyber threats. STAY TUNED!