In recent months, real estate professionals have reported an upswing in a particularly insidious wire scam. A hacker will break into a licensee’s e-mail account to obtain information about upcoming real estate transactions. After monitoring the account to determine the likely timing of a close, the hacker will send an e-mail to the buyer, posing either as the title company representative or as the licensee. The fraudulent e-mail will contain new wiring instructions or routing information, and will request that the buyer send transaction-related funds accordingly. Unfortunately, some buyers have fallen for this scheme, and have lost money.
A possible red flag to be aware of, and to alert clients to, is any reference to a “SWIFT wire” transaction, a term that indicates an overseas destination for the funds. However, unlike many other e-mail-based “phishing” schemes, this particular manifestation appears to be more sophisticated and less recognizable as fraud. The communications do not contain the typical grammatical or stylistic oddities that are often present in scam e-mails. In addition, because the perpetrator has been monitoring the licensee’s e-mail account, the fraudulent communication may include detailed and accurate information pertaining to the real estate transaction, including existing wire and banking information, file numbers, and key dates, names, and addresses. Finally, the e-mails may come from what appears to be a legitimate e-mail address, either because the thief has successfully created a sham account containing a legitimate business’s name, or because he or she is sending the e-mail from a truly legitimate—albeit hacked––account.
Be aware, also, that this particular scheme is only one of many forms of online fraud being perpetrated against real estate licensees and their clients. In protecting all parties to a real estate transaction from cybercrime, real estate professionals should consider the following guidance:
The best line of defense against fraudsters is to make sure that all parties involved in a real estate transaction implement security measures before a cyberattack occurs. These measures include the following:
- Never send wire transfer information via e-mail. For that matter, never send any sensitive information via e-mail, including banking information, routing numbers, PINS, or any other financial information.
- Inform clients from day one about your email and communication practices, and alert them to the possibility of fraudulent activity. Explain that you will never send, or request that they send, sensitive information via email.
- Prior to wiring any funds, the wirer should contact the intended recipient via a verified telephone number and confirm that the wiring information is accurate. Do not rely on telephone numbers or website addresses provided within an unverified e-mail, as fraudsters often provide their own contact information and set up convincing fake websites in furtherance of their schemes.
- If a situation arises in which you have no choice but to send information about a transaction via email, make sure to use encrypted e-mail.
- Security experts often recommend “going with your gut.” Tell clients that if an e-mail or a telephone call ever seems suspicious or “off,” that they should refrain from taking any action until the communication has been independently verified as legitimate. When it comes to safety and cybersecurity, always err on the side of being overly cautious.
- If you receive a suspicious e-mail, do not open it. If you have already opened it, do not click on any links contained in the e-mail. Do not open any attachments. Do not call any numbers listed in the e-mail. Do not reply to the e-mail.
- Clean out your e-mail account on a regular basis. Your e-mails may establish patterns in your business practice over time that hackers can use against you. In addition, a longstanding backlog of e-mails may contain sensitive information from months or years past. You can always save important e-mails in a secure location on your internal system or hard drive.
- Change your usernames and passwords on a regular basis, and make sure your employees and licensees do the same.
- Never use usernames or passwords that are easy to guess. Never, ever use the password “password.”
- Make sure to implement the most up-to-date firewall and anti-virus technologies in your business.
2. Damage Control.
If you believe your e-mail or any other account has been hacked, you should take the following steps:
- Immediately change all usernames and passwords associated with any account that you believe may have been compromised or otherwise made vulnerable by the attack.
- Contact any clients or other parties who may have been exposed during the attack so that they take appropriate action. Remind them not to comply with any requests from an unverified source.
- Report any fraudulent activity to the Federal Bureau of Investigations via their Internet Crime Complaint Center. More information can be found here: http://www.fbi.gov/scams-safety/e-scams
- Brokers should report any fraudulent activity to their state or local REALTOR® association so that the associations can send out alerts or take other appropriate action, including contacting NAR.
This advice is not all-inclusive, and real estate practitioners should work with Information Technology and cybersecurity professionals to ensure that their e-mail accounts, online systems, and business practices are as secure and up-to-date as possible.