Personal information about buyers, sellers and tenants—which is included in rental applications, credit reports, leases and rental agreements—is the lifeblood of cyber schemes. This information includes names, Social Security numbers, birth dates, addresses and driver’s license numbers. Some commercial real estate companies are also vulnerable to attack because they maintain large amounts of cash on their balance sheets to acquire and finance real estate properties.
“It is critical that real estate companies implement cybersecurity tools and employee training, continually update antivirus software and properly monitor their systems to remain resilient, vigilant and secure,” said Al Brooks, Head of Commercial Real Estate for Commercial Banking.
A major concern about cyberattacks on real estate firms is the fact that criminals can access an entire network’s data for thousands of clients from around the country and the globe. “Hackers can use many different entry points to access a company’s system, gather information and then use it to steal data and money,” said Mike Kelly, Business Information Security Officer for Commercial Banking.
In one type of scheme, criminals target real estate companies through phishing attacks. Hackers obtain sign-in credentials by tricking employees into typing their credentials into a fake transaction management website and then immediately forwarding them to the real website where their credentials work. However, the hacker now has their login information and can access the system to review transactions.
If the employee uses the same password for email, the criminals can direct emails to bypass the employee’s inbox and go directly to them. At that point, criminals can send spoof emails to request wire transfers to bank accounts they control.
Criminals are expanding their targets using business email compromise, a scheme where criminals create a fake look-alike email domain. For example, criminals may use email@example.com to target the legitimate email domain firstname.lastname@example.org.
By sending phishing emails pretending to be from company executives or vendors, criminals can fool employees who don’t notice the change in the email address or authenticate the transaction request before making the wire transfer. Additionally, cyber criminals can modify how their name initially appears in emails. If an email seems suspicious, hover over the sender’s name to display the actual address.
Cyber criminals can modify how their name initially appears in emails. If an email seems suspicious, hover over the sender’s name to display the real address from which the email was sent.
Many real estate companies are unprepared for a cyberattack and do not have internal controls and procedures in place to help stop or prevent one.
However, with stronger controls and security measures, they can mitigate the risk to themselves, their employees and their clients by implementing these practices:
Each company or organization must determine how to best protect itself against cyberfraud activities and select the cybersecurity best practices most appropriate to its needs.
“There’s a lot that can be done to prevent or detect cyberattacks to eliminate or minimize the damage caused,” Brooks said. “It’s important that companies are proactive and prepared in order to protect themselves and their clients.”