The phishing emails many REALTORS® and homebuyers receive with generic messages, suspicious attachments, or other telltale signs that something is wrong are the low-tech, low-effort segment of a $1 billion problem in real estate: wire fraud.
But as awareness about wire fraud scams increases and companies take steps to secure their networks—and educate their agents and staff about the latest threats—cybercriminals are becoming more sophisticated.
The National Association of REALTORS® provides a Data Security and Privacy Toolkit you can download with information about how to protect your business.
“There’s not much of a limit on the creativity of scammers,” says Brad Schuelke, senior assistant attorney general in the technology division of the Texas Attorney General’s Office. “Any story they can come up with that might convince someone to send money through a relatively untraceable source … they’ll come up with it.”
Criminals will scour social media or other sources for information that makes their scams more convincing and likelier to deceive or manipulate, a practice known as social engineering. And as individuals and companies take steps to protect themselves, criminals go to greater lengths to steal passwords and personal information, trick people into sending them money, and break into individuals’ and companies’ computer systems.
“A lot of companies don’t recognize they need to secure their networks better,” says FBI Supervisory Special Agent Matthew Perry, who works on cybercrime.
The Federal Communications Commission (FCC) and Better Business Bureau (BBB) offer cybersecurity checklists you can complete to gauge your vulnerability. Go to “BBB 5 Steps to Better Business Cybersecurity” and “FCC Cybersecurity for Small Business.”
After gaining access to someone’s email account or computer, or breaching a business’s network, criminals may take the time to conduct surveillance on how a company operates to make an attack more effective. “They’ll snag the email signatures, how they’re talking—they’ll copy the verbiage from an email,” Perry says. With this information, the fraudulent email with new wiring instructions sounds familiar and believable when sent to a real estate agent
“We’re constantly seeing instances where people are losing money,” Perry says.
A simple phone call and you’ve defeated them.
FBI Supervisory Special Agent Matthew Perry
Report fraud early and address best practices
In an instance of attempted or successful wire fraud, it’s important to report the incident to your local FBI office and the parties involved as soon as possible. The quicker this happens, the more likely it is that the money can be stopped before it disappears. In some regions, including parts of Texas, there are mechanisms in place at the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov to immediately contact the banks involved when fraud is reported. When Perry spoke to Texas REALTOR®, he said early fraud reporting had stopped the transfer of money twice that week.
The bulk of successful attacks can be thwarted by employing “cyber hygiene” best practices, says Mike Spanbauer, vice president of research strategy at cybersecurity firm NSS Labs.
One best practice is to utilize better password hygiene. “Folks use the same password for most if not all accounts,” Spanbauer says. Criminals who steal passwords exposed in major data breaches (such as from Yahoo, Target, Home Depot, and Equifax) can then access users’ accounts for other services and websites.
Where to report wire fraud? Successful or attempted wire fraud should be reported as soon as possible to your local FBI office, banks or lenders involved, and at ic3.gov, the FBI’s Internet Crime Complaint Center. Reports through ic3.gov can be made by the victim or a third party.
Another best practice is to exercise caution when clicking links, opening email attachments, and visiting websites. Criminals can use malicious software known as malware to lock you out of your own system unless you pay a ransom. In addition to the steps individuals can take to prevent ransomware attacks, businesses can guard against and lessen the effects of these attacks by keeping good data backups, limiting who has administrative access to systems, and only using a login with admin access when you need it.
After you understand basic best practices, there are a variety of ways to secure your network. Spanbauer recommends all businesses install a firewall and endpoint technology, which protects all connections to the company network—including remote connections, such as a VPN, and wireless connections. To maintain the efficacy of these protective systems, always install updates and patches.
The next step to protect your data is to find firms that specialize in cybersecurity, such as managed security service providers (MSSPs). MSSPs handle many aspects of cybersecurity through a subscription model, saving businesses the cost and difficulty of adding specialized staff. Internet service providers like Verizon and AT&T offer managed security services, as do local and regional firms that partner with security technology companies such as SonicWall to install and administer their solutions.
Choosing a security firm can be challenging. “Ask for references and speak to other clients,” Spanbauer advises, including asking about how responsive the company has been and whether security is its main service or only ancillary to its business.
Call a known phone number
Phone numbers can be spoofed so that the incoming number that shows up on your phone is not the caller’s real number. Email accounts can be hacked, which means that an email from a client’s or colleague’s email address may actually have been sent by a criminal who gained access to that person’s account. Cyber thieves also create email accounts that appear to be ones you trust. Most people don’t look closely enough at a sender’s email address to detect that a lowercase “l” has been switched to a number “1,” for example. The best course of action when receiving any kind of communication regarding new wiring instructions or bank routing information is to call a phone number you know, Perry says. “A simple phone call and you’ve defeated them.”
“It’s really a matter of verifying, verifying, verifying,” Schuelke says. “When I’m contacting consumers and I tell them I’m with the Texas Attorney General’s Office, I suggest they look me up, call the toll free number, and get routed the long way to confirm.”
Criminals go where the money is—the path of least resistance, Spanbauer says. Perry adds a note of caution for Texas REALTORS®: “Business email compromise, for real estate, is where the money is at.”
More ways you’re a target
While wire fraud remains a top threat to the real estate industry, Texas REALTORS® and your clients may be the targets of many different types of scams—related to a real estate transaction or not.
Learn to recognize the following common scams:
The lead scam. REALTORS® are receiving text messages claiming to be from Redfin, realtor.com, or another real estate company or website claiming to have qualified leads in exchange for a small payment (such as $10). Redfin and realtor.com have stated they do not send these types of messages.
The grandparent scam. An imposter armed with some personal information claims to be a relative or friend who’s injured or in the hospital and needs money. This scam often targets seniors, asking them to wire money to a hurt grandchild.
The association email. In April, NAR warned members of a spam email with the subject line “ANNUAL REPORT TO ALL MEMBERS OF NATIONAL ASSOCIATION OF REALTOR (NAR)” from the address firstname.lastname@example.org. NAR emails will always come from realtor.org addresses.
Catfishing. This deceptive practice can take many forms but typically involves a fake profile on a social media or dating website. The individual behind a fake profile may try to gain material that eventually can be used as blackmail and to ask for money in ways that are hard to trace, such as gift cards.
Find out more about common scams at the Texas Attorney General’s Office website texasattorneygeneral.gov.