Tips on Protecting Your CRE Firm From a Cyberthreat

Real estate appeals to cyberattackers because transactions entail a lot of personal information, according to Troy Hawes and Kelvin Teltz of Moss Adams.

While real estate firms aren’t often in the headlines for cyberattacks, they’re equally at risk for data breaches, ransomware and other online security threats. In fact, industry observers report that real estate firms account for a significant amount of cyber-attacks.

These risks increased in the past year. There was an uptick in significant technology-vendor and off-the-shelf software breaches—including breaches of major global IT companies—and increased threats based on remote work due to the COVID-19 pandemic.

However, taking the time to study prominent cyberthreats and adopt effective cyberattack prevention strategies can make the difference between important data getting stolen, and successfully preventing an attack.

Below, gain insight into four of the most common threats your firm should be aware of as well as cyberthreat prevention strategies to bolster your internal controls against an attack.

Why do hackers target real estate firms? 

The real estate industry appeals to cyberattackers because transactions contain significant amounts of personal information, such as Social Security numbers, financial data and more. Vendors are an appealing target as well since they process this information.  

First American Financial Corp. is a good example. Between 2003 and 2019, more than 885 million records were stolen from the real estate title insurance company’s website due to an insecure web application.

Middle-market and smaller companies may think they’re less of a target for cyberthreats, but they’re also at risk. Attackers are increasingly going after smaller firms due to their lack of sophisticated security controls.  

4 most common cyberthreats 

Before exploring prevention strategies for cyberthreats, it’s important to understand what they are and how they play out for a typical real estate firm, or any business. The four most common cyberthreats are:

  • Ransomware
  • Email phishing
  • Businesses email compromises
  • Insider threats

Ransomware: In ransomware, an attacker implants malware onto a victim’s system via a phishing or an infected website. This locks or encrypts a victim’s data until a payment is made.

Ransomware has become one the biggest threats organizations face. A company will fall victim to an attack every 11 seconds in 2021, according to statistics from Cyber Security Ventures.

There’s a lot of debate circling the central question of a ransomware attack—if you get hit, should you pay? 

According to Coveware’s Q4 2020 report, the average ransom payment was $154,108 with email phishing being the top attack vector for compromise. The report also identified smaller-sized companies being victimized the most, with a median size of 234 employees. The victims experienced an average of 21 days of downtime and business interruptions due to an attack.

The FBI doesn’t support paying a ransom. However, an organization has to weigh the costs and benefits of how much money they lose each day they’re locked out of their systems. They also have to decide whether they’ll become the target of additional attacks if cybercriminals learn they’re willing to pay.

It isn’t just the ransom payment that can be costly. In a recent study by Kaspersky, 17 percent of respondents that paid stated they didn’t get all of their data back. The study also noted that 71 percent of the organizations that chose not to pay weren’t able to recover all of their data.

Regardless of whether or not a company pays the ransom, the amount of time and money it takes to recover from these attacks can greatly hinder operations and growth prospects.

Email Phishing: One of the main delivery methods of ransomware is email phishing. This social engineering technique uses email to deceive end users into providing sensitive information, such as:

  • Passwords
  • Social Security numbers
  • Payment card information

A phishing email will typically use a Microsoft Word or Excel, or PDF attachment to carry the ransomware program; once opened, it infects the target’s computer. Ransomware variants, such as WannaCry and Petya, can infect multiple systems at once and disable operations for days or weeks.

Business email compromise: Business email compromise is a specific corollary of phishing. This heightened level of deception involves impersonation. The attacker uses artificial intelligence to create behavioral profiles of key executives and mimic their email behavior.

An employee will receive an email that asks for sensitive information, like a request to switch account numbers or move funds from one bank to another. However, the attacker will make the email look as though it’s directly from a C-level executive, which is why these attacks have also become known as CEO fraud.

In September 2019, the FBI posted a public service announcement noting a significant increase in the number of scams. These were reported in all 50 states and 177 countries. Fraudulent transfers were sent to at least 140 countries, netting the scammers $26 billion between 2016 and 2019.

Then came 2020 and the COVID-19 pandemic, which has resulted in a 300 percent increase in the number of scams being reported daily, according to the FBI. These increased attacks will require organizations adopt a more thorough risk management strategy.

Insider Threats: Most cybersecurity breaches come from inside the company. In these cases, an employee with network access could acquire sensitive customer data and attempt to profit from its sale to cybercriminals.

The 2020 Cost of Insider Threats Global Report study from Ponemon Institute reveals the number of annual insider threats has increased 47 percent, from 3,200 in 2018 to 4,716 in 2020. The cost of these incidents has surged 31 percent, from $8.8 million in 2018 to $11.5 million in 2020.

While careless or negligent employees make up 62 percent of incidents, costing businesses an average of $307,111 per breach, insider threats bear a higher price tag of $871,686. The cost per incident is also influenced by company size and industry.

In March 2020, an employee who was terminated from a medical device packaging company accessed a package shipping system and deleted the records, causing the delay of personal protective equipment to health-care providers during the pandemic. The individual had created a fake user account while previously employed with the company and used it to gain access to the system and edit and delete records.

That said, insider breaches sometimes aren’t intentional, so it’s important for professionals to have adequate training to prevent actions that lead to these kinds of attacks.

Vishing and emerging threats

Kelvin Tetz

Hackers are always developing new ways to access and steal company data.

In July 2020, another type of attack called “vishing,” or voice phishing, took place against Twitter. The cybercriminals gathered information on key employees working from home and called them, impersonating Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials.

Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of a number of high-profile accounts and used them to conduct a Bitcoin scam.

This type of attack reinforces the need to apply the same level of cybersecurity protection to all employees, whether they’re working on your premises or in their own homes.

Cybersecurity threat prevention strategies

The main reason cyberattacks are so prevalent and successful is because end users lack education about cyberawareness, making them the weakest link in any security program. An action as simple as clicking on an unknown website or email attachment could provide a crucial attack point.

So how do individuals and organizations protect themselves? The answer is: part training and part technology.

Cybersecurity Awareness Training: Awareness training is a necessary first step in any cybersecurity program, yet many organizations don’t take it. This is often because it requires time and resources to establish and commit to a training program. Backing from an organization’s governing body, management, human resources department and IT may also be needed—which can sometimes overwhelm organizations.

That said, organizations should consider providing security awareness training for every new hire and instituting an annual refresher course for all employees. It’s imperative that they also employ other methods, such as monthly email reminders or awareness posters, to frequently remind end users about safe computing habits.

Technology procedures and improvements: Adequate technology is another key starting point for an organization’s security.

Organizations must work to verify their IT systems are current and include rigorous protections to deter and detect attacks, such as:

  • Network infrastructure design and perimeter protections
  • Antimalware and data leakage strategy
  • Security information and event management logging
  • Incident response procedures
  • Backup and restoration processes

Once these systems are in place, organizations can benefit from annual testing by an independent and qualified third party to help verify they’re implemented properly.

Also, in light of COVID-19 and its impacts, it’s increasingly important to implement controls to protect data accessed by remote personnel.

It takes time and commitment to provide the training and technology to protect an organization, but, when done properly, it can greatly reduce the risk of a cybersecurity breach.


Troy Hawes, senior director of cybersecurity at Moss Adams, has over 25 years of IT experience and serves clients in a variety of industries. He manages and leads cybersecurity and compliance assessments to determine areas of risk and develop practical corrective action plans. He can be reached at (206)302-6529 or [email protected].

Kelvin Tetz, partner at Moss Adams, leads the real estate practice and has practiced public accounting since 1998. He provides audit and advisory services to real estate and hospitality clients, including single and multifamily residential land developers; core, opportunity, value-added real estate equity funds; public nontraded REITs; and property management companies for all property types. He can be reached at (415)677-8351 or [email protected].

You May Also Like