Managing Cyber Risk in Commercial Real Estate

By Dan Maier

While there’s no doubt that technology has made real estate transactions faster, more streamlined and more user friendly for today’s real estate buyers, sellers and professionals, it has also made these same audiences more vulnerable to cyber criminals who are looking to cash-in. Earlier this year, the FBI reported that nearly $1 billion had been stolen from buyers in real estate transactions in 2017 and a 480 percent increase in inbound complaints—establishing the real estate industry as one of the fastest-growing targets for cyber attacks.

While a number of the headlines have focused on residential real estate targets, commercial real estate is also a hot target. Unlike the high profile financial services, healthcare and retail industry victims that have traditionally been targeted, the real estate industry is perceived as far easier to crack. And commercial real estate transactions include high value information about companies, employees and partners where large financial transactions are the norm. As a result, cyber attacks are increasingly sophisticated and designed to take advantage of a highly distributed and mobile workforce that transacts with speed—all it takes is a single human error. Intercepting just one individual transaction can represent a huge pay day—and issues can blossom if they are able to successfully access an entire network’s data center for client and partner emails.

Criminals are after two things: Information and money

Commercial real estate transactions frequently include rich information for cyber attackers. Personal information about buyers, sellers and tenants—included in rental applications, credit reports, leases and rental agreements—contain valuable personal information, including names, birth dates, social security numbers, addresses and driver’s license numbers. If accessed, it can be used to access personal accounts and can also be sold on the dark-web to other cyber criminals.

But, commercial real estate firms are also heavy targets because they includes large sums of cash on their balance sheets to acquire or finance real estate properties. Cyber criminals employ increasingly sophisticated techniques to trick well-meaning employees into providing access to this information.

In both of the above scenarios, the most common and effective attack is found in phishing—a cyber attack strategy that can take several forms. Below are three of the most prevalent:

Financial Phishing

In the simplest form, a hacker may be after personal financial data. These kinds of attacks generally try to trick the victim into disclosing their username and password for online financial services like banks or other lending institutions. These attacks usually target the customer who is “holding the money” for a pending financial transaction—but targets can also include finance department employees who have direct responsibility with banking accounts. Attackers may also use this approach to obtain network access—where they can then obtain data on clients, partners and more to facilitate other criminal activity.

Business Email Compromise Phishing/Wire Fraud

Business Email Compromise (BEC), also known as “cyber-enabled financial fraud,” is a sophisticated scam that targets individuals involved in performing wire transfers. And while any business is vulnerable to a BEC attack, the FBI has specifically explained that the BEC scam “targets all participants in real estate transactions.” In this approach, cyber criminals send spoofed emails that may appear to be from an escrow agent or a contractor who recently completed contractor or tenant improvement work, with urgent requests for wire transfers or other critical information. In reality, these messages are actually from criminals trying to trick the real estate business into sending a wire transfer to the wrong account.

Account Takeover Phishing/Wire Fraud

A more sophisticated version of phishing involves a two-stage “account takeover” that takes advantage of the trust relationships that the agent has. The initial stage of the attack steals an agent’s email account credentials, then in the second stage uses the email account to defraud buyers, sellers, banks, and other parties in the real estate ecosystem.

Cybersecurity makes good business sense

There have been some misleading headlines that say that successful cyber attacks “are due to human error and not inadequate security.” While this is partially true, it is misleading on a number of levels. Threats come in a variety of shapes and sizes—while some are easy to spot, others are highly curated to appear entirely legitimate. For example, if an “imposter” email pretending to be your CEO is sent to someone on your accounts payable team, they will likely handle the request quickly. After all, that’s how a conscientious employee behaves. In these cases, training an employee to spot a fake email is not likely to help.

10 steps to improve cybersecurity

To combat cyber crime, a more sophisticated approach is needed—one that includes training, but does not rely upon it exclusively. Here’s a better approach:

There are two levels of cyber security to consider—security “best practices” to follow as an individual broker or agent, and business-wide security defenses and policies that you can put in place for your entire organization. 

How to protect yourself:

One of the keys to preventing cyber crime is to raise your security awareness and adopt more secure communications practices. A bit of paranoia would not be a bad thing—rather than thinking you’ll never be a target, start by assuming that hackers are already in your systems.

Change your passwords: One of the simplest approaches to upgrade your personal security is to change your passwords (and do so on a regular basis). This one action by itself can defeat Account Takeover attacks. Using a random password generator to create a strong password is helpful as well—it may not keep out a persistent criminal, but, at least it won’t be easy for him.

Be suspicious of changes or urgent requests for information: There should not be any significant changes in a transaction. The title company should not change, the wire instructions shouldn’t change, there shouldn’t be any new people introduced. If there are, the information must be verified.

Don’t email personal or financial information: Do not send banking information, your buyer’s Social Security number, or anything else that could be used to comprise someone’s identity over email. If you absolutely must send personal or sensitive information via email, only use encrypted email.

Avoid clicking on links: If you do not recognize the name or email address of the sender, do not open the email. And beware of any links, attachments or downloadable files from unknown email addresses; they can contain viruses or provide a way for a hacker to access your computer.

Beware of open and public WiFi connections: It’s almost trivial for a hacker to gain access to your phone or laptop on an insecure connection. Under no circumstance should you transmit sensitive information from a public IP address —in particular, that means don’t log in to systems like your wire transfer portal or bank account from the WiFi at Starbucks. 

How to protect your organization:

All the parties in a real estate transaction need to take responsibility for protecting customers by putting in place better security products and policies for their employees. Here are some specific steps organizations can take:

Use an email security gateway: Ninety percent of sophisticated cyber attacks target people via email, according to Gartner analysts. Stopping these attacks using an email security gateway that can filter out malicious email is a critical step in improving your security posture. And no, freebie security from browsers, email clients and online “freeware” security does not work.

Use a web security gateway: The Internet is a critical conduit for cyber criminals to capture the information they need to commit financial fraud, whether it’s a phishing attack bringing a user to a spoofed website to capture email or banking credentials, or a virus sending out stolen password information to a command and control server. A web security gateway can identify and block these sites and activities, even after your employee’s computer has been compromised.

Use endpoint security: Once a piece of malware has made it to your employee’s computer, endpoint security is your best shot at stopping it. Next-generation endpoint protection solutions that use machine learning and behavioral analysis in addition to malware signatures are your best bet here.

Check your security hygiene: Hardening your perimeter is beyond the scope of this article, but in general looking at things like identifying critical assets, enforcing regular password changes, two-factor authentication for critical systems, and segmenting the network are security hygiene activities that will significantly improve your security posture.

Train your users/security testing: If cyber criminals make it past your defenses, your employees themselves need to be aware and educated enough about threats to identify and stop them. There are a number of services offering tests with fake phishing attacks, so you can measure and reinforce their security awareness. That said, only depending on your users will NEVER be enough to avoid data breaches—even the best experts get fooled by today’s sophisticated phishing attacks.

Dan Maier is a vice president at Cyren. Powered by the world’s largest security cloud, Cyren delivers fast time to protection from cyber threats with award-winning security-as-a-service solutions.