While cyber security is a major concern for a wide range of industries and a large swath of society in general, the real estate sector plays host to several specific circumstances that make it an attractive target for cybercriminals. Routinely large transactions, sometimes freely exchanged personal information, parties to transactions that are often new to one another, and many other unique risk factors significantly broaden the attack surface for fraudsters determined to focus on this field. We've compiled this list of real estate cyber security best practices that you can put into place to help protect both your customers and your business.
Commercial Real Estate
Commercial real estate businesses have unique cybersecurity concerns that warrant a breakdown. Whether your enterprise focuses on commercial spaces or residential units, you likely rely on some level of automation or other software to manage your portfolio by collecting rent, paying or managing vendor services, or many other tasks. While this streamlines your process and helps your staff remain available for more labor-intensive duties, it also leaves you open to attack if certain vulnerabilities are not addressed. Therefore, you must follow real estate cyber security best practices to protect your organization from cyber threats.
Spend Time Training Employees on Phishing
Among the most common social engineering attacks, phishing targets your staff, tricking them into revealing information that allows criminals to access your systems, directly transfer money, or perform numerous other tasks. Enabling your employees to recognize the major hallmarks of a phishing attempt is the best way to protect your sensitive information.
Red flags like poor spelling and grammar in emails, look-alike domains where similar characters are swapped out, and attempts to get the recipient to click on links within the email are all very common in phishing attacks. Avoid clicking on links in any email unless you were expecting to be sent that specific link, and read the email sender's domain carefully. Keep in mind that it is always possible to spoof links and domains, so what is displayed is not always accurate.
Another dangerous tactic that is more difficult to detect is business email compromise. If a vendor, customer, or client falls victim to a cyber attack, the criminals may control that party's email account directly. Make it a policy to verify any email requesting payment or other transaction changes by phone, and never use the contact information provided in that email. Always look up phone numbers from a different source to make sure that you don't end up reaching back out to the attackers.
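The look-alike domain check described above can be partly automated. The following is an added example, not part of the original article: the domain names, the confusable-character table and the function names are all constructed for illustration, and the table is deliberately small rather than complete.

```python
import unicodedata

# Constructed allow-list: domains this office already does business with.
KNOWN_DOMAINS = {"exampletitle.com", "examplebank.com"}

# Hand-picked confusable characters (assumption: illustrative, not complete).
# \u0430, \u0435, \u043e are Cyrillic letters that render like Latin a, e, o.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o"}
MULTI_CHAR = (("rn", "m"), ("vv", "w"))


def skeleton(domain):
    """Collapse look-alike characters so visually similar names compare equal."""
    d = unicodedata.normalize("NFKC", domain.lower())
    for seq, repl in MULTI_CHAR:
        d = d.replace(seq, repl)
    return "".join(CONFUSABLES.get(ch, ch) for ch in d)


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, known=KNOWN_DOMAINS):
    """Return (verdict, matched_domain) for the domain part of a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known:
        # A known domain can still be a compromised mailbox: verify by phone.
        return ("known", domain)
    for good in sorted(known):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ("closing@exampletitle.com", "closing@exampletit1e.com",
                   "wires@exarnplebank.com", "info@unrelated-vendor.org"):
        print(sender, classify_sender(sender))
```

A "known" verdict only means the domain is spelled correctly; it does not rule out business email compromise, so payment changes still need phone verification.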
Solidify Your Access Control Procedures
There are many ways to restrict access to your sensitive data, and you should carefully consider who truly needs access to it to accomplish their daily work. Implementing firewalls, enabling multi-factor authentication, and ensuring that business-owned devices are up to date with their operating systems, antivirus software, and all applications are integral to a successful cyber security stance for a real estate business.
You should also make a point to avoid using personal and work email accounts interchangeably when conducting business. At the same time, strengthening your password policies can add a strong layer of security even with limited resources for other cybersecurity initiatives. Requiring longer passwords or passphrases that integrate upper and lower case letters, special characters, and numbers, and mandating a different password for each application, can substantially enhance your risk management and cyber security posture.
Cyber Security for Real Estate Agents
Real estate organizations are only some of the potential targets of cybercriminals. Realtors themselves can be attractive targets due to the number of hats they wear during a real estate transaction and the amount of information they have access to. As such, we've put together some additional agent-specific real estate cybersecurity best practices.
Separate Personal and Work Accounts
We mentioned above that you should not mix personal and work email. There are more steps that you can take to separate your work-related activities and increase your security appropriately.
Regarding social media, it can be tempting for real estate agents to tap into existing personal accounts, especially if they have a significant reach or many followers. Unfortunately, the quantity of personal information that you display or have previously shared on your personal social media pages can make it easier for an attacker to guess your account recovery security questions or even your password directly. As a best practice, you should create a stand-alone business social media account, and you should refrain from sharing that page's posts with your personal account as it can result in the compromise of the same information.
Don't Use Public WiFi Networks
It's almost a matter of routine to hop on the free WiFi at a coffee shop, public library, or even in a shopping mall to get some quick business done while you're on the go. The problem is that this leaves you open to man-in-the-middle attacks, and you can compromise otherwise secure systems and accounts by accessing them through an unsecured WiFi network. Many people believe that using a VPN will mask their data enough to protect them when on a public network, but that's not the case. A VPN is a valuable tool, and you should be using one anyway. Still, cybercriminals have even been known to set up completely fake open WiFi networks to steal sensitive information by masquerading as a legitimate business network.
If you plan on working away from home, either use your mobile device over its own data network with a VPN or purchase a mobile hotspot to connect laptops and other devices without their own data line through your cellular provider. It's always best not to rely on others' network security, as it's likely that you'll be disappointed. By only accessing secure networks and applications through networks that you or your company control, you ensure that you have the final say on the cyber security measures in place.
Implement Standard Wire Transfer Protocols
One of the most common attack vectors in real estate transactions is the fraudulent wire transfer request. Customers, financial institutions, lawyers, title agencies, and others can all fall victim to this scam. That is why real estate organizations should follow real estate cyber security best practices by being proactive in establishing ground rules for the transactions they will be parties to.
The National Association of Realtors has developed a template that can serve as a guideline for establishing these SOPs, along with recommendations from your legal counsel. Still, the most important distinction is that no changes to scheduled wire transfers will occur without strict adherence to the policy. It is much easier to confirm wire transfer changes through direct contacts like voice or video calls than it is to attempt to recover funds that have been lost and likely sent overseas by the time the fraud has been discovered.
At Venture Lynk Risk Management, we specialize in cyber security for many high-risk industries. We have the industry experts to help protect your enterprise from those who may be targeting real estate businesses. From vendor risk assessments to ongoing cyber security monitoring, we offer a vast tool kit of resources and services that we can provide to harden your security posture. Contact us to see what we can do for your unique set of circumstances today.