Cyberfraud In Real Estate: Old News; New Rules


Asa Fox, Trust Accountant and Compliance Manager

Buying a home is a very big deal and it’s something I never thought I’d do – even after years of being in the Real Estate industry. Once I found my dream home, I was happy to know I’d be safe from fraud, because of my work in Title & Escrow Compliance.  You can bet when it came time to wire in my funds, I quadruple checked those wiring instructions before the money was sent. Imagine my dismay when moments later I received an unencrypted email from my loan officer containing my loan application.  This single document was full of nonpublic personal information and was sent to my Gmail account – completely unprotected. Knowing that the lender had encrypted email at their fingertips, I was shocked that this sensitive information would have been transmitted so openly.

After a few minutes of freaking out and wondering if my data was already being sold on the dark web, I decided to use it as a teaching moment. Even with all the education available to industry professionals, there is still not enough knowledge about cybercrime. And if we’re not fully aware of the risks, surely the consumer is less informed. My hope is that by the time you read to the end of this, you will have an action plan with steps you can take today to protect yourself and your customers against fraud.

This is not your grandpa’s fraud (did he even have to deal with this?).  The industry has changed over the past few years and with it, so have the criminals. I’m sure you’ve heard plenty about email phishing scams attempting to redirect buyer or seller funds, but spotting a fake is not as easy as it used to be. Fraudsters are a lot smarter and have caught on to the workflows we’ve created to protect ourselves. Cybercriminals have educated themselves enough to know our industry lingo. They use apps like Grammarly to help write emails without errors, which leaves us unaware that we are being duped. They also work together, not as individuals, sometimes convincing unsuspecting victims to assist them with their schemes. And once you’ve been identified as a successful target, the cybercriminals spread the word so you can continue to be targeted by other scammers.

So how do they do it? Fraudsters use a particular type of phishing scam called spear-phishing: a focused attack that targets specific people or organizations and appears to come from a trusted source. Cybercriminals will monitor real estate listing sites to wait for properties to flip from “listed” to “pending” and that’s when they strike. They scour websites like LinkedIn and Facebook where we may have public profiles with our names and email addresses. Using the data collected, they send a convincing email with a link that will take you to an incredibly well-spoofed landing page, asking you to log in to your email account. Once you give up your credentials, they move quickly to access your account and set up auto-forward rules so they can continue to monitor your emails, even if you change your password.
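Because the auto-forward rules described above survive a password change, they have to be looked for directly after any suspected compromise. As an added example (not part of the original article), this Python sketch audits an exported list of mailbox rules and flags any that forward outside the domains you trust. The export format, field names, and addresses are constructed assumptions, not a mail provider's real schema.

```python
import json

# Constructed sample export; field names are assumptions for this example.
SAMPLE_RULES = json.loads("""
[
  {"name": "Newsletters", "forward_to": null, "delete": false, "mark_read": false},
  {"name": "Team copy", "forward_to": "assistant@example-title.test",
   "delete": false, "mark_read": false},
  {"name": ".", "forward_to": "closing.docs@mailbox-example.test",
   "delete": true, "mark_read": true},
  {"name": "Archive", "forward_to": "Backup@Example-Title.test ",
   "delete": false, "mark_read": true}
]
""")

def domain_of(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = (address or "").strip().lower().rpartition("@")
    return domain if sep and local and domain else None

def audit_rules(rules, trusted_domains):
    """Return (rule name, severity, reason) for each rule that forwards
    mail to an address outside the trusted domains (exact domain match)."""
    trusted = {d.strip().lower() for d in trusted_domains}
    findings = []
    for rule in rules:
        target = rule.get("forward_to")
        if not target:
            continue  # rule does not forward anything
        if domain_of(target) in trusted:
            continue  # forwards inside the organization
        # A rule that also deletes or marks the original as read keeps
        # the mailbox owner from noticing the copied messages.
        hides = bool(rule.get("delete") or rule.get("mark_read"))
        reason = "forwards to " + target.strip()
        if hides:
            reason += " and hides the original message"
        findings.append((rule.get("name", ""), "high" if hides else "review", reason))
    return findings

if __name__ == "__main__":
    for name, severity, reason in audit_rules(SAMPLE_RULES, ["example-title.test"]):
        print(f"[{severity}] rule {name!r}: {reason}")
```

Any rule this flags should be deleted and the account's sessions signed out in addition to resetting the password.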

Are you scared, yet? This is happening every day across the globe. And people are still falling for it.

So how do we stop them? By being one step ahead and paying close attention to the details. And by not being afraid to talk about it – to your customers, to your co-workers, to anyone in your network. We all must do our part. Title & escrow professionals, lenders, agents: each of us needs to take a few minutes to educate every customer. In many cases this is the only time they will be involved in a real estate transaction. And since it’s likely the biggest investment of their lives, isn’t it important that they are aware of the potential risks?

We should even take it a step further: protect them by protecting yourself. If you’re using webmail to communicate with any party involved in a transaction, you can add a layer of security by turning on two-factor authentication (2FA or MFA). This can be done on most webmail accounts (Gmail, Yahoo, etc.). Enabling 2FA prevents other people from logging in to your account by adding a verification point to a known device in your possession.  You would simply receive a text message with a code to enter as a final step when logging in.   If you receive that code and didn’t attempt to log in, then you know you just stopped a fraudster from gaining access.

To turn your precautions up to 11, take conversations with buyers and sellers out of webmail and use your company’s provided email account. Most companies have firewalls and encryption in place and may even have a team of IT folks that can help if something goes wrong.

So, are you ready to fight cybercrime?  Here’s how to get started:

  • Check your webmail settings to find out how to turn on 2FA (or use a company email account for business communication).
  • Come up with a brief script about cybercrime risks that you can use when speaking with your customers – email phishing, wire fraud, etc. Keep that dialogue going with co-workers and other associates.
  • Stay off public WiFi and use your phone as a hotspot instead. Or set yourself up with a personal VPN, which offers protection through encryption; plans are fairly inexpensive.

Cybercrime is an unfortunate threat to our business – but it doesn’t have to become part of your reality. Let’s work together to keep our customers protected from a potentially devastating loss.
