In May 2019, the real estate industry in Baltimore was in for a shock. The industry experienced an 18 percent decline in home sales. A ransomware attack hacked the computer systems belonging to the Baltimore City Government. Since many of these computers store and process data on property deals, which involve real estate agents, buyers, sellers, and other relevant stakeholders, the real estate industry was paralyzed at the busiest time of the year. The attack was not an anomaly: it was a grim reminder of a trend that has become all too clear in the past few years. So why does cybersecurity in the real estate industry require awareness?
Why Do Cybercriminals Love the Real Estate Industry?
For cybercriminals, real estate transactions appear as the lowest-hanging fruit. Unlike the earlier days of lone hackers, today, sophisticated groups coordinate cyberattacks. It may seem puzzling to many, but these groups perform extensive research on their targets. Their research culminates in attacks on companies that are most vulnerable, who fail to modernize their cybersecurity policies and strategies in line with the latest security standards. On a broad scale, the entities in the real estate industry are not too savvy about cybersecurity, thus receiving a barrage of cyberattacks that often succeed.
Other than finding a weak IT infrastructure, there is another primary target the hackers look for, the most priceless asset in today’s digital world: data. Personally identifiable and financially sensitive data are a gold mine for cybercriminals. They can use it to engage in a wide range of crimes such as blackmailing, extortion, and identity theft.
Lenders, real estate lawyers, title companies, and escrow agencies are rich sources of such data. They store and exchange both personal and financial data, including social security numbers, name, addresses, bank accounts, and credit card numbers. As a result, cybercriminals end up with large amounts of profit with only a handful of successful attacks.
Lastly, huge fund transfers are processed every second in the real estate sector. Therefore, hackers find it tempting to invade their systems and divert the destination of these funds to their own accounts.
How Are Attacks Carried Out?
The real estate and title escrow sector must keep a tab on the usual suspects – the most prevalent types of malware that have ravaged the industry. Two of them are listed below:
Business Email Compromise (BEC)
The voluminous amounts of NPI (non-public information) in the real estate industry have lured malicious third parties to initiate BEC attacks. Business email compromise attacks (BEC) is a form of cyber crime which uses email fraud to attack commercial, Government and non-profit organizations to achieve a specific outcome which negatively impacts the targets organization. Examples of common BEC attacks include invoice scams and spear phishing spoof attacks which are designed to gather data for other criminal activities. Often consumer privacy breaches occur as a results of a BEC attack.
You can also come across BEC attacks on the web, where they are referred to as CEO frauds, spear-phishing, and whaling. The foundation of these attacks lies in the use of social engineering – a nefarious practice in which cybercriminals exploit their victims through an extensive range of deceptive tricks to steal their personal and sensitive information. In the real estate industry, they rely on social engineering as a means of masquerading as senior executives in a company and deceiving their victims into initiating a transfer of funds on an urgent basis.
Ransomware is not merely a cyberattack. It is a full-fledged dark industry that has the potential to not only sabotage the real estate industry, but also bring the entire world to its knees. Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. In a ransomware attack, a cybercriminal group gains illegal access to the private digital network of a company via an attack vector. Subsequently, the malware takes control of the operating system, disables anti-malware tools, and scrambles all the data stored in the hard disk. The victim is then asked to pay a ransom for unscrambling the data. In 2017, WannaCry – a global ransomware strain – managed to compromise private and public systems in 150 countries! Whether it was UK’s public-owned NHS or the French private automobile giant Renault – many renowned names were affected.
With the many companies running outdated systems with known security holes, it is no surprise that the industry is a frequent target of ransomware attacks. Worst of all, because ransomware is run by criminals, even if you pay the ransom there is no guarantee you’ll get your data back.
If the recent attacks on the real estate sector are plotted on a graph, it is apparent that these hackers are not going to stop anytime soon and are going to raise their game to a new level. During the cyber invasion of a company, the impact does not only break their financial back, but it also damages their reputation. Therefore, stakeholders in the real estate industry must take matters into their hands, protecting themselves before the inevitable attack comes.
For starters, awareness is necessary on the subject. Here, the industry leaders can play a crucial role. They can get everyone on board and discuss industry-wide cybersecurity policies and guidelines that can prevent the likelihood of these attacks.
On an independent level, companies must upgrade their IT infrastructure by staying up to date with the latest versions of the operating systems and application software. Similarly, they must embrace modern cybersecurity measures like two-factor authentication, encryption, etc.
Lastly, we must focus on the softest target: employees – they can be easily tricked by cybercriminals if they aren’t prepared. Organizations must hold awareness and training sessions pertaining to cybersecurity in the real estate industry so these non-tech-savvy workers can improve their digital hygiene and transform themselves into the fiercest resistance against cyberattacks. At JetClosing, we incorporate Security Awareness training in our new employee on-boarding process and the required annual curriculum refresher training for all employees.