Real estate scams and hacks: The move from land-grabbers to cyber space

You’d be shocked what businesses hackers are targeting lately. Not just individuals, or retailers. With strategies that can re-direct wire transfers and hold computer systems in the gut, hackers can easily target any industry, especially for those lagging behind in cybersecurity. Same goes for real estate. Consequently, we find that real estate businesses run on porous systems and can quickly become the target for potential attacks.

The methods of attack vary from:

Business email compromise:

A business email compromise (BEC) is an attack that misleadingly persuades businesses to transfer funds to criminal accounts on the back end by impersonation, posing as business counterparties, such as vendors or real estate sellers. How this works is that the criminals direct an email from a hoaxed account that appears to be from someone within the business, such as the MD or a trusted party, a lawyer, or a trusted party.

It’s all too easy for real estate companies to be targets of BEC, as emails that may appear to be from an agent or a contractor that just completed construction work could actually be criminals trying to trick a real estate business into sending a transfer of funds to the wrong account. The losses can be quite significant.

Ransomware (physical systems):

Ransomware can mark physical devices that are functional by internet, not just personal computers and servers. We are in an age where there’s a huge increase in devices that are internet enabled and powered. This by default comes with the added-on risk that hackers can usurp these systems to their advantage.


Ransomware (operational systems):

Ransomware, a form of malware that encodes data on computers and makes the data inaccessible until a ransom is paid, is becoming increasingly common become and a lucrative method for hackers to attack businesses. Going by statistics, Ransomware remain a favourite choice for cyber criminals. Like most businesses, real estate businesses depend on electronic information and systems to run day-to-day operations. An employee clicking on one malicious email can freeze up the information for the entire company.


Other malware:

There are other types of malware that carry significant risks to real estate businesses by hackers targeting banking identifications or personally identifiable information. Banking Trojans are used by fraudsters to capture a victim’s banking credentials to wipe the bank account clean. Other types of malware can be used to steal personally identifiable information, like employee, clients or land buyers sensitive data that can be used for identity theft purposes. Real estate targets with employee data, client data and significant assets in bank accounts remain possible targets for these attacks.


Cloud storage vendors:

Real estate businesses are joining in in the trend of increasingly trusting cloud computing applications, but those vendors that store information are also vulnerable to cybersecurity mishaps. If a fraudster targets trusted cloud providers and vendors that store other parties’ sensitive information, the trickle-down effect will definitely impact all businesses using said vendor.

Some make the case of an outsourcing scenario by using cloud providers, but still, in case of a hack, the real estate business is in a jam. Why? Clauses in cloud computing agreements often provide minimal protection to customers in the event of a cyber-attack, so customers are often left to deal with most of the liability.


What defences can reduce cyber risk?


Now more than ever before, real estate companies need to intently focus on implementing protections to reduce the chance of becoming a victim of an attack and to improve their real time responses in the case of its occurrence.


Set up a wire policy:

Structure a policy of never sending a wire based solely on an email to avoid falling victim to a BEC scam. A verification of the authenticity of the information in an email should always be carried out by talking to the individual in person, or calling the person on a known phone number, and never by replying to the email or calling a phone number from an email in question. This process is known as two-factor validation.


Training—Inspite of the popular resounding warnings, A huge spectrum of hackers rely continuously on phishing, using deceptive emails to attract and trick people to click on links or open attachments that install malware on the computer, to perpetuate their attacks. Training can be an effective tool for lowering the risk of becoming the victim of an attack. When organizations train their employees, they become less susceptible to becoming a victim of hacking or ransomware. Since individuals within a business are often one of the biggest vulnerabilities for a business, a culture of awareness of cybersecurity issues with employees can be a powerful tool to avoid becoming a victim.


Negotiating information security provisions with counterparties to real estate agreements—A strong possibility is that emails containing new transfer instructions from fraudulent folks originate from valid email addresses, not spoofed email addresses. What has occurred here is that a hacker has gained entry to the email account of a party and is sending other businesses emails from legitimate email accounts. Hence, an unsuspecting person can send a transfer to a criminal bank account based upon wire instructions from a seemingly valid but hacked email address. Now in this situation, who bears the brunt? The company with the hacked email or the company that wired funds to the wrong account?


This is where counterparty provisions in the contract requiring a counterparty to maintain uttermost security comes to play, as a protection to companies wiring funds. As such, if the counterparty is ever hacked, there is a potential cause of action under breach of contract for any indemnities arising from that hack, which could include sending funds to the wrong account based on instructions from a hacker-controlled email account of the counterparty.


System Backup—Systems running without backup suffer the heaviest backlash from ransomware attack. Without adequate backups, an organization may become more tempted to pay a ransom because the data is substantially irreplaceable and more valuable. Having backups of data and the ability to quickly restore the data in real-time makes it easier to overlook the ransom threats, and respond in a way that favours the company.


Provision of supplementary cloud computing agreements—Real estate businesses need to make the effort to negotiate additional protections that are often not included in standard terms and conditions, going by the sensitivity of the information they handle pertaining to real estate projects.


By focusing on adding information security standards and notification requirements in the event of a data breach affecting the cloud provider, as well as extra indemnification for such events and limits of liability that provide meaningful remedies in the event of an attack, a business can obtain better protection in the event a cloud provider is hacked.


The 21st century carries a vast array of new opportunities for the real estate industry to leverage technology to improve experiences for clients while modernizing business operations, but they will also open new opportunities for hackers looking to disrupt those same businesses. It’s very critical that real estate companies take a scrutinized look at their cybersecurity status and cyber-attack readiness and gear up before an attack happens.


Leave a Comment

Call Now Button