4 cybersecurity best practices for commercial real estate

Most modern commercial real estate businesses use technology to help collect rent, pay vendors and manage their portfolios. While automation provides benefits, it also brings the risk of cybercrime. Protecting your business starts with educating and training your workforce—they’ll likely be the first to experience a phishing attempt or other attack.

It’s important to instill a culture of good real estate cybersecurity hygiene from the top down. Here are a few key ways you can help strengthen the cyber readiness of your staff and business:

1. Ensure employees can recognize phishing

Criminals can trick even the most experienced employees with phishing tactics, typically via email. These attempts can be quite convincing and may even come from a trusted account that’s been compromised. Train your employees to:

• Be on the lookout for red flags. Poor grammar and spelling, urgent language, hyperlinks or attachments, fake logos, and missing or vague contact information.
• Spot look-alike email domains. These are email addresses that are spoofed by a cybercriminal to resemble trusted accounts—like using “rn” to look like an “m”.
• Always call back to a verified phone number when they receive payment instructions through email. Business email compromise (BEC) is a multibillion dollar problem. In this scheme, cybercriminals might use a hacked email of one of your building service vendors to request money. The message will look authentic in every way, so the only solution is to have comprehensive callback procedures—including never using a phone number provided in an email.
• Be cautious of clicking on links or opening attachments sent in emails. It may be wise to conduct quarterly phishing tests by sending a fake email to employees and assessing whether they report the attempt or fall for the deception. These may be messages about job offers, packages waiting for pickup or invitations to meetings.

2. Be aware of ransomware risks

A ransomware attack occurs when hackers use malware to invade your network and compromise your data, demanding a ransom payment in exchange for information they stole. Many companies think it could never happen to them either because of their industry—like real estate—or business size. But cybercriminals do not discriminate, regularly targeting small companies in hopes they have weak protections or low awareness. It’s up to business leaders to ensure the rest of the workforce is aware of how ransomware unfolds and knows the property fraud prevention steps to take.

• Consider conducting tabletop exercises and attack simulations that drill employees on incident response.
• Keep IT employees up to date on the latest types of ransomware, as schemes change and cybercriminals target new vulnerabilities.
• Have an incident response plan for escalation in case of an attack.

3. Improve access control

Hackers can gain access to your accounts by attacking weak points and exploiting lax cybersecurity. It’s important your business do everything to protect vulnerabilities and restrict access. This includes a mix of utilizing email-provider security features and implementing internal policy safeguards. Require that employees:

• Never use business and personal email interchangeably.
• Enable multifactor authentication when working remotely.
• Use an email encryption tool when transmitting sensitive information.
• Adhere to mobile phone cybersecurity best practices—such as regular operating system updates and data backups.
• Review personal and professional apps and the data collected and shared; disable phones and apps from tracking location when not in use.
• Install anti-virus and anti-malware software on personal devices used to access work materials.

4. Don’t overshare on social media

Personal information on employees’ social media accounts can be used for social engineering attacks. For example, fraudsters can guess certain authentication questions for online accounts by gleaning personal details from social updates. Caution employees to:

• Limit the amount of information published on social media, such as the names of children, pets or schools attended.
• Report any suspicious activity or spam, which can come in the form of a post, message, email or friend request.
• Describe job responsibilities generally, never referring to specific projects.

_{© 2022 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/cb-disclaimer for disclosures and disclaimers related to this content.}