Cybersecurity and Fraud Protection
Managing Cyber Risk in Commercial Real Estate
Commercial real estate investors and companies, as well as brokers and agents, are prime targets for cyber criminals looking for treasure troves of valuable information. Learn how to help protect your business.
Personal information about buyers, sellers and tenants—which is included in rental applications, credit reports, leases and rental agreements—is the lifeblood of cyber schemes. This information includes names, Social Security numbers, birth dates, addresses and driver’s license numbers. Some commercial real estate companies are also vulnerable to attack because they maintain large amounts of cash on their balance sheets to acquire and finance real estate properties.
“It is critical that real estate companies implement cybersecurity tools and employee training, continually update antivirus software and properly monitor their systems to remain resilient, vigilant and secure,” said Al Brooks, Head of Commercial Real Estate for Commercial Banking.
A major concern about cyberattacks on real estate firms is the fact that criminals can access an entire network’s data for thousands of clients from around the country and the globe. “Hackers can use many different entry points to access a company’s system, gather information and then use it to steal data and money,” said Mike Kelly, Business Information Security Officer for Commercial Banking.
Increasing Sophistication and Complexity
In one type of scheme, criminals target real estate companies through phishing attacks. Hackers obtain sign-in credentials by tricking employees into typing them into a fake transaction management website, which then immediately forwards the employees to the real website, where their credentials work. By then, however, the hacker has their login information and can access the system to review transactions.
If the employee uses the same password for email, the criminals can redirect emails so that they bypass the employee’s inbox and go directly to the criminals. At that point, criminals can send spoofed emails requesting wire transfers to bank accounts they control.
Criminals are expanding their targets using business email compromise, a scheme where criminals create a fake look-alike email domain. For example, criminals may use email@example.com to target the legitimate email domain firstname.lastname@example.org.
By sending phishing emails that pretend to be from company executives or vendors, criminals can fool employees who don’t notice the change in the email address or don’t authenticate the transaction request before making the wire transfer. Additionally, cyber criminals can modify how their name initially appears in emails. If an email seems suspicious, hover over the sender’s name to display the actual address.
What Can Be Done?
Many real estate companies are unprepared for a cyberattack and do not have internal controls and procedures in place to help stop or prevent one.
However, with stronger controls and security measures, they can mitigate the risk to themselves, their employees and their clients by implementing these practices:
- Conduct cybersecurity training for all employees, especially for those who have authorized access to payment controls.
- Install and maintain up-to-date security and firewall protection on all company computers and laptops.
- Test employees using different cyberfraud scenarios and find out if they’re able to detect suspected phishing emails or other cyberattacks. This will help determine if additional training, new systems and protocols need to be established.
- Ensure employees create strong passwords using special characters, symbols and upper and lowercase letters. These passwords should be different for email and transaction systems and should not be linked.
- Avoid using public Wi-Fi connections for personal or professional business, especially on a laptop that stores or has access to sensitive information.
- Train employees to be the first line of defense to protect companies from cyberattacks. If something feels wrong, employees should be empowered to escalate to a manager and take precautions to verify that the request is legitimate.
Each company or organization must determine how to best protect itself against cyberfraud activities and select the cybersecurity best practices most appropriate to its needs.
“There’s a lot that can be done to prevent or detect cyberattacks to eliminate or minimize the damage caused,” Brooks said. “It’s important that companies are proactive and prepared in order to protect themselves and their clients.”