The headline’s become all too familiar: “Cyber thief hacks real estate broker’s email, steals retired couple’s nest egg,” or something similar. The past few years have seen a dramatic increase in such incidents, with the FBI reporting ten “hacked real estate broker email” investigations in Tampa in just the past two months.
I’ve handled two such cases recently for real estate buyers tricked into wiring six-figure amounts to hackers’ out-of-state bank accounts. In one case, we were lucky to recover nearly all of the funds for our clients, an about-to-retire couple. The other case remains pending, but we’re hoping for a complete recovery.
Not every cyber-victim is so fortunate. And those who aren’t will be looking for someone to pay for their loss.
The good news is that, with reasonable care and a bit of common sense, cyber fraud can be prevented. But if the theft occurs because you failed to take precautions to protect your email account, it may be time to call your insurer, or your lawyer. Or both.
It usually starts when a cyber thief hacks into the email account of someone involved in a real estate transaction who has failed to take proper precautions to protect the account. It can be anyone involved – real estate broker, closing agent, attorney, mortgage broker, etc.
Unprotected email accounts are a snap for knowledgeable hackers to break into. A $40 device that’s surprisingly easy to find online lets them access any unprotected computers or smart phones on the same wifi network. It could be the guy at the next table at Starbucks, or sitting across from you at the Southwest Air gate. And if you’re unprotected (more on that in a minute) he can see everything you do online, including reading your user names and passwords.
Once he breaks into a real estate broker’s email account, for example, the hacker watches and waits. Then, when an email mentions an upcoming closing, he pounces. He creates a new domain name similar to the closing agent’s, then emails the buyer fake “wire instructions” hoping to fool the buyer into thinking they’re from the closing agent. And it often works. The buyer, expecting just such an email, wires the closing funds to the thief’s account (which is usually overseas somewhere), and the money is lost forever.
This is a foreseeable crime, which can be prevented with a few straightforward precautions. Let it happen on your watch, and you may be liable to the buyers for their loss. Fiduciary duty plus failure to take reasonable precautions just may equal liability.
Here’s how you can prevent it:
- Don’t use free public email services to conduct business. It seems like everybody has an email account with one of the free services like Gmail, Hotmail or Yahoo mail. But these services can be easy to hack into. So don’t use them. Move your email to one of the many private, secure email hosting services out there that are reasonably priced and have strong malware, virus and phishing filters.
- Do not transact business over public wifi unless your device is set up with a virtual private network which encrypts all transmissions, preventing thieves on the network from reading your passwords and invading your email, bank and credit card accounts. There are a number of reasonably priced, yet extremely effective, VPN apps available online for your computer or smart phone, such as Freedome.
- Never, ever wire funds based just on an email. Always call the sender and confirm the email’s authenticity. Read back the routing and account numbers to them and get their verbal confirmation. Follow it up with an email. And make sure your staff does the same.
- Carefully scrutinize email addresses, giving particular attention to domain names. In both of my recent cyber-theft cases, the hackers fooled the buyers by creating email addresses whose domain names were nearly identical to the closing agents’. One spelled the closing agent’s company name with one “t” missing. The other used the correct spelling, but with a different extension (“.usa” instead of “.com”) A buyer expecting an email from, for example, firstname.lastname@example.org may not identify email@example.com as a fake.
And remember, the weakest link will be the one the hacker attacks. So no matter how secure your email is, if someone else involved in the deal is unprotected, a hacker can still be watching and waiting, and the deal is at risk.
We will discuss some other real estate scams, and steps to take to prevent them, in future posts. For now, remember the truism about “an ounce of prevention.” It really is true.