Before you hit “share,” “forward,” or “reply to all,” look a little closer at that email you are about to send. There’s a chance that somewhere lurking below the surface, there could be a threat to your cybersecurity.
When the National Association of Realtors announced it may have been a victim of a possible “phishing” scam earlier this month, it became clear just how attractive we are as real estate professionals to cybercriminals.
Most real estate professionals spend a great deal of time online. We’re comfortable with the internet. We like existing and emerging technology. We’re busy and we have a lot of emails to open and answer. We are also involved in a lot of financial transactions, which makes us a prime target for phishing scams.
What is Phishing & How It Can Hurt Investors
“Phishing” is the practice of sending emails that appear to be from a reputable person or company in order to try to get information about the email recipient. Real estate investors often get “phished” from both sides.
Cybercriminals know that if they can get an investor’s credit card number or password from a phishing email they will likely be able to steal a valuable identity, and they also know that investors’ networks are full of other individuals who also represent value.
For example, just last year, the National Association of Realtors and the FTC teamed up to warn customers that scammers had begun sending emails to buyers about to close on properties. Those emails contained wiring instructions for the closing and – you guessed it – the closing funds were not wired to the seller. Instead they went into a bank account belonging to the scammers, where it was promptly removed and gone forever.
How did the scammers know whom to email? They hacked the real estate professional’s email account and stole the contact list.
Just this April, the entire NAR was victim of a phishing scam. Association members received an email titled “NAR: Urgent Update.” To read the “update,” they had to enter their password.
The email came from what appeared to be a trusted source, so many people entered their password. Even if the email recipient did not have a “NAR password,” they probably tried some other password or event attempted to set a new password. This would lead to the scammers now knowing one or more of those individuals’ commonly used passwords.
You might be thinking to yourself right now: “I’d never fall for something like that!” You might not, but in all likelihood you know someone who would – and who could compromise your online security in the process.
According to Pew research, half of U.S. adults cannot identify examples of phishing, which means that even if you know the signs, your employees and clients may not. If you have employees, then you must train them to identify potential phishing threats in order to avoid a security breach.
If you work on your own, make sure that you take these important steps yourself:
Warning Signs of Phishing
- Do not follow links in emails from unknown senders. Look at the actual “from” address, not the name in the “from” line. If it’s not a known address, then don’t click the link and definitely don’t fill in any information about yourself, your passwords, or your company.
- Do not give out information to IT companies or company vendors, even if you know them, if you receive an unsolicited phone call request.
- Look for the “S.” A truly secure website will not begin with “HTTP,” but rather “HTTPS” followed by the colon, backslashes, WWW, and the actual web address. Do not enter payments or other sensitive information into a website, even a trusted one, if it does not have that “S.”
- Check your email settings regularly. Hackers may break into your email and change nothing except the forwarding address so that everything you get, they get at another email account as well. That way they don’t need your password anymore and you don’t get any login alerts about unusual access to your email account.
Still think it can’t happen to you?
So did Sue Dietz, the 2016 president of the East Central Iowa Association of Realtors. More than a year ago, scammers used information about her that they found online to create fake email addresses that appeared to belong to her.
They used those email accounts to offer other agents referrals and offered access to a Google drive document, via a link in the email, that the email said contained information about the listings. When recipients of the email, trusting “Sue” and eager to see the listings, clicked the link, their computers were attacked by malware designed to scrape passwords and other personal information.
More than 4,000 real estate professionals have received the email, and Dietz’s real email box is often full of correspondence related to it. Even worse, some recipients think that Dietz herself is phishing or trying to steal their passwords, and she’s put a warning about the emails on her personal and business voicemail messages and on her website bio.
If you’re a real estate investor, then you’re a prime phishing target. Be sure to protect yourself and your clients by staying alert and keeping your technology and your cyber-protection up to date.
Most people won’t realize what an important service you’re providing, but you can be sure if you have a breach… they’ll notice. They could blame you if they become a victim, and that would be very bad for business.