Real estate professions are constantly on guard against hackers, especially phishing, where a hacker sends the professional an email message which, appearing innocuous, results in the disclosure of sensitive information such as passwords or download of malware. There are also variations to watch for, including smishing where the message is via SMS text message and vishing where the message is via voice over the phone. Phishing and its variations are often the first step toward business email compromise (BEC) and real estate wire fraud (REWF) and can result in millions of dollars of loss and damage to the professional’s good name and brand. Businesses need to concern themselves with three main areas: prevention, limiting impact, and recovery.
Prevention
The first step in preventing phishing and its variants is management establishing company policy regarding phishing and training people to recognize and not engage with phishing messages. Here are some tips of what to watch out for, each of which can be used to create a phishing test:
- Beware of messages designed to instill emotion and urgency to act – messages about action you must take immediately to avoid consequences such as “fraudulent transaction” or “found a video of you” or “you’ve been hacked”. Also watch for messages that promise prizes.
- Look for typos or bad grammar – it’s a giveaway
- Hover above links to make sure it is to a familiar site. Look before you click!
- Don’t click on attachments unless you have verified the sender.
- Don’t trust the display name. Does the email match? For example, does MLS Support really have the email address mlssupport@yourmls.support-hackerdomain.com?
- Don’t give up your password via email and if you click through to a site requiring login, triple check the URL before entering.
- If you did click through to a website, look carefully at the URL and site to validate it’s authenticity.
Hackers can be very tricky. “https://YourBank.com” looks similar to “https://YourBαnk.com”. But look closely – the second URL uses different character that looks like “a” to fool you.
There are also a great many technical steps that limit the likelihood that computers and devices will be impacted, including ensuring operating systems and software is kept patched and configured to security standards, using Windows software restriction policies, configuring browsers to security standards, and seeing email servers to warn of external content. Lastly, staff should consider phishing management software that allows users to report suspicious emails via email plugin, isolate such messages, and allows technical staff to take appropriate action, such as quickly deleting identified messages from all email accounts.
Limiting the Impact
If you are located on a network with others, passwords provided via phishing or malware downloaded as a result can easily spread of the hacking impact between computers and devices. Therefore, it’s critical that technical staff set up the office -and even home offices – with appropriate protections, including a properly configured firewall and intrusion prevention system and reputational web filtering, appropriate network topology, modern XDR (augmenting antivirus protections). Email servers also need to block executable attachments and scan for malware as well. Lastly, there should be no management connections open between segments (file shares, pre-installed utilities (i.e. Terminal Services, Remote Desktop, telnet, FTP) that use workstation credentials to access other computers and multi-factor authentication (MFA) should be used to log onto systems and accounts of sensitivity.
Recovery
If computers or devices are compromised, you will need to work with computer support to ensure that malware is no longer an issue, then change passwords and restore from backups. If online backup is compromised, you may need to retore from offline backup, such as a portable hard drive that is regularly connected only while backup is running. If accounts (i.e., email, Google, iCloud, social media) are compromised you will need to work with the providers to regain control. If your phone or email is compromised, this can be difficult! If personal or financial data is breached or wire fraud is suspected, follow your business disaster recovery plan to address the damage, contact law enforcement, and follow the breach notification laws of all relevant jurisdictions.