Illinois REALTORS® and their clients are being victimized by sophisticated wire fraud schemes rooted in hacked email accounts.
Example: Hackers who have already gained access to email accounts of sellers, buyers, real estate brokers or attorneys watch messages for words or phrases that indicate imminent real estate transactions. When closings are near, they intercept real messages and send counterfeit messages to the intended targets with instructions to wire funds to fraudulent accounts. If the victims send money before the accounts are discovered to be fraudulent, the money may not be retrievable.
There are ways to try to make sure you and your clients aren’t victimized by schemes like this. IAR Legal Hotline Attorney Betsy Urbance and IAR Director of Information Technology Matt Brewer offer the following tips.
- If your office has its own information security policy, make sure you understand it and follow it. A security policy can contain rules concerning: acceptable use, email, password construction, security response and a clean desk policy discouraging employees from leaving confidential or proprietary information where anyone can see it.
- If your brokerage doesn’t supply you with encrypted email of its own, consider a free email system with built-in protections, such as Gmail, Hotmail or Yahoo.
- Don’t do business through public WiFi, but if you feel you must access email through WiFi, give it added protection by logging in to a Virtual Private Network (VPN) before logging in to your email account. A VPN creates a secure, encrypted connection between you (at a hotel) and the VPN provider (your business). It prevents someone from hacking into your messages from another room at the hotel.
- Use strong passwords (16 characters, at least one number, one uppercase letter, one lowercase letter and one special symbol) on all your accounts and change them frequently. Use www.passwordsgenerator.net.
- Promptly return clients’ phone messages, especially if they are being asked to send a wire transfer to a third party, and independently verify your clients’ phone numbers.
- Verify email requests for money or payments by calling the person who sent the request or talking to him or her in person before completing the transaction. Do this even if you know the person so that you prevent a hacker from impersonating a trusted business associate. Be skeptical of any email request for payment or money and double-check these requests by another method.
- Use two-step verification to protect your email from being hacked. Brewer says if you have two-step verification enabled, a text message is sent to your mobile phone whenever anyone attempts to open your email account from a device that hasn’t been used in the last 30 days. A code in the text message must be used to gain access to the email account. If you receive the text alert and you’re trying to access the account, you follow the instructions and go about your business. If someone else is trying to use your account, they will be unable to do so without the text message, and you will know something illegal is happening.
- Don’t trust anyone.
Managing Brokers and local association leaders – particularly individuals with information technology, financial or chief executive officer responsibilities – should be especially vigilant, says Brewer, because cyber criminals will target their email accounts for use in scams.
Urbance says to educate yourself about the methods criminals use, and implement best practices to protect confidential client information as well as company information.
For example, criminals may try to hack into email accounts to learn passwords, steal identities and later trick clients or business associates into sharing key information or inadvertently diverting payments into fraudulent accounts.
Controlling the damage
The National Association of REALTORS® suggests members consider cyber insurance through a specialist in advance of any problems. Also, NAR has recommendations in case of the theft of a money (wire) transfer. They include:
- Call banks immediately to stop transfer.
- Contact all other parties to the transaction.
- Contact police.
- Change all passwords.
- Report incident to the FBI Internet Crime Complaint Center: http://www.fbi.gov/scams-safety/e-scams.
- File report with REALTOR® associations.
- Call the Attorney General.