A Note From The Legal Helpdesk: Cyber Security
November 7, 2017
The Legal Helpdesk brings you tips and notes from the NAR Legal Seminar at the Annual Convention in Chicago. On November 2, 2017, attorneys listened to a presentation on cyber security, specifically the impact of cyber fraud on REALTORS®, best practices on preventing cyber fraud from happening to you, and what to do when cyber fraud occurs.
1. Common Attacks
The presentation provided some scary, yet all too real, examples of cyber attacks. The cyber world is continually adapting and developing new technologies. Correspondingly, cyber criminals are continually adjusting and finding new methods of stealing money. Most cyber attacks come from emails - a couple examples below:
i. Fishing emails from a similar email address. For example, a hacker may send your client an email from firstname.lastname@example.org instead of email@example.com (r and n together look like an m), in which the hacker requests money to be wired and provides specific instructions.
ii. Emails from a hacked account. If your email is hacked, clients can receive emails directly from your email account requesting money to be wired to the criminals account.
- Awareness and Training
Real estate transactions are prime targets for cyber criminals. Providing training to your agents and employees is imperative in order to decrease the risk from cyber fraud in your office. While statistics show that individuals open suspicious emails despite training, awareness does lessen the risk. Each office needs specific policies on cyber security – not only what employees or agents should avoid, but also what to do when fraud occurs. Due to the ever-changing world of technology, these policies should be reviewed periodically for updates. Employees and/or agents need training on your policies, and consider setting a schedule for ongoing training and education.
3. Safe Practice Tips
a. Educate your clients on the risk of cyber fraud and how any money transfers will be handled.
b. If you are going out of town and have a closing pending, let your client and the real estate licensee on the other side of the transaction know.
c. Establish contact information with the other real estate licensees involved.
d. Before making a wire transfer, verify with a phone call to the other party(ies) involved using the contact information provided independently.
e. Pay attention to and consider having your IT department analyze the cyber security of your firm’s third-party software.
f. Do not put personal information like social security numbers in your emails.
g. Set your email settings to see the entire email address. Hackers sometime disguise the email address to show up as a name but settings can be changed to show the entire email address. For example, you may receive an email with “REALTOR® Joe” as the address; however, the actual email address is firstname.lastname@example.org. Of course, this only helps if email addresses are reviewed prior to opening emails and attachments.
- Report Chain
Experts say that the window of recovery, if it exists, is short, with a maximum recovery time of 72 hours depending on the specific circumstances. If you suspect cyber fraud has been attempted or has occurred, communicate with the parties to the transaction and, if your office is implicated, inform your IT department. When cyber fraud occurs, contact the financial institution out of which the funds were transferred and U.S. federal law enforcement (information for your local FBI field office can be found at fbi.gov). Once you have notified law enforcement, file a complaint at ic3.gov. An IC3 Complaint is the method by which the federal government documents cyber fraud events.
NOTE: The actual presentation from November 2nd is unavailable. Due to the nature of the presentation, attendees were not given access to slides and were even asked to refrain from taking pictures of the speakers as well as the slides. So, the information above is based on notes from the presentation – inaccuracies are possible, although unlikely.
“Disclaimer: This article provides general information only and does not constitute legal advice. No attorney-client relationship is created by reading, viewing, opening, or other action related to this article. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Specific circumstances may change the applicable law or advice a competent individual would provide. In addition, this information is not meant to supplant or in any way replace Errors and Omissions Insurance or other insurance coverage. Mistakes may occasionally be made. Once notified, we will work diligently to correct the issue in a timely manner and mark any updated or changed articles accordingly.”