Ryan Heidorn is a managing partner and co-founder at Steel Root, a cybersecurity company headquartered outside Boston. Ryan teaches cybersecurity at Endicott College and is an outspoken advocate for digital privacy. He holds a master’s degree in information technology and prior to founding Steel Root worked as a systems engineer in data security and ransomware response.
Fighting Wire Fraud and Improving IT
Learn how one of Boston’s top luxury real estate firms took steps to protect its business, agents, and clients against scams and onsite technology downtime.
September 28, 2018
The vast majority of real estate professionals don’t know the detailed ins and outs of IT and cybersecurity or the jargon that goes along with it. However, more real estate companies and individual agents are finding themselves in the crosshairs of hackers trying to swindle clients’ money. So cybersecurity can no longer be an afterthought.
According to a November 2017 article in The Washington Post, the FBI reported that “nearly $1 billion was ‘diverted or attempted to be diverted’ from real estate purchase transactions and wired to ‘criminally controlled’ accounts in 2017,” an explosive increase from $19 million in 2016.
In a more recent report from the FBI, there was a 136 percent increase in worldwide losses between December 2016 and May 2018 from sophisticated scams targeting both businesses and individuals performing wire transfer payments. Scams targeting the real estate sector, specifically, rose 1,100 percent from 2015 to 2017, with an estimated loss of more than $1.6 billion between June 2016 and May 2018 in the U.S. alone.
As scams involving hackers gaining access to an agent’s email and sending clients fraudulent wire instructions become more pervasive, Gibson Sotheby’s International Realty has decided to take action.
“We had been well aware of the prevalence of wire fraud in our industry, and it was becoming a growing concern of ours,” says Gibson Sotheby’s CEO Colleen Barry. “We knew that the number of breaches, both publicized and unpublicized, was growing at a frightening rate.”
Gibson Sotheby’s decided to work with my company, Steel Root, a business technology firm based in Salem, Mass., to produce simple, effective solutions and secure business information. We devised and implemented a multipart program to reduce vulnerabilities and protect the data and money of Gibson Sotheby’s clients.
The brokerage’s case is one brokers and agents can learn from when considering IT and cybersecurity needs. Here are five examples that may help when you’re looking for IT assistance.
Here are some business and technology tips to help you safeguard your real estate firm from wire fraud and other nasty invasions:
1. Culture is key. Train employees and agents on how to evaluate suspicious emails.
2. Communicate your wire policy to buyers early and often. The policy should state that wire transfers will never be initiated through email and that you should verify any transaction by phone or in person.
3. A would-be attacker only needs to compromise one party in a real estate transaction (agent, attorney, lender, buyer or seller). Make sure the partners you work with are also following security best practices.
1. Require two-factor authentication for every email account.
2. Consider using an email security product to filter out or flag spoofed emails.
3. Ditch free or traditional antivirus software. Install premium security software to better protect against modern malware.
1. Locking Out Wire Fraud
Many dramatic cases involving huge losses have been widely reported in the news, including a Washington, D.C., couple who lost $1.57 million when settlement funds were hijacked, and an Illinois couple who lost their life savings by following fraudulent closing instructions emailed to their account.
First, we helped Gibson Sotheby’s recognize the underlying causes and vulnerabilities that can open the door to wire fraud, including when a security system relies exclusively on a password. Central to our program was implementing two-factor authentication, which requires both password protection (the real estate firm had already been doing that) and a second code that is sent to the agent’s cell phone to authorize a check-in or the use of an unfamiliar device.
“Hackers are creative enough to send something that appears to be legitimate, such as something that looks like an Office 365-produced file. They tell you that you’ve been logged out, ask you to re-sign in, and then capture your username and password,” Barry says. “The person who has fallen for this scam has no idea that someone is using their password, and their email is now being accessed by another device.”
Criminals today can manipulate agents and force them to rush and make errors. This psychology interrupts agents and stops them from being as discerning with their communications. This is how real estate professionals become unsuspecting victims. The IT firm you choose should have a firm grasp on wire fraud threat and ways to avoid becoming a victim.
“In the end, our agents understood that even though we were asking them to take some additional steps, the potential inconvenience was a worthwhile tradeoff for the peace of mind of preventing wire fraud,” Barry says.
2. Tired of Tech Talk
One important point for Barry was implementing security measures in clear, understandable ways that don’t require language dwelling on technical details and architecture. They had become frustrated in the past when IT professionals would use overly complicated jargon in troubleshooting or providing technical solutions.
For example, their marketing team was having trouble accessing a server that was physically located in the room where they worked. However, another IT company suggested increasing the bandwidth of the internet connection. “They had us throwing money at problems rather than preventing them in the first place,” Barry says.
Greg Clarke, Gibson Sotheby’s director of marketing, came to us with their problematic marketing department server. We found that they had been using a server much too large and complex for their needs. It was also too expensive and unwieldy for their infrastructure to handle.
Not all IT solutions are about adding bigger and better technology. Sometimes, it’s about finding the right size and scale for your business. Gibson Sotheby’s servers were also breaking down on a regular basis, and the company’s staff felt like their needs were being overlooked. There was frequent downtime, which meant marketing materials like property photos and collateral for specific listings couldn’t be quickly accessed when needed.
3. IT Agents of Change
IT shouldn’t be solely reactive. In fact, it should be about proactively avoiding problems. We ran a report for Gibson Sotheby’s that analyzed the company’s technology usage and pinpointed ways to improve efficiency, reduce downtime, improve security, and reduce costs.
Avoid IT companies that try to sell you all the bells and whistles you don’t need. Instead, find a technology firm that strives to understand your company’s specific needs and what your agents will actually use.
4. Accounting for the Best Results
Ideally, you want an IT vendor that thinks like a partner and positively affects your company’s bottom line. That means having the least amount of downtime possible. It may also make financial sense to bundle specific services such as phone, voice over IP, and internet access. Negotiate contracts to make sure you’re not paying for more than what you need, and ensure that you’re getting the right service.
5. Responding to Real (Estate) Needs
“What you need from any vendor, but particularly an IT vendor, is responsiveness,” says Robyn Grandolfi, chief accounting officer at Gibson Sotheby’s. Look for IT support that can provide fast answers and solve problems any time of day. Strong communication skills in a nontechnical language is a must, as is understanding the mechanics of your particular business.