Avoiding the Bait of Spear-Phishing Scams

The real estate industry is getting hit hard by cyberattacks and most breaches are beginning with a little game cyber experts call “spear-phishing,” except it’s no game at all. In most instances, people don’t realize they’re even playing until it’s too late.

Spear-phishing is a twist on phishing. In a phishing scam, an identity thief sends a mass email to see if they can get any “bites” from recipients to their request to obtain money or other personal, identifiable information. In a spear-phishing attack, also known as social engineering fraud or fraudulent impersonation, a criminal targets a specific individual’s email or other secure database. Once they’re “in,” they begin to amass intelligence on their enabler, which is not necessarily the end victim. The real victim is the other entity that will receive the fraudulent email, which purports to be from a trusted source, and asks the victim to wire money or provide some other valuable information.

According to the June 2015 Symantec Intelligence Report, the real estate industry is one of the top three industries targeted with spear-phishing attacks and real estate executives are the catch of the day. Transactions between buyers-sellers and owners-residents are both susceptible to spear-phishing scams. Residents are most vulnerable to these scams because they’re routinely giving money to their landlord or management company. In this instance, criminals will hack the management company’s database and send a realistic-looking e-bill to residents. This e-bill collects payment information and sends the payment to the criminal’s bank account and is never to be seen again.

Transactions between buyers and sellers involve many complicated steps and a number of parties, including the buyer, seller, buying agent, selling agent, title company, escrow agent, attorneys and insurers. Identity thieves see this as a “weakness” to exploit. Often, all a thief will do is gain access to the email account of a title company representative, watch the chain of emails related to a particular deal, and send an email from the email account to the buyer with a reason that an immediate money transfer must occur. Once the money is sent, it’s very unlikely it’ll ever be recovered.

Real estate companies that have one to 250 employees or more than 2,500 employees are the ones most likely to experience a breach. Businesses that fall into one of these two categories incur more than 75 percent of spear-phishing attacks. Experts suspect this is because smaller companies have weaker security protocols and likely haven’t invested enough time and resources into securing their electronic systems, while larger companies are attacked for their large lines of credit and bank accounts.

Insurance coverage is available for this type of fraud and is generally provided by way of an endorsement to an organization’s Crime Insurance and Cyber Insurance policies. Cyber Insurance should be considered to provide coverage for third-party claims arising from a failure with the company’s network security and the mishandling of personally identifiable information and confidential corporate information. Another reason to consider Cyber Insurance coverage is because, if there is a breach, you are held liable even if you have a third party manage an aspect of your business, such as rent collection or property management. The policy also provides coverage for first-party claims such as the costs associated with notifying victims, which can become very expensive when large numbers of personally identifiable information have been compromised.

While purchasing the insurance is advisable, the best defense to falling hook, line and sinker for spear-phishing is prevention. The following are some suggested best practices for mitigating the risk of spear-phishing:

• Develop procedures requiring two or more employees to sign off on any wire transactions.
• Prior to transmitting funds to any bank or vendor, require employees to make a telephone call to verify the transaction. Don’t use the number in the signature block, as the criminals might have tampered with it. Instead, call information or use an internal phone directory.
• Provide frequent communication to employees regarding fraudulent impersonation and what to do if an employee suspects suspicious activity or a potential attack.
• Put employees to the “test” and see if they can detect a spear-phishing email. Provide additional training to employees who don’t pass.
• Conduct third-party computer network penetration testing on a regular basis to monitor the effectiveness of the corporation’s controls, training, etc.
• Understand the cybersecurity protocols of vendors who deal with personal, identifiable information (i.e., property management or rent collection companies).

Fraudulent impersonation is projected to increase in both frequency and sophistication. However, by knowing what it is, how it is perpetrated, and how to avoid it will help your organization avoid becoming a scammer’s catch of the day.

Gregory J. Offner, Jr. is a producer in the Real Estate Division at The Graham Company, one of the mid-Atlantic region’s largest insurance and employee benefits brokers. He can be reached at goffner@grahamco.com or 215.701.5264. Follow @gregoffnerjr on Twitter.