Did you know you have a target on your back? Yes, according to the FBI, scammers are specifically targeting e-mail accounts of attorneys, real estate agents, bookkeepers and accountants. Why? Because you have such good intel in your inbox. They can access client names, transaction data and details that all lead to money, money, money. The rule of thumb says changing your bank account password frequently is not always helpful (if someone gets access to your actual account, say sayonara sweetheart to your funds today, not next month). But REALTORS face a different threat… your email accounts are more valuable when monitored… they call it ‘listening in’. The scams of today are smart. And effective. They seek big payoffs. There are too many reports of real estate agents being hacked, even locally. It’s embarrassing when a naughty link goes out under your name to your entire contact list. It’s horrible when they use that contact list to phish for information from your clients to commit wire fraud.
Broker Owners, Please Make this a Topic of Your Office Meeting!
Here’s the scoop on what happened the first week of November 2016 in the Berkshires:
While most wire fraud scams target buyer’s agents, in our two situations this week, seller’s agents were the target. In the first case, a seller’s agent’s email was hacked and their email messages were monitored for weeks leading up to a closing. Shortly after the closing concluded, a message that appeared to be from the seller’s agent (but was not) was received by the closing attorney, explaining that the seller lost their check and asking if they could put a stop payment on it and wire the seller’s proceeds instead… Whoa. In the second case, a seller’s agent’s email was hacked and right before the closing, a message that appeared to come from the real estate agent (but was not) asked the closing attorney, “Quick question… can the sellers have their proceeds wired to their personal account instead of a check?” Mike Shepard explained that in both cases the email had the exact property address, referenced the exact time of the closing, and knew all of the parties involved.
3 Steps to take TODAY to make your data stay safe from intruders
- Change your email password… today for sure, it is very important, and then after today, often. And make sure your email account is not filtering or auto-forwarding messages that you don’t know about (call Sandy if you need instructions). You should have a unique password for all accounts—Flex should be different from Gmail that’s different from Ziplogix! Make your passwords as long and unguessable as possible. It’s a pain, we know. The alternative is to use a password manager… they provide unique, encrypted log-ins. Worth every penny. (Here’s a link to a list of the top rated password managers). FYI: The Board Office just signed up with LastPass to keep our passwords secure.
- Update your software and apps, especially your firewall, anti-virus/anti-malware software and pop-up blocker (We use AdBlockPlus at the office, but there are many great ones… just make sure you’re using one!) Make sure your browser is updated (Chrome, Firefox, Internet Explorer, Safari have security features built in!) Most of these programs have automatic update features, but sometimes we hit “later” because gosh darn it, we’re busy right now. And then we forget. FYI: The Board Office uses Secunia Personal Software (free) to scan and determine what software has an update.
- Two-factor authentication: This step virtually guarantees that your email won’t be hacked. Requiring a response to a text message in addition to a password before you can access your email on a new device is an awesome step! Search “two-factor authentication” with the name of the service you’d like to use (such as Gmail) and you will find simple instructions on how to do this. More information on this.
10 Steps to take from NOW ON to keep your data safe from intruders
- Look for the “https://”; that S stands for Secure. Use that for Facebook, for email, for Flex, for searching. Anywhere possible. You leave less of a trail when signed in securely. FYI: Search “https anywhere” for a helpful extension that forces https on Firefox and Chrome wherever possible, with no action required after install!
- Forms management program. Consider using an encrypted service (like Ziplogix for free with your membership) as opposed to sending docs through public services like Dropbox or Google Docs, etc. Secure sending is a critical component to keeping your client data safe. And, for gosh sakes please do not send a copy of a deposit check that has routing and account numbers visible anywhere unless in a secure environment!
- Separate computers for work and personal. Consider having a designated work computer/laptop that you don’t share with other family members or use for a lot of unsecured surfing. It can be a huge help since we tend to be less cautious about casual web browsing than when we’re doing business! You also keep your business machine under your care at all times, while the “household laptop” can run out the door and download files without your knowledge.
- Don’t Fall for It: Don’t open any files you do not know, with 100% certainty, you should be receiving. This includes links to DocuSign, Dropbox files, Google Docs or anything attached to e-mail. Definitely never open a .zip file. If someone needs to send a super large file that needs to be compressed you CAN use these services, but it should be clear to the sender and receiver when it is sent and what it is. Over the phone or in person. Human to human. Oh, and how about being a good steward: do NOT SEND any files without communicating first. That’s helpful too, and “trains” the people you do business with to handle things with this level of care.
- Cautious with Public Computers: Be cautious when using public computers to check e-mail or financial accounts; there’s virtually no way to know if they are infected with malware accidentally, or have keystroke-logging spyware installed intentionally.
- Understand Wifi Hazards: Be cautious when using any wifi network, free or paid. The coffee shop? Airport? For email, business or banking – nope! When connected to a wifi network that doesn’t require a password, outsiders can easily observe and capture any websites you visit, any e-mail you access, and any file transfers you make (unless encrypted with https). Did you know that if you join a wifi network on your phone and your email auto sends and receives, you’ve made yourself vulnerable? Yep. Scary stuff, all that “free” bandwidth. Did you ever notice how advertisements suddenly change based on searches you’ve done online, places you’ve physically been or things you’ve clicked on or liked on Facebook? Some is from tracking online, others from marketing companies that use your wifi data to identify trends to modify ads to catch your eye. Intrusive and dangerous wifi. Make sure you are using encrypted sites only or stay away.
- Learn Some Surfing Protection: Zip up your virtual wet suit, you need some surfing protection. A little knowledge of how the internet works can help make you informed and knowledgeable about safe links and browsing online. You should know how to recognize legitimate or fraudulent sites. Some things you should know?
(1) identifying a website’s proper address
(2) understanding page tabs, new windows and new browsers
(3) how to recognize legitimate ads that are embedded into pages or when you’re infected with adware
(4) how to “read” website pages and links for validity.
(5) knowing when the site you were browsing redirects to another location.
(6) where to locate the HTTPS, the lock symbol, and other signs that your data is properly encrypted.
FYI: If you don’t know this stuff, call the board office, we’ll help!
- Free is Just a Trap: Please don’t fall for the lure of free stuff. Don’t click links that promise free prizes or gifts. Hackers know psychology – and make a ton of money playing on our greed. Be incredibly careful if you’re downloading free software, movies, smiley icons, screen savers and coupon-printing software. They are a hotbed of malware. For the price of “free” you can unleash a destructive agent in your computer.
- Don’t randomly click links in your friends’/colleagues’ emails either. Normally, if you send me a link that says nothing, I DO nothing. Well, maybe I’ll call and ask about the link before I send it to the bin. Staying safe is priceless (and so is sending a quick sentence to verify the source… like, “This article is a perfect example of our conversation at the committee meeting yesterday.” Yep, I’d click that link much quicker!)
- Password Protection for devices: In addition to all of the password protections we mentioned above, please make sure your cell phone, laptops and computer all have an access code to gain entry. Another huge help in keeping your data secure.
Oh no. What to do if you do get hacked:
- Change all your account passwords, not just the account that was hacked.
- Scan your computer and/or hire a techie stat to check your computer for malware, viruses, trojan horses, etc.
- Notify the administrators (especially if it was a bank account) and notify the FBI if it involves wire fraud or theft of funds.
- Notify the Board Office so we can be aware if patterns develop.
- Notify your contacts if your email was hit, your Facebook friends if that was hit, etc… Apologize for the inconvenience but know it happens to the best of us and swift action is the best remedy.
With the rampant wire fraud happening in the real estate business, we just wanted to remind all that you should be telling your seller and buyer clients to NEVER wire money without a voice or face-to-face confirmation with either you or their attorney. Email instructions should NEVER be followed. The FBI, working with the Mass Association of REALTORS, put out this helpful tip sheet should you encounter such a fraud.
Give the Board Office staff a call if you have questions about the issues, and we implore you to make your email account as safe as possible so your lapse in security doesn’t accidentally put your client at risk!
A great narrative of what happened to a buyer’s agent that got hacked – how it happened and what he learned to prevent it:
NAR Legal Counsel outlines the Issue