Gregory Stein | Aug 30, 2017 nreionline.com
The days of hackers targeting only retailers are long gone. With attacks that can misdirect wire transfers and hold computer systems hostage, hackers can successfully target any industry, particularly those that are behind the curve for cybersecurity. That applies to real estate. According to a recent report prepared by KPMG, 50 percent of surveyed businesses in the real estate industry believed that they were not adequately prepared to prevent or mitigate a cyber attack.
Unlike for banks and hospitals, there is no federal law requiring real estate businesses to implement information security programs to protect information and systems. That has led to real estate businesses having vulnerable systems and being the focus of potential attacks. Criminals are using a wide variety of attacks that threaten real estate businesses.
Business email compromise
A business email compromise (BEC) is an attack that deceptively convinces businesses to wire funds to criminal back accounts by pretending to be business counterparties, such as vendors or real estate sellers. Often, the criminals will send an email from a spoofed account that appears to be from someone within the business, such as the CEO or a trusted party, like an attorney or escrow agent. The FBI has concluded there have been over $3 billion of losses attributable to BEC.
While any business is susceptible to the BEC attack, the FBI has specifically explained that the BEC scam “targets all participants in real estate transactions.” Emails that may appear to be from an escrow agent or a contractor that just completed construction work could actually be criminals trying to trick a real estate business into sending a wire to the wrong account. The losses can be substantial, as the publicly-traded company Ubiquiti disclosed $46.7 million of fraudulent wire transfers made based on a BEC scam. With the frequency of wire transfers in the real estate industry, BEC scams will remain a significant threat to the businesses engaged in real estate deals of any kind.
Ransomware (physical systems)
Ransomware can target physical devices that are internet-enabled, not just personal computers and servers. A luxury Austrian hotel was the victim of a ransomware attack, locking out the hotel guests because the infection affected the electronic locks on the doors. The number of devices that are internet-enabled is increasing with the popularity of the Internet-of-Things. But the convenience of thermostats, door locks and lighting connected to the internet comes with an increase risk that hackers can take control of those systems or make the systems unworkable.
Ransomware may get most of the headlines today, but there are still significant risks of being infected by other types of malware by hackers targeting banking credentials or personally identifiable information. Banking Trojans are used by criminals to capture a victim’s banking credentials to wipe the bank account clean. Other types of malware can be used to steal personally identifiable information, like employee or tenant sensitive data that can be used for identity theft purposes. Real estate targets with employee data, tenant data and significant holdings in bank accounts remain potential targets for these attacks.
Cloud computing vendors
Real estate businesses are following the trend of increasingly relying on cloud computing applications, but those vendors that store information also represent a cybersecurity vulnerability. A criminal does not need to hack a business to get that business’s sensitive data these days: it can target trusted vendors like cloud providers that store other parties’ sensitive information. Even though it may seem that by using a cloud provider, a business is outsourcing the risk, if a cloud provider gets hacked, the real estate business many be stuck holding most of the liability. Provisions in cloud computing agreements often provide minimal protection to customers in the event of a cyber attack, so customers are often left to eat most of the liability.
Implementing safeguards to reduce cyber risk
Now that real estate businesses are in the crosshairs of cybercriminals, they should be focusing on implementing protections to reduce the chance of becoming a victim of an attack and to improve their ability to respond in any such incident.
The 21st century will create new opportunities for the real estate industry to leverage technology to improve experiences for tenants and to streamline business operations, but they will also open new opportunities for hackers looking to disrupt those same businesses. Real estate businesses have become, and will remain, a cyber target. Improving cybersecurity controls and programs should be a priority for every organization because a successful attack can lead to lost revenue from hotels and tenants, six- and seven-figure wire transfers to criminal bank accounts and compromised sensitive information about employees. Taking appropriate steps can help reduce that risk, enabling real estate businesses to focus more on the business of buying, selling and managing real estate.
Gregory Stein serves as vice chair of the data privacy and information security group at the law firm Ulmer & Berne LLP. He earned the Certified Information Privacy Professional (CIPP/US) designation from the International Association of Privacy Professionals.