The days of hackers targeting only retailers are long gone. With attacks that can misdirect wire transfers and hold computer systems hostage, hackers can successfully target any industry, particularly those that are behind the curve for cybersecurity. That applies to real estate. According to a recent report prepared by KPMG, 50 percent of surveyed businesses in the real estate industry believed that they were not adequately prepared to prevent or mitigate a cyber attack.
Unlike for banks and hospitals, there is no federal law requiring real estate businesses to implement information security programs to protect information and systems. That has led to real estate businesses having vulnerable systems and being the focus of potential attacks. Criminals are using a wide variety of attacks that threaten real estate businesses.
Business email compromise
A business email compromise (BEC) is an attack that deceptively convinces businesses to wire funds to criminal back accounts by pretending to be business counterparties, such as vendors or real estate sellers. Often, the criminals will send an email from a spoofed account that appears to be from someone within the business, such as the CEO or a trusted party, like an attorney or escrow agent. The FBI has concluded there have been over $3 billion of losses attributable to BEC.
While any business is susceptible to the BEC attack, the FBI has specifically explained that the BEC scam “targets all participants in real estate transactions.” Emails that may appear to be from an escrow agent or a contractor that just completed construction work could actually be criminals trying to trick a real estate business into sending a wire to the wrong account. The losses can be substantial, as the publicly-traded company Ubiquiti disclosed $46.7 million of fraudulent wire transfers made based on a BEC scam. With the frequency of wire transfers in the real estate industry, BEC scams will remain a significant threat to the businesses engaged in real estate deals of any kind.
Ransomware (operational systems)
Ransomware, malware that encrypts data on computers and makes the data unavailable until a ransom is paid, has become an immensely profitable method for hackers to attack businesses. It has been impossible to miss the threat of ransomware in 2017, with the global attacks of the WannaCry and Petya ransomware. Ransomware attacks were up 50 percent in the first half of 2017 and the profitable economics of the business model mean it will likely remain a favorite choice for cyber criminals. Like most businesses, real estate businesses rely on electronic information and systems to run day-to-day operations. An employee clicking on one malicious email can lock up the information for the entire company.
Ransomware (physical systems)
Ransomware can target physical devices that are internet-enabled, not just personal computers and servers. A luxury Austrian hotel was the victim of a ransomware attack, locking out the hotel guests because the infection affected the electronic locks on the doors. The number of devices that are internet-enabled is increasing with the popularity of the Internet-of-Things. But the convenience of thermostats, door locks and lighting connected to the internet comes with an increased risk that hackers can take control of those systems or make the systems unworkable.
Ransomware may get most of the headlines today, but there are still significant risks of being infected by other types of malware by hackers targeting banking credentials or personally identifiable information. Banking Trojans are used by criminals to capture a victim’s banking credentials to wipe the bank account clean. Other types of malware can be used to steal personally identifiable information, like employee or tenant sensitive data that can be used for identity theft purposes. Real estate targets with employee data, tenant data and significant holdings in bank accounts remain potential targets for these attacks.
Cloud computing vendors
Real estate businesses are following the trend of increasingly relying on cloud computing applications, but those vendors that store information also represent a cybersecurity vulnerability. A criminal does not need to hack a business to get that business’s sensitive data these days: it can target trusted vendors like cloud providers that store other parties’ sensitive information. Even though it may seem that by using a cloud provider, a business is outsourcing the risk, if a cloud provider gets hacked, the real estate business many be stuck holding most of the liability. Provisions in cloud computing agreements often provide minimal protection to customers in the event of a cyber attack, so customers are often left to eat most of the liability.
Implementing safeguards to reduce cyber risk
Now that real estate businesses are in the crosshairs of cybercriminals, they should be focusing on implementing protections to reduce the chance of becoming a victim of an attack and to improve their ability to respond in any such incident.
- Develop a wire policy—One of the easiest and most effective ways to substantially reduce the risk of becoming the victim of a BEC scam is to implement a policy of never sending a wire based solely on an email. There should always be a way to verify the accuracy of the information in an email, such as talking to the individual who sent the email in person or by calling the person at a known phone number. Someone should never verify the wire instructions by replying to the email or calling a phone number from an email in question. This process is known as two-factor authentication. By taking the additional steps of verifying the wire instructions provided, there is a much lower chance that a wire intended to go to an escrow agent in California will land in a criminal’s bank account in China.
- Training—Most hackers continue to rely on phishing, using deceptive emails to induce people to click on links or open attachments that load malware on the computer, to execute their attacks. Training can be an effective tool for lowering the risk of becoming the victim of an attack. When organizations train their employees, they become less susceptible to becoming a victim of hacking or ransomware. Since individuals within a business are often one of the biggest vulnerabilities for a business, a culture of awareness of cybersecurity issues with employees can be a powerful tool to avoid becoming a victim.
- Negotiating information security provisions with counterparties to real estate agreements—Sometimes emails that include new wire instructions from criminals are from valid email addresses, not spoofed email addresses. That is because a hacker compromised the email account of a party and is sending other businesses emails from legitimate email accounts. This can lead to someone sending a wire tranfer to a criminal bank account based upon wire instructions from a valid (albeit hacked) email address. This scenario can lead to disputes about who is responsible for the lost funds: the company with the hacked email or the company that wired funds to the wrong account. To protect a company that will be wiring funds, it is prudent to have in contracts with counterparties provisions requiring the counterparties to maintain reasonable security controls. That way, if the counterparty is ever hacked, there is a potential cause of action under breach of contract for any damages arising from that hack, which could encompass sending funds to the wrong account based on instructions from a hacker-controlled email account of the counterparty.
- Backing up systems—The threat of ransomware is most significant for impacted businesses without adequate backups. Without adequate backups, an organization may become more tempted to pay a ransom because the data is substantially more valuable. Having backups of data and the ability to quickly restore the data makes it easier to ignore the ransom threats and to respond following an attack.
- Negotiate cloud computing agreements—Since cloud providers can store sensitive information about real estate projects and employees, businesses should attempt to negotiate additional protections that are often not included in standard terms and conditions. By focusing on adding information security standards and notification requirements in the event of a data breach affecting the cloud provider, as well as additional indemnification for such events and limits of liability that provide meaningful remedies in the event of an attack, a business can obtain better protection in the event a cloud provider is hacked.
- Cyberliability insurance—There is no such thing as perfect security, so cyberliability insurance can be an important way to mitigate risk. There is a wide disparity of what is covered by any cyberliability insurance policy, so it is important to ensure that a policy covers risks like BEC scams, ransomware threats (and payment of ransoms) and, potentially, even business interruption.
The 21st century will create new opportunities for the real estate industry to leverage technology to improve experiences for tenants and to streamline business operations, but they will also open new opportunities for hackers looking to disrupt those same businesses. Real estate businesses have become, and will remain, a cyber target. Improving cybersecurity controls and programs should be a priority for every organization because a successful attack can lead to lost revenue from hotels and tenants, six- and seven-figure wire transfers to criminal bank accounts and compromised sensitive information about employees. Taking appropriate steps can help reduce that risk, enabling real estate businesses to focus more on the business of buying, selling and managing real estate.
Gregory Stein serves as vice chair of the data privacy and information security group at the law firm Ulmer & Berne LLP. He earned the Certified Information Privacy Professional (CIPP/US) designation from the International Association of Privacy Professionals.