Anna, an administrative assistant with a real estate investment company, found herself working remotely from home, due to her company’s COVID-19 office shutdown. Supplied with a company-issued laptop and password access to her company’s IT system, Anna continued working on her everyday tasks, which ranged from reviewing paperwork and forms, to keeping track of the company’s various active and passive real estate investments.
One morning, she logged on to her company’s email network and found an email from Chris, a qualified 1031 exchange intermediary, with whom Anna’s company frequently worked. Chris’s email contained a brief message -- “See attached for information” -- and an attached document.
Anna, thinking the document pertained to a current deal in escrow, moved her mouse to click “download.” Then she paused for a moment. It wasn’t like Chris to send out documents without some kind of advance discussion. Instead, she sent Chris a separate email, asking about the document. Chris’s reply indicated he hadn’t sent any document, but he wanted to see what Anna had received.
Anna forwarded the first email she’d received to Chris and to her company’s IT department. On a conference call later in the day, Anna learned that the email was a phishing attempt. Chris’s email address had been “spoofed,” and the fake message, with a ransomware-loaded document attached, had been sent to Anna’s company. Had Anna opened the document, she could have infected the laptop she was working on, and from there, her company’s IT systems.
Anna, Chris, and their companies are fictitious. Phishing attacks are not. Hackers and scammers have relied on phishing to steal sensitive information for years, and attacks have increased as more work has shifted to remote offices. While all industries are vulnerable to phishing, the document- and information-heavy nature of the real estate sector makes it particularly appealing to attackers.
The maturation of a serious IT problem
Phishing is a scam that targets users through electronic messages, most commonly email and text messages. It succeeds through social engineering: psychological manipulation that fools victims into opening attachments or visiting malicious websites. A common technique is spoofing, in which logos, letterheads, and sender addresses are copied so that the message appears to come from a legitimate sender. Once the attachment is opened, or the link followed, malware (ransomware included) can land on the victim’s computer and the company’s network, where it may steal sensitive information, harvest passwords and financial account details, or establish a foothold for corporate espionage.
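To make the spoofing tells concrete, here is an added example (not code from the original article) of a small triage script that reads a raw email and flags the signs a mail administrator or help desk would check: a display name that contradicts the real sender address, a known contact arriving from an unexpected domain, Reply-To and Return-Path pointing somewhere else, failed SPF, DKIM or DMARC results recorded by the receiving server, and macro-enabled attachments. The two messages, the domains, the names, and the KNOWN_SENDERS table are all constructed for illustration and are not taken from the article or from any real incident.

```python
"""Triage a raw e-mail for common sender-spoofing tells.

Added example, not code from the original article. The two messages, the
domains and the KNOWN_SENDERS table are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical contact list a mail team might keep: first name -> expected domain.
KNOWN_SENDERS = {"chris": "example-exchange.com"}

# Attachment types that can run code when opened (heuristic, not exhaustive).
RISKY_EXT = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".exe", ".scr", ".lnk", ".iso", ".html"}

# Constructed spoof: "Chris" imitated from a lookalike domain (.co instead of .com).
SPOOFED = b"""Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=example-exchange.co;
 dkim=none;
 dmarc=fail header.from=example-exchange.co
Return-Path: <bounce@mailer-7.example.net>
Reply-To: chris.docs@webmail.example
From: "Chris <chris@example-exchange.com>" <chris@example-exchange.co>
To: anna@realestate.example
Subject: See attached for information
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached for information
--b1
Content-Type: application/octet-stream; name="Escrow_Docs.docm"
Content-Disposition: attachment; filename="Escrow_Docs.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed legitimate message from the real Chris, passing all three checks.
LEGITIMATE = b"""Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-exchange.com; dkim=pass header.d=example-exchange.com; dmarc=pass header.from=example-exchange.com
Return-Path: <chris@example-exchange.com>
From: Chris <chris@example-exchange.com>
To: anna@realestate.example
Subject: Closing checklist, as discussed on our call

Anna, the checklist we went over this morning is in the shared folder.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no tells were found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)

    # 1. An address written into the display name that differs from the real sender.
    #    Many mail clients, especially on phones, show only the display name.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", name):
        if shown.lower() != addr.lower():
            findings.append(f"display name shows {shown} but the real sender is {addr}")

    # 2. A known contact arriving from a domain we do not expect (lookalike domains).
    first = name.split()[0].lower() if name else ""
    expected = KNOWN_SENDERS.get(first)
    if expected and from_dom != expected:
        findings.append(f"'{first}' is expected at {expected}, message came from {from_dom}")

    # 3. Replies or bounces routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(parseaddr(str(msg.get(hdr, "")))[1])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 4. Authentication results recorded by the receiving mail server.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech} result is '{m.group(1)}', not 'pass'")

    # 5. Attachments of types that can run code when opened.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in RISKY_EXT:
            findings.append(f"attachment {filename} has a risky type ({ext})")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        hits = triage(raw)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  -", hit)
```

Run as a script, the spoofed message produces eight findings and the legitimate one produces none. The Authentication-Results header is only trustworthy when it was written by your own receiving mail server, so in production the script should check the server name after the colon against the organization’s own before believing the results; an attacker can add a fake one to the message before it is sent.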
The concept of phishing isn’t all that new. It dates back to the early 1990s, when America Online was a popular gateway to the internet. Phishing, a term coined by hackers who stole AOL accounts and passwords, used email “lures,” sending them out to “fish” for passwords and other information from the “sea” of internet users. They understood that, while most users wouldn’t accept the “bait,” enough might, which would make the entire enterprise worthwhile.
Over the years, hackers have become more sophisticated, as have their phishing techniques. Three common types are described below.
Clone Phishing. Here, the hacker copies a legitimate email the victim has already received, or the look of one, swaps its link or attachment for a malicious one, and resends it. Trusted logos, letterheads, and company names are reproduced faithfully, which lulls the victim into believing the message is genuine.
Spear Phishing. Spear phishing is similar to clone phishing, but is directed at a specific individual or company. The attacker first gathers information about the target, such as the names of colleagues, vendors, and current deals, and uses it to craft a message the target is likely to trust.
Whaling. These attacks are directed at senior executives or other high-profile targets within a company. The counterfeit email or message might contain a customer complaint, or some other issue of importance to the executive, prompting him or her to click a link or open a document.
The Industry Impact
As COVID-19 pushes more people into working remotely, phishing incidents are increasing. Part of the reason is that workers no longer operate inside the corporate network perimeter, with its mail filtering and monitoring. Remote working has also led to increased use of smartphones and tablets, where dubious emails and texts are harder to spot: mobile mail clients often show only the sender’s display name, not the underlying address, and a link’s real destination can’t be previewed by hovering over it.
Real estate is particularly vulnerable; even before the coronavirus outbreak, a great deal of its business was conducted online. Because real estate and private equity firms regularly communicate with investors and customers about financial matters, they are easy targets.
One study, conducted by cybersecurity company Proofpoint, examined six phishing attacks that specifically targeted real estate companies. The methods ranged from realistic-looking Office 365 log-in pages, to fake document attachments, to credit card authorization forms.
And in one specific real estate deal, a home buyer came close to losing the down payment for a house on which she was scheduled to close. The scammer, posing as the title agent, sent her increasingly threatening messages the day before signing, warning that if she didn’t wire the down payment immediately, she would lose the house. The frantic buyer wired the money, only to find it never reached the title company. She was fortunate: the title agent and the FBI were able to trace the scammer and recover the money. But the story underlines how much can go wrong in the aftermath of a phishing attack.
Don’t Take the Bait
Steps can be taken to protect companies and their information from hackers and scammers trying to lure victims in. These include the following.
Boost employee awareness. When employees are made aware of social engineering and phishing attempts, they’re less likely to click on dubious links or downloads. But there is more to this than saying, “don’t click on suspicious links.” Talk regularly with staff and show them examples of phishing emails and texts. Remind them consistently that legitimate emails and texts won’t ask for usernames, passwords, or other credentials, and that an unexpected attachment or payment request should be verified with the sender through a known phone number or a freshly addressed email, never by replying to the suspicious message.