The headline’s become all too familiar: “Cyber thief hacks real estate broker’s email, steals retired couple’s nest egg,” or something similar. The past few years have seen a dramatic increase in such incidents, with the FBI reporting ten “hacked real estate broker email” investigations in Tampa in just the past two months.
I’ve handled two such cases recently for real estate buyers tricked into wiring six-figure amounts to hackers’ out-of-state bank accounts. In one case, we were lucky to recover nearly all of the funds for our clients, an about-to-retire couple. The other case remains pending, but we’re hoping for a complete recovery.
Not every cyber-victim is so fortunate. And those who aren’t will be looking for someone to pay for their loss.
The good news is that, with reasonable care and a bit of common sense, cyber fraud can be prevented. But if the theft occurs because you failed to take precautions to protect your email account, it may be time to call your insurer, or your lawyer. Or both.
It usually starts when a cyber thief hacks into the email account of someone involved in a real estate transaction who has failed to take proper precautions to protect the account. It can be anyone involved – real estate broker, closing agent, attorney, mortgage broker, etc.
Unprotected email accounts are a snap for knowledgeable hackers to break into. A $40 device that’s surprisingly easy to find online lets them access any unprotected computers or smart phones on the same wifi network. It could be the guy at the next table at Starbucks, or sitting across from you at the Southwest Air gate. And if you’re unprotected (more on that in a minute) he can see everything you do online, including reading your user names and passwords.
Once he breaks into a real estate broker’s email account, for example, the hacker watches and waits. Then, when an email mentions an upcoming closing, he pounces. He creates a new domain name similar to the closing agent’s, then emails the buyer fake “wire instructions” hoping to fool the buyer into thinking they’re from the closing agent. And it often works. The buyer, expecting just such an email, wires the closing funds to the thief’s account (which is usually overseas somewhere), and the money is lost forever.
This is a foreseeable crime, which can be prevented with a few straightforward precautions. Let it happen on your watch, and you may be liable to the buyers for their loss. Fiduciary duty plus failure to take reasonable precautions just may equal liability.
Here’s how you can prevent it:
- Don’t use free public email services to conduct business. It seems like everybody has an email account with one of the free services like Gmail, Hotmail or Yahoo mail. But these services can be easy to hack into. So don’t use them. Move your email to one of the many private, secure email hosting services out there that are reasonably priced and have strong malware, virus and phishing filters.
- Do not transact business over public wifi unless your device is set up with a virtual private network which encrypts all transmissions, preventing thieves on the network from reading your passwords and invading your email, bank and credit card accounts. There are a number of reasonably priced, yet extremely effective, VPN apps available online for your computer or smart phone, such as Freedome.
- Never, ever wire funds based just on an email. Always call the sender and confirm the email’s authenticity. Read back the routing and account numbers to them and get their verbal confirmation. Follow it up with an email. And make sure your staff does the same.
- Carefully scrutinize email addresses, giving particular attention to domain names. In both of my recent cyber-theft cases, the hackers fooled the buyers by creating email addresses whose domain names were nearly identical to the closing agents'. One spelled the closing agent’s company name with one “t” missing. The other used the correct spelling, but with a different extension (“.usa” instead of “.com”). A buyer expecting an email from, for example, email@example.com may not identify firstname.lastname@example.org as a fake.
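The domain check in the last item can be automated in a mail filter or a pre-wire checklist. The following is an added example, not part of the original post: it flags sender domains that differ from a known-good domain by a dropped letter or a swapped extension, the two tricks described above. The domain `suttontitle.com`, the sample addresses and the function names are all constructed for illustration.

```python
# Added example: flag sender domains that imitate a trusted closing agent's domain.
# Every domain and address below is constructed for illustration.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # change a character
        prev = cur
    return prev[-1]

def split_domain(domain: str) -> tuple:
    """Split 'name.ext' into (name, ext). Simplification: the last label is the extension."""
    name, _, ext = domain.lower().strip().rstrip(".").rpartition(".")
    return name, ext

def classify_sender(address: str, trusted_domains: set, max_distance: int = 2) -> str:
    """Return 'trusted', 'unknown', or a description of which trusted domain is imitated."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in trusted_domains:
        return "trusted"
    name, _ = split_domain(domain)
    for good in sorted(trusted_domains):
        good_name, _ = split_domain(good)
        distance = edit_distance(name, good_name)
        if distance == 0:
            # Same spelling, so only the extension can differ (".usa" for ".com").
            return f"lookalike of {good}: different extension"
        if distance <= max_distance:
            # One or two letters off, such as a missing "t".
            return f"lookalike of {good}: near-identical spelling"
    return "unknown"

TRUSTED = {"suttontitle.com"}  # constructed known-good domain, confirmed by phone
SAMPLE_SENDERS = [             # constructed sample addresses
    "closer@suttontitle.com",
    "closer@sutontitle.com",
    "closer@suttontitle.usa",
    "newsletter@example.org",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:28} {classify_sender(sender, TRUSTED)}")
```

A "lookalike" result is a reason to stop and phone the closing agent at a number you already have on file, not proof of fraud; "unknown" senders still need the same callback before any wire goes out.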
And remember, the weakest link will be the one the hacker attacks. So no matter how secure your email is, if someone else involved in the deal is unprotected, a hacker can still be watching and waiting, and the deal is at risk.
We will discuss some other real estate scams, and steps to take to prevent them, in future posts. For now, remember the truism about “an ounce of prevention.” It really is true.