In the US, the real estate industry has 335,000 companies with combined revenues of $380 billion and the top 50 companies accounted for 20% of total revenues. According to FBI, the real estate cyber attacks complaints increased by 500% in 2018 with $7 billion worth of financial losses. KPMG survey shows that one-third of real-estate firms have experienced a cybersecurity attack in the last 2 years and 50% of respondents mentioned that their firms are not adequately prepared to respond to a cyber attack. The property managers, developers, brokers and agents, real-estate firm and appraisers hold significant amount of confidential personal and corporate information and this makes real-estate a vulnerable and high-value target for cybercriminals.
In real estate, there are specific vulnerabilities for hackers to exploit. The information systems contain large amounts of personal identifiable information and real estate professionals exchange huge amount of personal and financial data such as deal and payment terms. With distinctive business models and relative technological unsophistication, the real estate industry faces cybersecurity challenges of business email compromise (BEC) and data breaches.
Business email compromise (BEC)
In a BEC exploit, hackers gain access to personal or business email and imitate the owner’ identity to trick customers, partners and employees. BEC is one of the most prevalent cyberthreats in real-estate and three common techniques are illegal access, social engineering and urgent payment requests.
With illegal access, cyber criminals gain access to victims system using spoofed emails, spear-phishing emails and malware. The spoofing involves slight variations on legitimate email addresses, spear-phishing involves making the victim believe that email from trusted supplier and malware are used to infiltrate network to access internal data. With social engineering, the hackers use social media information to target the victims and access the owner email account. In real estate, the three specific types of BEC scams are CEO fraud, false invoice and account compromise. With CEO fraud, hackers pose as the company CEO and send emails to employees to transfer funds. In false invoice, attackers pretend to be suppliers and request fund transfers to accounts owned by fraudster. Finally, account compromise involves hacking and using executive or personal accounts to request invoice payments.
For example, before the sale of house, the buyer receives an email from the real-estate agent with specific details containing date, location and time of deal closings and how to wire money. The hackers can generate such emails and get funds transfer to his/her account. According to the FBI internet complaint centre, the mortgage close wire scam has seen a 1000% increase in 2018 with a total financial loss of $56 million.
With data breach, the sensitive, confidential and protected information is shared and used by unauthorised persons. In real estate, the two common techniques used by hackers for data breach are brute force attacks and malware. The brute force attack involves guessing username and passwords and especially with cloud computing, vulnerabilities have increased with credential stuffing. On the other hand, malware attack involves injecting malicious software into a system to gain personal information. The goal of data breach is steal personal identifiable information to compromise identities, steal money or to sell it on the DarkWeb with huge consequences for the company including damage to customer relationships relationship, company reputation and loss of potential business.
In real estate, data breaches present a real imminent threat with potential financial, legal and reputational consequences. Real estate firm holds huge volume of client information including names, identification number, passwords, addresses, financial details and family records. For example, in the ‘Frist America’ data breach hackers compromised 885 million users’ accounts.
Cybersecurity risks in Finance
Despite the fact, cybersecurity is cornerstone in financial industry; the cyberattacks have become common practice. Financial institutions hold valuable customer and other sensitive data and hackers frequently attempt to break into these networks to steal information for illicit economic advantages. According to statistics, cybersecurity is number one risk for the financial industry with 1 in 3 successful cyber attacks.
Cybersecurity risks in financial industry
- Data breaches: Data breach is the utmost cybersecurity challenge for financial institutions. A data breach exposes sensitive, confidential and protected information to unauthorised persons and hackers steal millions of customers’ records. In the financial industry, data breach involves credit reporting companies, payment processing companies and banks. For example, Equifax data breach resulted in 143 million accounts compromised, JP Morgan data breach had 76 million user data leaked, and CaptialOne has compromised 100 million customer data as well as data processors international had 8 million credit card numbers stolen.
- Mobile App security risk: Mobile applications provide real-time information to customers and leverage real-time information to conduct online transactions. However, mobile applications present cybersecurity risks because they lack full-proof security modules and codes. The cyber criminals leverage weak security measures and controls to steal customer data. In particular, the cloud based services on which banks rely make things more complicated. The communication and collaboration is subject to man-in-the-middle attacks, network penetration and invalidated redirects. During COVID-19, the FBI has issued multiple alerts for banking Trojans and fake mobile banking apps, which trick users into entering authentication credentials on the malicious applications, including web applications.
- Ransomware attacks (DDoS): Ransomware is malicious software that locks out users from accessing important documents or freezes systems to legitimate access thus rendering an encrypted system or locked system until a ransom is paid. During COVID-19, ransomware attacks have increased by 520% with a rash of ransomware attacks on bank technology providers such Cognizant and Finastra. With ransomware, the critical business data is locked, leaving financial institutions unable to serve the customers.
According to FBI, the financial industry has paid $1 billion in ransom attack in 2019.
- Insider threat: Financial institutions invest time and resources to secure technological aspects such mobile apps, websites and ATMs. However, insider risk is one of the biggest risks for financial institutions. The insider threats include unintentional act such as employee opening a phishing link or clicking on spoof website. On the other hand, the intentional act of rogue or disgruntled employee poses even greater threat through unauthorised use of credentials. The employee can steal sensitive information or damage systems to harm the reputation of the financial institution. For instance, the data breach at CaptialOne was organised by an insider ‘software engineer’ who hacked into a cloud-based server containing CapitalOne assets. Likewise, a financial advisor of Morgan Stanley transferred the personal identifiable information of clients on a personal database server and hackers breached the security of that personal server.
The cybersecurity aspect in real estate involves traditional challenges of access management, network intruders and encryption. The unsophisticated technologies and lack of knowledge of cybersecurity dimensions have resulted in risks of business email compromise and data breaches. On the other hand, the financial institutions face complex and dynamic challenges of system vulnerabilities and insider risk. The financial institutions need to deploy advance technologies to manage emerging technological challenges as well as internal control to manage the activities of employees.