Cyber security threats to real estate and the best practice to stay one step ahead

At first glance, the real estate industry, with its bricks and mortar image, may not appear the most obvious target for cyber-attacks. However, with a 300% increase during the pandemic, cybercrime is fast becoming one of the biggest threats to all businesses globally – with real estate no exception.

Real estate companies hold valuable information about tenants and landlords that cyber criminals want, including bank account and other personal information that criminal hackers can use for identity theft, data breaches, and ransomware attacks. With many real estate firms now relying on digital operations and ‘smart’ technology, such attacks could affect operations, with the impact ranging from mere inconvenience to full shutdown. Vulnerability is magnified where commercial buildings have multiple occupancies, or interconnected and interdependent IT systems involving third parties.

Property management companies’ online portals can be breached by criminal hackers, giving them access to credit and debit card numbers and addresses that they can use to commit fraud. Estate agents or conveyancing attorneys are responsible for handling homebuyers’ deposits, yet often have minimal security measures in place to protect what are substantial transactions.

Email communications leave all such parties and agents vulnerable to phishing, whereby persons or groups contact potential victims within the firm posing as legitimate institutions to lure them into providing their own or others’ private data, such as banking and credit card details, passwords, or personal identification information.

It starts with cybercriminals hacking into the title company’s or real estate firm’s system to study the language used, the format of the information, and the transactions, so that they appear legitimate at first glance and can thereafter commit convincing fraud.

There is no set pattern to such crimes. The nature of cybercrime is for attackers to continually find new and diverse means to breach a company’s networks and information assets, even companies and business sectors known to have the best security measures in place to prevent cyber-attacks.

The vulnerability of the real estate sector has been exposed by a years-long downtrend since the beginning of the Covid-19 pandemic and the move to remote working. Of the various sectors of real estate, commercial and industrial property have been impacted the most, making them more susceptible to cyber threats in their eagerness for enquiries. For instance, online fraudsters have used real estate brokers’ portals, posing as buyers or renters, to insinuate themselves into the target firm and perpetrate fraud.

The following is a summary of the various approaches cyber criminals use to attack the real estate sector:

Ransomware: The term was coined because hackers demand a ransom from the organisation before restoring access to its systems and data, which they had inappropriately accessed or prevented from functioning after having attacked the organisation's network.

Business email compromise: This occurs when attackers use emails to persuade property buyers or sellers to transfer funds to fraudulent accounts. These fake emails are typically indistinguishable from an original.

Vendor compromise: Real estate clients experience vendor compromise when a third-party partner experiences a data breach.

Phishing attacks: Hackers use fake email adverts, fraudulent social media pages, and websites to lure individuals into providing their personal information, which is then used to perform malicious activities.

It is not only information and bank balances at risk: there have also been instances over the years in which cyber security incidents have been the cause of physical property damage. There are several examples of these cases globally:

  • In 2015, hackers employed phishing emails to access login credentials at a German steel mill. They succeeded in disrupting the company’s control system thereby shutting down parts of the plant, resulting in millions of euros of damage.
  • Also in 2015, back-end hackers remotely sabotaged the Ukrainian electricity power grid, resulting in power outages for approximately 230 000 consumers for between one and six hours.

Solutions are available to the real estate sector which, if implemented, can deter most cyber security attacks. For instance, there are great security tools available that monitor a company’s network on a regular basis and identify vulnerable servers. These tools automatically propose solutions on how these vulnerabilities can be addressed.

At the same time, companies should raise employee awareness of cybersecurity alongside tailored training. This equips employees to identify cyber-attacks and to understand the risk they pose to the organisation and their own responsibility in it. At-risk real estate businesses – as with all sectors – should conduct annual cyber security audits so that they have full identification of their cyber risks and can thereafter determine mitigating actions to address them.

In addition, there are cyber liability policies covering forensic expenses, legal expenses, regulatory fines and penalties, credit monitoring and IT theft repair, liability, and defence costs, including public relations expenses in the event of a cyber-attack.

This is an ongoing process: cyber security attackers continue to discover ever more sophisticated methodologies and tools to infiltrate information assets. For this reason, it is critical that real estate organisations remain continually abreast of the latest developments in the cyber security sphere and ensure that their IT environments are well secured and protected against cyber-attacks.

Written by:
Pulane Dikgole, Associate Director