By Katrina Creer
Unsuspecting real estate agents are being tricked into redirecting funds and disclosing sensitive private information with an increasing number of cyberattacks on the Australian property industry.
However, businesses can make it harder for these faceless criminals to operate by being educated, investing in secure systems and most importantly staying alert, experts advise.
Don’t think it won’t happen
Cyber security incidents are estimated to cost Australian businesses up to $28 billion per year but it isn’t just the major companies being impacted. Mid-to-small businesses account for 43 percent of cyberattacks, according to a report into internet security by software firm Symantec.
Simone Herbert-Lowe from Law & Cyber said no business is too small to fall victim and that small businesses are often targeted because they are vulnerable. Real estate agencies are attractive because they act on high value funds transfers.
“Just think about how much money changes hands in a property transaction, particularly in a market like Sydney where $1m is not even considered high but how many people would ever normally transfer that amount of money?” she said.
Personal details held by real estate agencies also makes them prone to being hacked or impersonation fraud. They are likely to have fewer IT resources than other organisations holding information of the same value.
“You are not going to attack the banks if you are a smart cybercriminal, you are going to attack the small business involved (in the transaction),” Ms Herbert-Lowe said.
You need more than a computer program
A study by accounting software firm MYOB found that 87 per cent of small and medium-sized businesses in Australia believed they are safe from cyberattacks by simply using antivirus software.
But Nigel Phair, Director of UNSW Canberra Cyber said while such technology is important, real estate agents need to undertake a ‘fundamental risk management process’. This means looking at what valuables they are holding and add appropriate extra controls.
Internal networks should be using two-factor authentication for any staff or contractors to ensure that they don’t get ‘phished’ into giving up access or their passwords.
“For instance, if an agent told me to put 10 per cent into a trust account, they should really get me to ring them back and verify it over the phone before I make the transaction,” Mr Phair said.
“It is about putting in more controls about where the big money is moving.”
Know the risks and stay alert
Cybercrime gangs have been known to send huge numbers of emails a day exposing these ‘mega-lists’ to malicious software.
Even if you are not targeted, there is still a chance of being caught up in a scam.
Businesses such as real estate agencies who are handling money on behalf of someone else have to treat the threat more seriously.
“You might think you have been authorised because you have read a scam email that appears to be from the client, but unless you actually have instructions from the true client then it is potentially a breach of trust if you pay money out of your trust account based on a scam email,” Ms Herbert-Lowe said.
Cybercriminals have even resorted to mimicking real estate branding or impersonating clients in an attempt to access trust funds through emails. This type of crime, known as ‘business email compromise’, is carried out either through social engineering that relies on the ‘human tendency to trust’ or by computer intrusion.
‘Domain spoofing’ is used to slightly alter an email address so it appears to be from a trusted source. Passwords should also be taken seriously with at least 12 characters and a combination of numbers, symbols and lowercase letters.
“Be aware criminals have programs that can fire every dictionary word at a computer to crack it and never use your business name,” Ms Herbert-Lowe said.
Always act cautiously
Agents need to adopt a ‘zero trust mindset’ in their day to day business, experts warn.
Do not open suspicious attachments or click on dubious links, check for any spelling mistakes. Be cautious where the email is not addressed to you and contains a generic salutation, is marked as an ‘urgent’ or encourages log-in to a different website.
Cathy Baker, who is a committee member of the REINSW Residential Sales Chapter, stresses trust account details can no longer be sent through an email. Instead, it must be a two-part approval process.
“Gone are the days where you can just transfer funds,” she said.
“There needs to be a secondary person, usually the office manager, who they need to call before a transfer occurs.”
Real estate agencies are also being urged to check their insurance policy covers cybercrime. And importantly should a safety breach occur, it is important to have a plan in place.
Ms Baker said the first port of call should be to speak to your insurance company before engaging a solicitor.
Educate staff on the risk protecting information, cyber security, and spotting phishing emails. Both the Australian Cyber Security Centre and the Australian Competition and Consumer Commission (ACCC) provide best practice information for small businesses.
For more information go to: https://www.cyber.gov.au/