Watch out for social engineering fraud!
December 2018
Like lawyers and other professionals handling trust funds, real estate licensees face the risk of being targeted by social engineering fraudsters. This type of fraudster typically uses email or telephone to deceive you or your clients and to “engineer” situations in which persons inside organizations are fooled into disclosing information, providing access to networks, or transferring funds under false pretences.
For example, a cybercriminal hacks into a brokerage’s server and, over time, monitors the brokerage’s emails, gathering information about deals in the works. Using this information, the criminal crafts a fraudulent email to one of the brokerage’s clients, asking that the deposit funds be sent to a different account—not the actual brokerage trust account, but one controlled by the criminal. Relying on the email, the buyer makes the payment. By the time the brokerage discovers that the deposit was never paid into its trust account, the criminal is long gone with the funds.
Or a brokerage receives fraudulent instructions from an email address that “spoofs” that of a legitimate client, or perhaps a law firm, and pays out a deposit to a party with no legitimate claim to it, for example into an account overseas.
Or an accounting clerk in a strata management brokerage is induced by a fraudulent email to change key information in the brokerage’s systems, such as bank account information of a client, resulting in funds being transferred to the account of the fraudster and not the client.
The list goes on. E&O has not had such a claim reported… yet. The Lawyers Insurance Fund has had several such claims, and it’s only a matter of time before these scams start to hit real estate licensees. Here are some tips to help protect your livelihood and reputation from the damage these frauds cause:
Tip 1: Establish safer procedures or protocols to confirm transfers of funds.
- Every brokerage should establish protocols for transferring funds out of its accounts and adhere to them.
- Every request to transfer funds or any change in payment instructions could be a fraud and should be verified through direct, in-person contact with the person who sent it.
- Brokerages should consider implementing a policy whereby payment instructions are not taken by email, but must be given in person or at least by telephone.
- Warn staff that any request to bypass trust payment protocols on the basis of urgent circumstances is a red flag of a possible fraud. Some of these scams succeed because they create a sense of urgency that leads to staff members bypassing protocols.
- Once you begin communicating with a new client, inform them that you will never send wiring instructions via email without first confirming it through direct, in-person contact.
- Tell your clients to contact you immediately if they receive an email containing any change in money transfer instructions.
Tip 2: Educate yourselves about safe computer practices.
- Brokerages should educate both staff and licensees about these scams and the importance of complying with protocols. Security awareness training can educate employees and licensees about password security, the types of attacks to look out for, and what to do in the event of a breach.
- You can precede the training with a simulated phishing attack or a password audit to show staff how easy it is to fall victim to an attack. Security awareness training and simulated attacks should be carried out at least once a year.
- There are plenty of resources available online to warn and educate you about cyber protection. Start with the information on the Canadian Anti-Fraud Centre’s website, the online publication Get Cyber Safe Guide for Small and Medium Businesses, and information from the Lawyers Insurance Fund.
Tip 3: Protect your computer systems.
- Protect your computer systems and data. Licensees should use secure email domains that are protected by strong firewalls and antivirus software.
- Change passwords regularly. Create strong passwords that are long and combine upper- and lower-case letters, numbers and special characters.
- Never use public computers or public Wi-Fi for business purposes.
Tip 4: Consider buying cyber insurance.
- Although some of the social engineering scams may have coverage under the indemnity Plan (if scams involve an error in performing or failing to perform real estate services for others), many of them would fall outside that coverage.
- Brokerages should consider purchasing a cyber insurance policy as part of their risk management practices.
Acknowledgement
E&O would like to thank the Lawyers Insurance Fund for the background and resources used as the basis for this article.