Simple Steps to Strengthen Your Cybersecurity Protect Your Data – and Your Customers’

When prospective homebuyers Sean Smith and Erin Wrona received an email asking them to wire $1.57 million for their cash purchase of a Cleveland Park home in Northwest Washington, D.C., they complied. A month later, when the couple arrived at the settlement table to finalize their purchase, they discovered they were victims of wire fraud. While they certainly are far from the first people to have been scammed, the amount of money involved drove this incident to the top of national headlines.

“Pretty much every company I talk to has had money taken through wire fraud at some point,” says Todd Ewing, founder and CEO of Federal Title and Escrow in Washington, D.C., the title company involved in the Smith and Wrona case. “Phishing attempts have been rampant for the past two or three years.”

Attempts at wire fraud during real estate transactions typically start with the breach of someone’s email account, says Finley Maxson, counsel for the National Association of Realtors®.

“It could be an email account of the title company, the attorney, the real estate broker, an agent, a lender or the customer that gets hacked,” says Maxson. “After that, the scammers monitor the emails so they know when a closing is imminent and then send instructions to wire funds to an account they control.”

In the Smith and Wrona case, which Ewing cannot discuss directly because of an ongoing lawsuit, the couple was able to purchase their house with the help of family members who wired them the cash a second time. The couple sued Federal Title, which claimed that it was hacked.

“People think it won’t happen to them, but we’ve had several recent instances of someone attempting wire fraud,” says Helen Krause, marketing director of New World Title and Escrow in McLean. “Someone emailed us twice in one week recently posing as the listing agent in an upcoming settlement and asking for information about where to send the proceeds for the seller. The email went to everyone in the office, so we were suspicious; then we saw the listing agent in person and confirmed that this was fraud.”

scamKrause said the email looked as if it came from the listing agent, but no money was transferred to the wrong location in that case. She reported the incident to the FBI.

In another recent instance, the email of a buyer’s agent was hacked and the buyer received two different sets of wiring instructions, according to Krause.

“Luckily, the buyer called us to confirm the instructions before anything was transferred,” says Krause.

After receiving requests from lenders without a property address or a name, Krause calls first to ask for those details before providing any information.

“Scammers can be logged into your email and lurking in the background ready to send a realistic-looking email as soon as a closing is scheduled,” says Simon. “We’ve trained everyone in our office not to click on a link or an attachment, no matter how real it looks, without confirming that it’s real. Even if your computer doesn’t instantly crash if you click on the link to what’s supposed to be a contract or an offer, the scammers are logging your keystrokes so they know your password,” he cautioned.

A common scam, warns Ewing, is when a fake buyer makes an all-cash offer and requests a quick closing.

“The buyer writes an earnest money deposit check for $100,000 or some other large amount and then a few days later withdraws the contract and demands a wire transfer to immediately return the deposit,” says Ewing. “The check won’t have cleared the bank by then and it will never clear, so the agent or broker loses that money.”

"Attempts at wire fraud during real estate transactions typically start with the breach of someone’s email account."

Prevention of wire scams and other cybercrime requires both sophisticated technology and old-fashioned tools.

“Pick up the phone and call before you open anything unexpected,” says Simon. “It just takes a few minutes.”

Be sure to look up a phone number for the person or company sending the email on their website rather than call the number listed in the email, advises Ewing, since that phone number will be fake if the email is a scam.

“Assume that anything you send over email can be accessed by other people,” says Simon. “Don’t send sensitive business over email.”

Changing your email password every 30 days should be standard practice, says Simon, who recommends installing a password-keeping app on your smartphone.

Other low-tech advice that could prevent a data breach includes not leaving paperwork with Social Security numbers or other sensitive information in your car or on your desk where these can be seen or photographed by a passerby.

“The thing to remember is that even though lenders and title companies have secure portals, any person in the real estate process can be hacked at any time,” says Krause. “That’s why it’s so important to train everyone to call a number from a website, not an email you received, and check before sending any money.”

Frequent reminders to yourself, your team and other agents can prevent a security breach in many cases.

“We’ve had our IT provider do rigorous training for the entire staff for the past two years, including providing faux email tests to catch staff members who were clicking on links that they should ignore,” says Ewing.

It’s human nature to make mistakes, says Ewing, but one of the silliest – and contradictory – he saw earlier this year was a legitimate email from an agent with wiring instructions for a client even though the email had a disclaimer on the bottom which stated, “This brokerage will never transmit wiring instructions via email.”

In addition to basic protections of avoiding links and attachments and calling someone who appears to

have sent you legitimate information, Maxson recommends taking inventory of the data you’re collecting electronically and getting rid of what you don’t need.

“You should have a data protection plan in place as well as a cyber security program,” says Maxson. “Make sure your network is separated, so that people only have access to the information they actually need and not to all information. Make sure your network connections are secure and your software is up-to-date.”

Backing up all your data won’t prevent a data breach, but it can protect you in the event of a ransomware attack, says Maxson. If you have everything backed up, you won’t be tempted to pay someone to give you access to your hacked computer.

“Make sure all your vendors are implementing proper security procedures, too,” says Maxson.

Insurance policies offer some protection against cybercrime, but as with all policies, Simon recommends making sure you understand the limitations of the coverage.

“Insurance companies may be willing to pay $10,000 or $25,000 for IT services in the event of a ransomware attack, but I don’t know of any company that would pay out more than $1 million if someone wired money to the wrong place,” says Simon.


Realtors® should educate their clients from the beginning about the potential for wire fraud, says Maxson.

“Make sure your clients know you won’t ask them to do anything important over email, so if they do get something that looks like it’s from you, it will seem out of place,” says Marcus Simon, office manager of Ekko Title in McLean.
"Backing up all your data won’t prevent a data breach, but it can protect you in the event of a ransomware attack."

“We ask agents to send the message to their buyers and sellers that we take wiring money very seriously,” says Ewing. “We never wire instructions that aren’t encrypted. We only send wiring instructions to a buyer, never to an agent.”

Federal Title’s system is that customers talk to an agent on the phone before a settlement and then are sent an email with a link that asks them to answer a security question before they can access the wiring instructions.

Many agents include a message near their email signature warning about the potential risks of wire fraud.

Realtors® should work with their clients and help examine the wire instructions to see if there are any typos, grammatical errors, or names of banks that are suspect. Verifying the bank’s location and address should be done outside of the information in the wiring instructions. Foreign banks should be considered a red flag.

NAR offers the following email template as a sample for its members:

IMPORTANT NOTICE: Never trust wiring instructions sent via email. Cyber criminals are hacking email accounts and sending emails with fake wiring instructions. These emails are convincing and sophisticated. Always independently confirm wiring instructions in person or via a telephone call to a trusted and verified phone number. Never wire money without double-checking that the wiring instructions are correct.

“The best thing you can do is be vigilant about your email because that’s where this all starts,” says Simon.

The National Association of Realtors® has a downloadable Cybersecurity Checklist for Real Estate Professionals: https://www.nar. realtor/law-and-ethics/cybersecurity- checklist-best-practices-for-real-estate-professionals.

Additional resources from NAR can be found at: data-privacy-security.
Featured Resources