Don’t Fall for Phishy Stories

May 12, 2020

- By Michael Krone, Esq.

When “Shark Tank” star Barbara Corcoran, one of the most accomplished businesswomen in the country, revealed that her business almost lost $388,000 to an email scam, it became obvious that even the most business-savvy among us are at risk. With over 85% of all cybercrime throughout the world coming through email, it is now more important than ever that every sector of business be aware of the dangers and risks in transmitting data through that medium. However, email is not the only concern: voice phishing (“vishing”), text phishing (“smishing”), and fax scams mean that every form of communication is vulnerable.

The risk is most acute in the real estate sales industry because hundreds of thousands of REALTORS® and attorneys transact trillions of dollars in real estate sales per year. Most REALTORS® and attorneys are small businesspeople without the sophisticated tools that large businesses can afford to catch these scams. Yet even the credit bureau giant Equifax was hacked, which just goes to show that any business is vulnerable no matter how sophisticated its systems are.

What are we as an industry looking to protect from these online hackers? Primarily it is our customers’ personally identifiable financial information (PIFI), as well as our own and that of our firm. This includes credit account information, social security numbers, bank account/check information, driver’s license numbers, and pictures. Protecting this information means securing our business’s future and our viability in the industry. Leaving this data unprotected and available to be hacked or stolen leaves us liable for the consequential damages that such theft can create.

The major hurdle we face in our industry today in dealing with cybercrime and the constant attacks on our technology and databases is our struggle to establish identity theft prevention protocols designed to detect warning signs, or “Red Flags”. In Massachusetts, we are mandated to have a WISP (Written Information Security Program) policy to protect PIFI. We must also be sure that any other parties we bring into the transaction (attorneys, lenders, etc.) are following standard security measures.

First and foremost, you need to have secure email. Hotmail, AOL, and other consumer email platforms do not carry the security protections that business-grade email systems such as Microsoft 365 can provide. You must be able to send data in an encrypted format so that it can’t be viewed if a hacker captures your email. Emailing a deposit check without encryption, for example, can lead to hackers obtaining the valuable information contained on that check. Encrypting the check as an attachment to the email protects the data on the check. Adobe and other companies have software to easily encrypt a document with password protection.

Your laptop and computer must have business-grade spam filters, antivirus, and malware protection. We must all have secure and constant backup systems. Ransomware, a type of malicious software designed to block access to a computer system until a sum of money is paid, cannot debilitate you if your data is backed up securely outside of your computer. Providers such as Carbonite and iCloud can provide constant backup each time your computer, laptop, or phone is connected to the internet. If you back up constantly and a ransomware or virus attack should befall you, your data is generally safe and can be downloaded onto a new computer from the cloud.

There is no way to protect your data and systems from every kind of attack. However, that doesn’t mean you should give up. To the contrary, install and engage business-grade protection and establish simple rules to protect your data and your business. Set up email rules that will alert you that an email may be fraudulent. Establish protocols to verify the legitimacy of wiring instructions. Put in place rules that can protect you from vishing and smishing, such as never totally trusting a text or phone call from someone you do not know or from someone seeking protected data or claiming to be from the IRS or a credit card company. As Ronald Reagan once said, “trust but verify.” That is the rule we all need to follow today: trust to some degree that what you are receiving is from a legitimate source, but verify if there is any inkling that it might not be. Think twice before clicking on a link or attachment in an email. Verify by phone all wiring instructions and bank account information given to you. Finally, be smart: understand that our industry is under attack and that you could be next.