After the spring and summer we’ve been through, when you hear the word “safety” the first things that probably jump to mind are COVID-19 safety procedures such as wearing face masks when meeting clients and in the office, not shaking hands with clients any more, and holding virtual open houses. All those things are still really important, but as the virus spread fluctuates, so do the rules. The best advice we can give you is to keep listening to the governor’s guidance, follow all CDC-recommended health protocols, and take care of yourself.
Now that we have the compulsory COVID-19 talk out of the way, what other kinds of safety are we concerned about as Realtors®? Personal safety, brokerage safety, and cybersecurity. Let’s take a brief look at all three.
When asked if their brokerage had standard procedures for agent safety, only 45% of Realtors® in a recent survey said yes. A full quarter, 26%. said no; while an startling 29% said they didn’t know. Breanne Gingerich, manager of NAR’s Realtor® Safety Program, is working hard to change that and improve the safety culture among Realtors®.
“Realtors® are incredibly personable and kind people, that’s who they are at the core. But that works against us when you consider that by nature of our business, we meet with strangers for a living,” Gingerich says.
What she means by safety culture is talking about safety procedures often, and training agents from the beginning about the importance of having safety protocols in place that they follow with every client, every day, every time. Increasing awareness of safety risks Realtors® face on the job empowers them to be prepared and helps reduce risk.
The job holds inherent risks, such as meeting with strangers and unlocked doors at open houses. “Another hidden danger is a misconception that most crimes against Realtors® are crimes of opportunity or random acts of violence,” Gingerich explains. “But most often that is not the case. The data shows that these crimes are most often predatory in nature: the attacker really preys on the victim before attack. They might search or shop around for Realtors® in an area, choose that person based on a photo or any number of things. They research the victim, come up with a plan on how to get that person alone, and determine how they’re going to execute on that plan.”
Thinking about risks ahead of time and having safety protocols in place reduces your risk. Gingerich offers her top five personal safety tips:
1. Do not meet clients alone, always meet in a public place, even if you talk on phone first and you think you have a good sense of the person. Similarly, don’t hold open houses alone or be at a property alone. Bring a colleague, friend, buddy, or spouse.
2. Dress in a way that makes it easy for you to escape an unsafe situation. Primarily consider your shoes – 3” stilettos or slippery Italian loafers – may look good but will only impede your progress if you need to run. In addition, do not wear expensive jewelry or carry a purse. Always keep your phone on you.r person.
3. When showing a property, always keep your back to the door and let the client walk in front of you. That way no one can sneak up on you.
4. Do not go into basements, attics or crawl spaces with a client, allow the client to explore them on their own.
5. Don’t overshare about your personal life, reveal the name of your child’s school, where you work out, go for coffee in the morning or any other routine they don’t need to know. Consider the information your client must have, and stop there. In the same vein, don’t be friends on your personal social media accounts with buyers and sellers whom you don’t already know.
It’s crucial for a brokerage or real estate office to have protocols in place to protect their agents and to build a culture of safety in the office. “Having a program increases the chance that each agent goes home safely that night. By spreading awareness of dangers and risks that Realtors® face on the job and being prepared can be difference between life and death,” Gingerich says.
If your brokerage doesn’t have safety protocols in place, now is the time to create one. Consider rules about meeting clients at the office or a café first, not at an empty secluded house; and not getting into a client’s car. Realtors® need to be in the driver’s seat – literally. If a client insists on taking their own car, have them follow you. Think about bringing in a qualified safety educator, either with NAR’s Safety Matters course or yourtheir own , to teach your agents about safety, the importance of trusting your instincts and listening to that voice in your head.
Gingerich offers her top office tips:
1. Set up a buddy system and keep track of your colleagues through sharing calendars. Always let someone know when you have an appointment and when they can expect to hear from you. Share a time frame and location list of where you’re going be and at what time.
2. Establish predetermined code words, phrases, or emojis among coworkers that can be used as signal for help while at an appointment. So when someone from the office texts to check in with you during an appointment and you’re not feeling safe, simply text back the predetermined code word or emoji and they can send help. If everything’s fine, send back a thumbs up.
3. Do not work alone in the office – ever. If you’re meeting late at night, walk with colleagues to your car.
4. Have clients sign in at front desk so there’s record of who has visited. Consider photocopying their IDs to strengthen this tactic.
5. Set up a waiting room and always meet clients at the front of the office, do not allow them to walk around freely.
NAR offers an essential course on how Realtors® can limit risks to preserve safety and facilitate a positive business outcome, called Safety Matters: Safe Business = Smart Business. Just updated in 2019, there are two versions: a three -hour and a one hour course. It covers many topics, including risks in the business, safety systems to limit risks, and more. It is offered by Realtor® associations, proprietary schools or real estate franchisees that have a license with NAR’s Real Estate Buyers Agent Council (REBAC). You can find more information on the NAR website by searching ‘Safety Matters Course’. here. <https://www.nar.realtor/safety/real-estate-safety-matters-course.>
Sixty percent of small businesses that are victimized by a successful cybersecurity breach go out of business within six months, according to a report by the Ponemon Institute.
Perfect cybersecurity does not exist, says Jessica Edgerton, NAR Associate Counsel, in her webinar on the topic. “All we can do is implement best practices, educate ourselves and be vigilant. I call it staying paranoid in a healthy non-freaking out kind of way.”
Real estate is particularly attractive to cybercriminals for several reasons: there are multiple players involved which brings a lot of opportunity to hack in; transactions generally involve large sums of money; and brokerages are usually small to mid-size companies. The risks range from direct theft of funds to business disruption, to loss of reputation to the cost of system cleanup.
A dangerous misconception is that your brokerage is too small for criminals to bother with. But the truth is, cybercriminals know that generally smaller businesses are less protected. Fundera, a small business financial resource, estimates 43% of cyber attacks target small businesses.
A common cybercrime in the real estate industry is wire fraud, where a hacker collects data from your system and sends your home buyer or their banking representative a very convincing and well-timed email. It looks like it came from your office with last minute changes regarding where to wire their money. Not knowing the email is a fraud, they wire their funds to the criminals, who disappear with your client’s money. To prevent this fraud, Edgerton recommends educating your clients early in the process, warn them to be suspicious of changes in wiring information, develop security conscious email and password practices, and avoid handling disposition of funds when possible. If you’re the entity that was hacked, contact the local police as well as the FBI.
But it’s not all about the money – cybercriminals want your data too, either to sell on the dark web or use in a ransomware attack, where they take your data and demand a ransom for its return. The data they’re after is called Personally Identifiable Information (PII), which varies by state. Massachusetts law defines it as:
''Personal information'' a Massachusetts resident's first name and last name or first initial and last name in combination with any one1 or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that ''Personal information'' shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”
Brokerages need to know what PII you have in your systems, work to protect it, and never keep it longer than you need it. If you have a breach, you may have legal liabilities, clients can sue, and you could even lose your license. State laws are in flux over remedies and breach notification regulations, so keep up with changes. You can find the Massachusetts’ statute here.
The Federal Trade Commission (FTC) protects consumers against “unfair or deceptive commercial practices” and they have ruled that bad cybersecurity falls in that category. They look for reasonable protection of PII as well as failure to comply with privacy and security policies. You could face hefty fines, FTC audits and requirements to take remedial measures.
Unfortunately, employees are often unknowingly the source of a data breach through a mistaken click or lack of security. Best practices to offset the human error element include:
· Habit modification – beware of malware apps, unsolicited texts and pop-ups.
· Encourage reporting of possible breaches.
· Stay up to date on the latest scams and malware attempts.
· Implement and enforce appropriate policies regarding PII, document destruction, breach notification and IT security.
Your reputation is at risk too. Symantec’s 2019 Internet Security Threat Report (ISTR) reports nearly one in ten targeted attack groups now use malware to destroy and disrupt business operations, a 25% increase from the previous year. Criminals send an email disguised as a clever notification or a business referral with an attached file containing malicious script. Opening the attachment executes a script which downloads malware intended to destroy your systems.
The FBI’s 2019 Internet Crime Report says business email compromise (BEC) scams are the most damaging and effective type of cybercrime, accounting for over $1.77 billion in losses for victims last year. And in Q1 2020, almost 31,000 organizations were targeted.
The remedy? Edgerton says think before you click. Ask yourself if this is a trusted source and if you have received attachments from them before. If it’s a link instead of an attachment, hover your mouse over the link and look at the actual URL address. If it looks fishy, do not click.
Edgerton’s top infrastructure safety tips:
· Keep your system software up- to- date, and install security patches when prompted.
· Implement antivirus and firewall protections.
· Back up your system in a secure location offline. If you’re the victim of a ransomware attack, you’ll have more choices of whether to pay if you have backup files.
· Consider a voluntary IT security audit to determine your weak points.
· Segment your IT environment and restrict programs and information to a need-to-know basis.
· Third-party IT vendors pose a security risk as well. Do your due diligence, check their reputation and read your contract carefully to make sure you’re covered if they do something that gets you sued.
Most of all, Edgerton says, don’t feel overwhelmed. A great place to start is NAR’s recently updated Data Security and Privacy toolkit. Add URL for print