Cyber insurance is now a requirement for many real estate brokerages. This comes as more and more cybercriminals are successful in their attempts to steal information and money from real estate agents nationwide.

At PBI Group, we have seen a noticeable increase in real estate brokerages requesting cyber insurance quotes. Obtaining a strong cyber insurance policy is a great step towards protecting your real estate brokerage, but there are also “non-technical” recommendations that you can follow to improve your chances of avoiding becoming a victim of cybercrime. Below are 8 best practices we often share with our clients:

  1. Turn on MFA/2FA on your email and other information-rich systems. This includes your social media accounts, financial accounts, transaction management systems, etc. MFA (multi-factor authentication) and 2FA (two-factor authentication) are free and easy to enable.
  2. Communicate with your clients to alert them of the risks of wire fraud within the real estate industry. This is a 2-step process:
    1. Have them sign a disclosure document at the point of their becoming a client. This is a valuable CYA procedure but is often not enough, since clients sign countless documents and often don’t remember what they are signing.
    2. Call them 1 week prior to their transaction closing to remind them of Step 1. Alert them that during the next few days, the bad guys are likely to attempt to steal their money.
  3. Verify any electronic money transactions via telephone by calling a phone number you already have on file. DO NOT call the number in the email… you will only be verifying the transfer instructions with the bad guys who sent them. This includes situations where agents may want to change their bank account information for their next commission check, which you direct deposit via ACH.
  4. Turn off “legacy protocols” within your email service so POP and IMAP are no longer accessible. Although this is a technical task, it is important because these older ways of accessing your email do not support MFA/2FA. This means that the bad guys can access your email without MFA/2FA, using only your email address and password. Once they are in your email account, they can download all of your emails to their computer, thereby stealing years of clients’ information.
  5. Archive older emails to your local computer’s hard drive and get them off the server/cloud. This step is important because if the bad guys do access your email account, they won’t have 10 years’ worth of deal communications to harvest for valuable information. Once the archived mail is on your computer, they can’t access it from their foreign location via the internet.
  6. Improve your password security on all accounts by using a password manager program. We like LastPass, but there are others. Why use a password manager? Because it enables you to have unique and complicated passwords which are difficult to guess/reuse. When your account is protected by only an email address and password, the bad guys often get into your email because either a) your password is really easy for them to guess using software or b) you have the same password on your email as you have on your Facebook account; once Facebook is breached, that password is available on the dark web for sale.
  7. Learn these 2 important email skills to help avoid falling prey to social engineering emails:
    1. Train yourself on what to look for to identify a fraudulent email.
    2. Pay attention to your email filters. All email programs have inbound and outbound email filters, which are rules designed to automatically file emails out of your inbox into other subfolders based on logic (e.g. if an email arrives with the word “Urgent” in the subject, move the email to Folder X). If a bad guy gains access to your email account, they will set up email filters to direct emails into hard-to-find subfolders, so you never see replies that could alert you to suspicious activity coming out of your email account.
  8. Destroy PII (Personally Identifiable Information) once you are done with it. Most real estate brokerages don’t normally collect PII, but it happens. The definition of PII varies by state, but it is most easily described as a driver’s license number, social security number, or checking account number. Once you have transmitted that information to whoever needs it, delete that image, email, etc. If you have a business email compromise, then you will have to identify what PII was stolen. This is not a simple task, and once you are done, you are legally required to alert those clients of your email breach. Contacting old clients to let them know that you lost their social security number to the dark web could cost you repeat business.
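
For the email filter check in item 7, the review can be scripted once the rules have been copied out of the mail program. The following is an added example, not part of the original article: the rule fields, folder names and keyword lists are constructed assumptions and do not match the export format of any particular mail service.

```python
# Added example: flag inbox rules that hide mail, as described in item 7.
# Field names, folders and keywords below are assumptions for illustration.

HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
ALERT_WORDS = {"wire", "payment", "invoice", "bank", "fraud", "hacked",
               "phishing", "suspicious", "did you send"}


def review_rule(rule):
    """Return the reasons a rule deserves a manual look (empty if none)."""
    reasons = []
    folder = (rule.get("move_to") or "").strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely opened folder '{rule['move_to']}'")
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    if rule.get("mark_read") and (folder or rule.get("delete")):
        reasons.append("marks mail as read while filing it away")
    words = [w.lower() for w in rule.get("contains", [])]
    hits = sorted(w for w in words if any(a in w for a in ALERT_WORDS))
    if hits and reasons:
        reasons.append("triggers on warning/payment words: " + ", ".join(hits))
    if not words and not rule.get("from") and reasons:
        reasons.append("has no conditions, so it applies to all incoming mail")
    return reasons


def audit(rules):
    """Map rule name -> reasons, only for rules with at least one finding."""
    return {r["name"]: found for r in rules if (found := review_rule(r))}


# Constructed sample rules (not taken from a real mailbox).
SAMPLE_RULES = [
    {"name": "Newsletters", "from": "news@example.com", "move_to": "Newsletters"},
    {"name": ".", "contains": ["wire", "hacked", "did you send this"],
     "move_to": "RSS Feeds", "mark_read": True},
    {"name": "cleanup", "delete": True},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"Review rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Any rule the script flags that you do not remember creating should be treated as a sign that someone else has been in the mailbox.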
