Cyber security researchers recently announced the discovery of two major security flaws that could allow hackers to bypass regular security measures and obtain normally inaccessible data. The flaws, referred to as Meltdown and Spectre, are both caused by design flaws found in nearly all modern processors. These vulnerabilities can be exploited to access all of the data found in personal computers, servers, cloud computing services and mobile devices.
Because Meltdown and Spectre are both caused by design flaws, experts believe that they will be harder to fix than traditional security exploits. Additionally, software patches that have already been released to help address the vulnerabilities can cause computer systems to slow down significantly, which may impact their ability to perform regular tasks.
Researchers believe that Meltdown and Spectre may be limited to processors manufactured by different companies, but also warn that the design flaws that contribute to Meltdown and Spectre have been present for years. Here are some key details about each flaw:
- Meltdown: This flaw can be used to break down the security barriers between a device’s applications and operating system in order to access all of the device’s data. Meltdown can be used to access desktop, laptop, server and cloud computer systems, and can even be used to steal data from multiple users who share one device. Although researchers have only been able to verify that Meltdown affects processors made by Intel, other processors may also be affected. Many software developers have already released updates that prevent hackers from exploiting Meltdown.
- Spectre: This flaw can be used to break down the security barriers between a device’s different applications and access sensitive data like passwords, photos and documents, even if those applications adhere to regular security checks. Spectre affects almost every type of computer system, including computers, servers and smartphones. Additionally, researchers have confirmed that the design flaw that enables Spectre is present in Intel, AMD and ARM processors that are used by nearly every computer and mobile device. Software developers are currently working on a patch to prevent the exploitation of Spectre, but some experts believe that future processors may have to be redesigned in order to fix the vulnerability.
When Meltdown and Spectre were originally discovered in 2017, researchers immediately
reported them to major hardware and software companies so work on security fixes could begin without alerting hackers. As a result, services and applications offered by companies like Microsoft, Google, Apple and Amazon have already been updated to help defend against the flaws. However, you shouldn’t rely solely on a software patch to protect against these vulnerabilities. Here are some steps you can take to protect your computer systems and devices from Meltdown and Spectre:
- Update all of your devices immediately, and check for new updates regularly. You should also encourage your friends, family members and co-workers to do the same.
- Contact any cloud service providers and third-party vendors you use to ensure that they are protected against Meltdown and Spectre. Cloud services and computer servers are especially vulnerable to the exploits, as they often host multiple customers on a single device.
- Install anti-virus and firewall systems to protect against regular malware. Researchers believe that hackers need to gain access to a device in order to exploit Meltdown or Spectre, so keeping your devices free of malware can help prevent data theft.
For additional risk management updates, contact Scurich Insurance today.
Read more
According to the Identity Theft Resource Center, data breaches increased 40 percent in 2016, with a total of 1,093 reported breaches. This trend continued in 2017, with over 1,120 cases reported by October. Businesses, both large and small, are increasingly reliant on the internet for daily operations, creating attractive and potentially lucrative targets for cyber criminals.
With such heavy use of and reliance on computers and the internet by both large and small organizations, protecting these resources has become increasingly important. Learning about cyber attacks and how to prevent them can help you protect your company from security breaches.
Cyber Attacks Compromise Your Company
Cyber attacks include many types of attempted or successful breaches of computer security. These threats come in different forms, including phishing, viruses, Trojans, key logging, spyware and spam. Once hackers have gained access to the computer system, they can accomplish any of several malicious goals, typically stealing information or financial assets, corrupting data or causing operational disruption or shutdown.
Both third parties and insiders can use a variety of techniques to carry out cyber attacks. These techniques range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at gaining network access.
Cyber attacks can result directly from deliberate actions of hackers, or attacks can be unintentionally facilitated by employees—for example, if they click on a malicious link. According to historical claim data analyzed by Willis Towers Watson, 90 percent of all cyber claims stemmed from some type of employee error or behavior. The high-profile Equifax, Snapchat and Chipotle data breaches were all caused by employee error or behavior.
A breach in cyber security can lead to unauthorized usage through tactics such as the following:
- Installing spyware that allows the hacker to track Internet activity and steal information and passwords
- Deceiving recipients of phishing emails into disclosing personal information
- Tricking recipients of spam email into giving hackers access to the computer system
- Installing viruses that allow hackers to steal, corrupt or delete information or even crash the entire system
- Hijacking the company website and rerouting visitors to a fraudulent look-alike site and subsequently stealing personal information from clients or consumers
Cyber attacks may also be carried out in a manner that does not require gaining unauthorized access, such as denial-of-service (DoS) attacks on websites in which the site is overloaded by the attacker and legitimate users are then denied access.
The Vulnerable Become the Victims
The majority of cyber criminals are indiscriminate when choosing their victims. The Department of Homeland Security (DHS) asserts that cyber criminals will target vulnerable computer systems regardless of whether the systems belong to a Fortune 500 company, a small business or a home user.
Cyber criminals look for weak spots and attack there, no matter how large or small the organization. Small businesses, for instance, are becoming a more attractive target as many larger companies tighten their cyber security. According to the industry experts, the cost of the average cyber attack on a small business is increasing exponentially and shows no signs of slowing down. Nearly 60 percent of the small businesses victimized by a cyber attack close permanently within six months of the attack. Many of these businesses put off making necessary improvements to their cyber security protocols until it is too late because they fear the costs would be prohibitive.
Simple Steps to Stay Secure
With cyber attacks posing such a prominent threat to your business, it is essential to create a plan to deal with this problem. Implementing and adhering to basic preventive and safety procedures will help protect your company from cyber threats.
Following are suggestions from a Federal Communications Commission (FCC) roundtable and the DHS’s Stop.Think.Connect. program for easily implemented security procedures to help ward off cyber criminals. These suggestions include guidelines for the company as well as possible rules and procedures that can be shared with employees.
Security Tips for Your Company
Cyber security should be a company-wide effort. Consider implementing the following suggestions at your organization:
- Install, use and regularly update anti-virus and anti-spyware software on all computers.
- Download and install software updates for your operating systems and applications as they become available.
- Change the manufacturer’s default passwords on all software.
- Use a firewall for your internet connection.
- Regularly make backup copies of important business data.
- Control who can physically access your computers and other network components.
- Secure any Wi-Fi networks.
- Require individual user accounts for each employee.
- Limit employee access to data and information, and limit authority for software installation.
- Monitor, log and analyze all attempted and successful attacks on systems and networks.
- Establish a mobile device policy and keep them updated with the most current software and anti-virus programs.
Security Tips for Employees
- Use strong passwords (a combination of uppercase and lowercase letters, numbers and special characters), change them regularly and never share them with anyone. Never repeat a password across accounts.
- Protect private information by not disclosing it unless necessary, and always verify the source if asked to input sensitive data for a website or email.
- Don’t open suspicious links and emails; an indication that the site is safe is if the URL begins with https://.
- Scan all external devices, such as USB flash drives, for viruses and malicious software (malware) before using the device.
Securing Your Company’s Mobile Devices
Gone are the days when contact names and phone numbers were the most sensitive pieces of information on an employee’s phone. Now a smartphone or tablet can be used to gain access to anything from emails to stored passwords to proprietary company data. Depending on how your organization uses such devices, unauthorized access to the information on a smartphone or tablet could be just as damaging as a data breach involving a more traditional computer system.
The need for proper mobile device security is no different from the need for a well-protected computer network. Untrusted app stores will continue to be a major source of mobile malware which drives traffic to these stores. This type of “malvertising” continues to grow quickly on mobile platforms.
Most importantly, stay informed about cyber security and continue to discuss internet safety with employees.
Don’t Let it Happen to Your Company
According to the DHS, 96 percent of cyber security breaches could have been avoided with simple or intermediate controls. Strengthening passwords, installing anti-virus software and not opening suspicious emails and links are the first steps toward cyber security. In addition to the listed tips, the FCC provides a tool for small businesses that can create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns.
A data breach could cripple your small business, costing you thousands or millions of dollars in lost revenue, sales, damages and reputation. Contact Scurich Insurance today. We have the tools necessary to ensure you have the proper coverage to protect your company against losses from cyber attacks.
Read more
Businesses gather a lot of information from their customers, including personal identifying information (PII). Because of the sensitivity of this information, many states have adopted standards that businesses must follow to safeguard PII. These standards often include data security breach notification requirements.
In California, these laws are enforced by the California attorney general’s office. This Cyber Security Law Summary provides an overview of California’s data breach notification requirements. Businesses can use this information to understand their responsibilities in protecting PII of California customers.
Cyber security Responsibilities
California law requires businesses and individuals that own, license or maintain PII about Californians to safeguard that information. Businesses must implement reasonable security procedures and practices to protect PII from unauthorized access, destruction, use, modification or disclosure.
Under California law, “owning” and “licensing” includes retaining an individual’s PII in an internal account for the purpose of conducting transactions with the individual in question.
Businesses that disclose PII to a third party must have a contract in place requiring the third party to implement and maintain reasonable security procedures and practices.
The responsibility to safeguard PII begins when the information is first acquired and remains in effect until the information is properly disposed of. This means that businesses must also take reasonable steps to dispose of customer records that are within their custody.
Adequate disposal methods include shredding, erasing and otherwise modifying the records where the information is stored to make them unreadable or undecipherable. Businesses can use any means necessary to dispose of PII properly.
Affected Entities
Breach notification requirements apply to individuals and businesses in California that own, license or maintain PII about Californians. Under these laws, a business is any group that is organized, chartered, or holds a license or authorization certificate under California law or the law of any other state, the federal government or of any other country. This definition of business includes any sole proprietorship, partnership, corporation, association and financial institutions. The term also includes any entity that disposes of records.
Certain businesses are exempt from California’s breach notification law, including:
- Health care providers, health care service plans or contractors regulated by the Confidentiality of Medical Information Act;
- Financial institutions that are subject to the California Financial Information Privacy Act;
- Businesses governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules;
- Entities that obtain information under an agreement authorized by the vehicle code and that are subject to the confidentiality requirements of the vehicle code; and
- Businesses that are regulated by state or federal laws that provide greater protections to PII than what is required under California’s breach notification laws. This last exemption is possible because compliance with stricter state or federal laws will be considered compliance with California laws.
Affected Information
Under the breach notification law, PII includes an individual’s first name or first initial and last name in combination with one or more of the following:
- A Social Security number;
- A driver’s license number or California identification card number;
- An account, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial information;
- Medical information (meaning any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
- Health insurance information (meaning an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records); and
- Information or data collected through the use or operation of an automated license plate recognition system.
PII also includes a username or email address, in combination with a password or security question and answer that would permit access to an online account.
PII does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
What is a Security Breach?
Under the law, a security system breach is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the PII maintained by another person or business.
Determining whether a breach took place under the law depends on whether the affected information was encrypted or unencrypted, as shown in the table below.
|
Encrypted Information |
|
Unencrypted Information
|
|
Notification must be given if:
- The business reasonably believes the information has been acquired by an unauthorized person;
- The encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person; and
- The business that owns or licenses the PII reasonably believes that the encryption key or security credential could render that PII readable or usable.
|
|
- Notification must be given if the business reasonably believes that the information was acquired by an unauthorized person.
|
Data Breach Notification
California law requires businesses to provide written notice of a breach to the security of their systems if they own or license computerized data that includes PII.
|
Who must be notified?
|
Businesses must notify any person whose PII was compromised as a result of a data breach (as defined above).
In addition, any business that is required to notify more than 500 California residents as a result of a single breach must submit a single sample copy of that notification to California’s attorney general.
Businesses that maintain, but do not own or license, PII must inform the entity that owns or licenses the information of any security breach if the PII was, or is reasonably believed to have been, acquired by an unauthorized person.
|
|
Mandatory Notification Content
|
A valid data breach notification must be written in plain language and must be titled “Notice of Data Breach.” This notification must include the following information (if available at the time the notification is sent):
- The name and contact information of the reporting person or business subject to these requirements;
- A list of the types of PII that was or is reasonably believed to have been compromised by the breach;
- The date of, the estimated date of or date range for the breach;
- Whether notification was delayed as a result of a law enforcement investigation;
- A general description of the breach incident;
- The toll-free numbers and addresses for the major credit reporting agencies (if the breach exposed a Social Security number, driver’s license number or California identification card number);
- An offer to provide appropriate identity theft prevention and mitigation services for affected individuals for at least 12 months (if the entity providing the notification was the source of the breach); and
- Instructions on how to take advantage of the 12-month identity prevention and mitigation services offered (as applicable).
|
|
Optional Notification Content
|
The following information may be included in a breach notification at the discretion of the entity sending the notice:
- Information about what has been done to protect individuals whose information has been breached; and
- Advice on steps affected individuals may take to protect themselves.
|
|
When to Send the Notification
|
Data breach notifications must be made as soon as possible, without unreasonable delay. Timely notifications must take into account legitimate needs to cooperate with law enforcement, determine the scope of the breach and restore a reasonable integrity of the data system. For example, the notification requirement may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
|
|
How to Send the Notification
|
Under California law, breach notification can be sent in print, electronically or through a substitute notice, as defined below.
The use of electronic notices is acceptable, as long as all timing, content and formatting requirements are met. Electronic notifications must also follow federal laws regarding electronic records and signatures in commerce.
A valid substitute notice must include:
- An email notice (when the business has an email address for the affected individuals);
- Conspicuous posting, for a minimum of 30 days, of the notice on the internet website page of the business, if the business maintains one. Conspicuous posting means providing a link to the notice on the home page or first significant page after entering the business’ website. The link must stand out from the surrounding text by using larger type, contrasting type, font or color to the surrounding text. The text may also stand out by using symbols or other marks that call attention to the link; and
- Notification to major statewide media.
Substitute notice may also be provided if the business demonstrates that the cost of providing notice would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000 or the business does not have sufficient contact information.
|
Required Format
The notice must be designed to call attention to the nature and the significance of the message. This includes making sure that the title and headings are clearly and conspicuously displayed and using a font type that is 10 point or larger.
In addition, the data breach notice must organize the information according to the following headers:
- What happened
- What information was involved
- What we are doing
- What you can do
- For more information
Safe Harbor
A business that maintains its own notification procedures as part of an information security policy for the treatment of PII is in compliance with the notification requirements mentioned above if it:
- Notifies individuals in accordance with its policies in the event of a breach; and
- The notification takes place within the time constraints mentioned above.
Enforcement
Businesses cannot waive any of the responsibilities imposed on them by California’s breach notification laws. Any business that fails to comply with these requirements may be required to pay damages and penalties to injured customers by a civil court. Any business that violates, proposes to violate or has violated notification requirements may be subject to these sanctions.
The amount of damages depends on the extent of the harm or injury caused to the customer. The penalty is typically $500 per violation, but a court may order the penalty to be as much as $3,000 per penalty for willful, intentional or reckless violations.
A “customer,” for these purposes, is any individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.
Unless the violation is willful, intentional or reckless, a business that fails to provide adequate, complete and accurate notification to affected individuals can raise a complete defense against court penalties if it strives to remedy inadequate, incomplete or inaccurate notifications within 90 days of discovering an issue.
Read more
When cyber attacks like data breaches and hacks occur, they can result in devastating damage. Businesses have to deal with business disruptions, lost revenue and litigation. It is important to remember that no organization is immune to the impact of cyber crime. As a result, cyber liability insurance has become an essential component to any risk management program.
Cyber liability insurance policies are tailored to meet your company’s specific needs and can offer a number of important benefits, including the following:
Data breach coverage.
In the event of a breach, organizations are required by law to notify affected parties. This can add to overall data breach costs, particularly as they relate to security fixes, identity theft protection for those impacted by the breach and protection from possible legal action. Cyber liability policies include coverage for these exposures, thus safeguarding your data from cyber criminals.
Business interruption loss reimbursement.
A cyber attack can lead to an IT failure that disrupts business operations, costing your organization both time and money. Cyber liability policies may cover your loss of income during these interruptions. What’s more, increased costs to your business operations in the aftermath of a cyber attack may also be covered.
Cyber extortion defense.
Ransomware and similar malicious software are designed to steal and withhold key data from organization until a steep fee is paid. As these types of attacks increase in frequency and severity, it’s critical that organizations seek cyber liability insurance, which can help recoup loses related to cyber extortion.
Forensic support.
Following a cyber attack, your organization will have to investigate to determine the extent of the breach and what led to it. The right policy can reimburse the insured for costs related to forensics and seeking out expert advice. Additionally, some policies can provide 24/7 support from cyber specialists, which is especially useful following a hack or data breach.
Legal support.
In the wake of a cyber incident, businesses often seek legal assistance. This assistance can be costly, Cyber liability insurance can help businesses afford proper legal work following a cyber attack.
Coverage beyond a general liability policy.
General liability policies don’t always protect organizations from losses related to data breaches. What’s more, data is generally worth far more than physical assets, and it’s important to have the right protection in place when you need it most. Supplementing your insurance with cyber coverage can provide you with peace of mind that, in even of an attack, your organization’s financial and reputational well-being is protected.
To learn more about cyber liability insurance, contact us today.
Read more
When a data breach or other cyber event occurs, the damages can be significant, often resulting in lawsuits, fines and serious financial losses. What’s more, cyber exposures impact businesses of all kinds, regardless of their size, area of focus, or status as a private or public entity.
In order for organizations to truly protect themselves from cyber risks, corporate boards must play an active role. Not only does involvement from leadership improve cyber security, it can also reduce liability for board members.
To help oversee their organization’s cyber risk management, boards should ask the following questions:
Does the organization utilize technology to prevent data breaches?
Every company must have robust cyber security tools and anti-virus systems in place. These systems act as a first line of defense for detecting and preventing potentially debilitating breaches.
While it may sound obvious, many organizations fail to take cyber threats seriously and implement even the simplest protections. Boards can help highlight the importance of cyber security, ensuring that basic, preventive measures are in place.
These preventive measures must be reviewed on a regular basis, as cyber threats can evolve quickly. Boards should ensure that the management team reviews company technology at least annually, ensuring that cyber security tools are up to date and effective.
Has the board or the company’s management team identified a senior member to be responsible for organizational cyber security preparedness?
Organizations that fail to create cyber-specific leadership roles could end up paying more for a data breach than organizations that do. This is because, in the event of a cyber incident, a fast response and clear guidance is needed to contain a breach and limit damages.
When establishing a chief information security officer or similar cyber leadership role, boards need to be involved in the process. Cyber leaders should have a good mix of technical and business experience. This individual should also be able to explain cyber risks and mitigation tactics at a high level so they are easy to understand for those who are not well-versed in technical terminology.
It should be noted that hiring a chief information security officer or creating a new cyber leadership role is not practical for every organization. In these instances, organizations should identify a qualified, in-house team member and roll cyber security responsibilities into their current job requirements. At a minimum, boards need to ensure that their company has a go-to resource for managing cyber security.
Does the organization have a comprehensive cyber security program? Does it include specific policies and procedures?
It is essential for companies to create comprehensive data privacy and cyber security programs. These programs help organizations build a framework for detecting threats, remain informed on emerging risks and establish a cyber response plan.
Corporate boards should ensure that cyber security programs align with industry standards. These programs should be audited on a regular basis to ensure effectiveness and internal compliance.
Does the organization have a breach response plan in place?
Even the most secure organizations can be impacted by a data breach. What’s more, it can often take days or even months for a company to notice its data has been compromised.
While cyber security programs help secure an organization’s digital assets, breach response plans provide clear steps for companies to follow when a cyber event occurs. Breach response plans allow organizations to notify impacted customers and partners quickly and efficiently, limiting financial and reputational damage.
Board members should ensure that crisis management and breach response plans are documented. Specific actions noted in breach response plans should also be rehearsed through simulations and team interactions to evaluate effectiveness.
In addition, response plans should clearly identify key individuals and their responsibilities. This ensures that there is no confusion in the event of a breach and your organization’s response plan runs as smoothly as possible.
Has the organization discussed and formalized a cyber risk budget? How engaged is the board in terms of providing guidance related to cyber exposures?
Both overpaying and underpaying for cyber security services can negatively affect an organization. Creating a budget based on informed decisions and research helps companies invest in the right tools.
Boards can help oversee investments and ensure that they are directed toward baseline security controls that address common threats. Boards, with guidance from the chief security officer or a similar cyber leader, should also prioritize funding. That way, an organization’s most vulnerable and important assets are protected.
Has the management team provided adequate employee training to ensure sensitive data is handled correctly?
While employees can be a company’s greatest asset, they also represent one of their biggest cyber liabilities. This is because hackers commonly exploit employees through spear phishing and similar scams. When this happens, employees can unknowingly give criminals access to their employer’s entire system.
In order to ensure data security, organizations must provide thorough employee training. Boards can help oversee this process and instruct management to make training programs meaningful and based on more than just written policies.
In addition, boards should see to it that education programs are properly designed and foster a culture of cyber security awareness.
Has management taken the appropriate steps to reduce cyber risks when working with third parties?
Working alongside third-party vendors is common for many businesses. However, whenever an organization entrusts its data to an outside source, there’s a chance that it could be compromised.
Boards can help ensure that vendors and other partners are aware of their organization’s cyber security expectations. Boards should work with the company’s management team to draw up a standard third-party agreement that identifies how the vendor will protect sensitive data, whether or not the vendor will subcontract any services and how it intends to inform the organization if data is compromised.
Does the organization have a system in place for staying current on cyber trends, news, and federal, state, industry and international data security regulations?
Cyber-related legislation can change with little warning, often having a sprawling impact on the way organizations do business. If organizations do not keep up with federal, state, industry and international data security regulations, they could face serious fines or other penalties.
Boards should ensure that the chief information security officer or similar leader is aware of his or her role in upholding cyber compliance. In addition, boards should ensure that there is a system in place for identifying, evaluating and implementing compliance-related legislation.
Additionally, boards should constantly seek opportunities to bring expert perspectives into boardroom discussions. Often, authorities from government, law enforcement and cyber security agencies can provide invaluable advice. Building a relationship with these types of entities can help organizations evaluate their cyber strengths, weaknesses and critical needs.
Has the organization conducted a thorough risk assessment? Has the organization purchased or considered purchasing cyber liability insurance?
Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover.
The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. As such, boards, alongside the company’s management team, need to conduct a cyber risk assessment and identify potential gaps. From there, organizations can work with their insurance broker to customize a policy that meets their specific needs.
Asking thoughtful questions can help boards better understand the strategies management uses to prevent, detect and respond to data breaches. When it comes to cyber threats, organizations need to be diligent and thorough in their risk prevention tactics, and boards can help move the cyber conversation in the right direction.
Cyber exposures impact organizations from top to bottom, and all team members play a role in maintaining a secure environment. However, managing personnel and technology can be a challenge, particularly for organizations that don’t know where to start.
That’s where Scurich Insurance can help. Contact us today to learn more about cyber risk mitigation strategies you can implement today to secure your business.
Read more
No industry is exempt from cyber crime, and the real estate industry has become a common target. As hackers devise plans to obtain sensitive information about real estate transactions, real estate professionals need to take particular interest in cyber security to protect their clients and themselves from wire fraud.
What is Wire Fraud?
In instances of wire fraud, a common ploy involves hackers breaking into a real estate agent’s email account to obtain details about upcoming transactions. Once the hackers have all the information they need, they send an email to the buyer, pretending to be the agent or a representative of the title company.
In an email to the buyer, the hackers state that there has been a change in the closing instructions and that the buyer needs to follow new wire instructions listed in the email. If a buyer falls victim to the scam and wires money to the fraudulent account, they’re unlikely to see the money again.
Red Flags
A potential indicator of wire fraud is an email that makes any reference to a Society for Worldwide Interbank Financial Telecommunication (SWIFT) wire transfer, which is sent via the SWIFT international payment network and indicates an overseas destination for the funds.
However, since the emails tend to include detailed information pertaining to the transaction—due to the perpetrator having access to the agent’s email account—many people make the mistake of assuming the email is from a legitimate source. The email addresses often appear to be legitimate, either because the hacker has managed to create a fake email account using the name of the real estate company or because they’ve hacked the agent’s actual email account.
How to Avoid It
Wire fraud is one of many types of online fraud targeting real estate professionals and their clients. To prevent cyber crime from occurring, every party involved in a real estate transaction needs to implement and follow a series of security measures that include the following:
- Never send wire transfer information, or any type of sensitive information, via email. This includes all types of financial information, not just wire instructions.
- If you’re a real estate professional, inform clients about your email and communication practices, and explain that you will never expect them to send sensitive information via email.
- If wiring funds, first contact the recipient using a verified phone number to confirm that the wiring information is accurate. The phone number should be obtained by a reliable source—email is not one of them.
- If email is the only method available for sending information about a transaction, make sure it is encrypted.
- Delete old emails regularly, as they may reveal information that hackers can use.
- Change usernames and passwords on a regular basis, and make sure that they’re difficult to guess.
- Make sure anti-virus technology is up to date, and that firewalls are installed and working.
- Never open suspicious emails. If the email has already been opened, never click on any links in the email, open any attachments or reply to the email.
If You’ve Been Hacked
Take the following steps if you suspect that your email, or any type of account, has been hacked:
- Immediately change all usernames and passwords associated with any account that may have been compromised.
- Contact anyone who may have been exposed to the attack so they too can change their usernames and passwords. Remind them to avoid complying with any requests for financial information that come from an unverified source.
- Report fraudulent activity to the FBI via the Internet Crime Complaint Center at www.ic3.gov/default.aspx. Also contact the state or local realtor association, which will alert others to the suspicious activity.
Contact Scurich Insurance today for more information on avoiding real estate fraud and other types of cyber crime.
Read more
