Commercial Magazine

Cracks in the Cybersecurity Foundation

Be prepared for hackers who will exploit any vulnerability

By Jeffrey Bernstein

Recent high-profile cybersecurity attacks, including the hacking last year of Fidelity National Financial Corp. and First American Financial Corp., continue to plague the commercial real estate industry with financial losses, productivity problems and brand damage. The attacks are costly and can erode confidence in the banking and commercial real estate systems.

Last November, Fidelity National, the largest title insurance company in the U.S., fell victim to a cyberattack that resulted in data possibly being compromised for more than 1 million clients. First American, the nation’s second-largest title insurer, was attacked in December, only a month after the New York Department of Financial Services reached a $1 million settlement with the company over an earlier cyber breach. The settlement stemmed from a 2019 data leak at First American that exposed 885 million records.

Another recent cyberattack hit the U.S. arm of the Industrial and Commercial Bank of China Limited (ICBC), the world’s largest lender by assets. The bank’s U.S. unit was hit by ransomware. The attack reportedly disrupted trading in the U.S. Treasury market and left the unit temporarily owing Bank of New York Mellon $9 billion, an amount many times larger than its net capital.

Unfortunately, the cybersecurity issues impacting the real estate and financial services industries are not confined to isolated incidents. They represent a systemic vulnerability demanding top executive support, urgent attention and collective action.

Staggering scale

While headline-grabbing data breaches compromise sensitive information and create new avenues for fraud and identity theft, business email compromise (BEC) frauds operate on a more insidious level. They infiltrate communication channels and manipulate unsuspecting victims into transferring funds directly. These scams often impersonate trusted parties such as real estate agents, lawyers or lenders, tricking individuals into wiring closing costs, earnest money deposits or even mortgage payments to fraudulent accounts.


The scale of this criminal enterprise is staggering. The FBI’s Internet Crime Complaint Center reported that losses from BEC attacks, which include real estate wire fraud, exceeded $2.4 billion in 2021 alone, highlighting the widespread reach and devastating impact of these attacks.

Anyone can be susceptible to BEC scams, from individuals to cities. In 2022, a California couple lost their dream home after a BEC scam tricked them into sending the down payment to a fraudulent account. The author of the fake email, posing as the seller’s lawyer, convinced the couple to expedite the transfer, resulting in a devastating financial loss.

Last September, the City of Fort Lauderdale lost $1.2 million in a phishing scam. City officials believed they were making a payment to a construction company building a new police station. But the emails, documentation and paperwork all came from thieves.  

These cases are simply the tip of the iceberg. Hackers know the significant value of real estate investments, and they target all parties in real estate transactions either to divert funds, misdirect proceeds, or steal valuable information.

Web of regulations

Service providers and lenders for commercial and residential real estate operate within a complex web of regulations that define their data security posture and privacy practices. The key federal law is the Gramm-Leach-Bliley Act (GLBA).

Through its Safeguards Rule, the act mandates that financial institutions implement reasonable safeguards to protect customer data. While it does not explicitly address business email compromise scams, the act’s broad security requirements extend to protecting email communication and wiring instructions. The Federal Trade Commission (FTC), which enforces the Safeguards Rule for non-bank financial institutions such as mortgage brokers, also publishes guidance on BEC scams and pursues investigations and enforcement actions against them.

State-specific regulations add another layer of complexity. In Florida, for example, the Florida Security Breach Notification Act requires companies experiencing breaches affecting personal information to notify affected individuals and state authorities. This applies to email compromise incidents that expose sensitive data.

Another Sunshine State law, the Florida Data Privacy Act, takes effect this July. It grants Florida residents certain rights regarding their personal data, including the right to access, correct and delete such data. While it does not directly address BEC scams, the act emphasizes consumer control over personal information and fosters a data security-conscious environment.

Wall of defense

In this precarious environment, a comprehensive cyber resilience and incident response program is paramount for real estate lenders and service providers. Such a program should include the following areas:

Cybersecurity awareness training: Educating employees and partners to identify and report suspicious emails, phishing attempts and social engineering tactics is the first line of defense against both data breaches and BEC attacks. Tabletop exercises also go a long way toward showing whether policies are working and how effectively staff will react to a cyber incident.

Email authentication protocols: Publishing Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records for the firm’s domains lets receiving mail servers verify that a message really came from that domain and was not altered in transit, making it harder for scammers to spoof legitimate parties. Two caveats matter in practice: DMARC only blocks spoofed mail once the policy is set to quarantine or reject (a monitoring-only p=none policy reports abuse but does not stop it), and none of these protocols help against a lookalike domain the attacker registers or a legitimate mailbox the attacker has taken over. Wiring instructions should therefore always be confirmed by telephone using a number obtained independently of the email.

Multi-factor authentication: Requiring this for email, financial accounts and sensitive data adds an extra layer of security, making it more challenging for attackers to gain unauthorized access even if they obtain login credentials. Because many BEC campaigns begin with a mailbox takeover, and modern phishing kits can relay one-time codes in real time, phishing-resistant methods such as FIDO2 security keys are preferable to SMS or app-generated codes for mailbox and banking access.
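The following Python script is an added example, not code from the article or from the author’s firm. It evaluates DMARC the way a receiving mail server does: look up the domain’s policy record, check whether a passing SPF or DKIM result is aligned with the domain the recipient sees in the From header, and apply the published policy. It also runs a lookalike-domain check, because DMARC only authenticates the From domain and an attacker who registers a similar domain passes every check for that domain. All domains, DNS records, trusted counterparties and authentication results below are constructed; a real implementation queries DNS and computes the SPF and DKIM results itself.

```python
"""DMARC evaluation plus a lookalike-domain check for inbound mail.
Added example, not code from the article or Kaufman Rossin; every domain,
DNS record and message result below is constructed for illustration."""
from dataclasses import dataclass

# Constructed TXT records, as a domain owner would publish them in DNS.
DNS_TXT = {
    "example-title.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_dmarc.example-title.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-title.com",
    # Monitoring-only policy: the owner gets reports, but receivers still deliver spoofs.
    "_dmarc.example-lender.com": "v=DMARC1; p=none; rua=mailto:reports@example-lender.com",
}
TRUSTED_DOMAINS = ["example-title.com", "example-lender.com"]  # counterparties we pay (constructed)

@dataclass
class AuthResults:
    """Per-message results a receiving MTA computes (cf. the Authentication-Results header)."""
    from_domain: str   # domain of the RFC5322.From header the user actually sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # MAIL FROM (envelope) domain SPF was checked against
    dkim_result: str
    dkim_domain: str   # d= tag of the signature that verified

def parse_tags(record):
    """Parse a 'k=v; k=v' DMARC tag list into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(r, dns=DNS_TXT):
    """Return (disposition, reason); disposition is 'pass', 'none', 'quarantine' or 'reject'."""
    fd = r.from_domain.lower()
    tags = parse_tags(dns.get(f"_dmarc.{fd}", ""))
    if not tags:  # subdomain without its own record: use the org domain's record, honouring sp=
        tags = parse_tags(dns.get(f"_dmarc.{org_domain(fd)}", ""))
        tags["p"] = tags.get("sp", tags.get("p", "none"))
    if tags.get("v") != "DMARC1":
        return "none", "no DMARC record; spoofed and legitimate mail are indistinguishable"
    # RFC 7489 defaults: both alignment modes are relaxed unless the record says otherwise.
    spf_ok = r.spf_result == "pass" and aligned(fd, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(fd, r.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("DKIM" if dkim_ok else "SPF") + " authentication"
    policy = tags.get("p", "none")
    if policy == "none":
        return "none", "DMARC failed, but p=none asks receivers only to report"
    return policy, f"DMARC failed; domain owner requests {policy}"

def edit_distance(a, b):
    """Levenshtein distance, enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Trusted domain this one imitates, or None; an exact match is not a lookalike."""
    d = domain.lower()
    return next((t for t in trusted if d != t and edit_distance(d, t) <= max_distance), None)

def triage(r):
    """One verdict for a message carrying payment instructions: DMARC policy first, then lookalikes."""
    disposition, _ = evaluate_dmarc(r)
    if disposition in ("quarantine", "reject"):
        return disposition
    target = lookalike_of(r.from_domain)
    if target:
        return f"quarantine: {r.from_domain} resembles trusted {target}"
    return "deliver" if disposition == "pass" else "deliver-unauthenticated"

# Constructed messages. The spoofs pass SPF for the attacker's own envelope domain,
# which is exactly why DMARC demands alignment with the From domain the user sees.
SAMPLES = {
    "legit": AuthResults("example-title.com", "pass", "example-title.com", "pass", "example-title.com"),
    "spoof": AuthResults("example-title.com", "pass", "attacker.example", "none", ""),
    "spoof_lender": AuthResults("example-lender.com", "pass", "attacker.example", "none", ""),
    # Parent-domain DKIM key used on a subdomain: fails the strict adkim=s above.
    "subdomain": AuthResults("billing.example-title.com", "none", "", "pass", "example-title.com"),
    # Registered lookalike with no record to fail: only the similarity check catches it.
    "lookalike": AuthResults("examp1e-title.com", "pass", "examp1e-title.com", "none", ""),
}
```

Running `triage` over the samples shows the three outcomes a practitioner should expect. The spoof of the title company is rejected because its record says p=reject; the identical spoof of the lender is delivered, because p=none only asks receivers to send reports. The subdomain message is rejected even though its DKIM signature is genuine, a common self-inflicted outage when a domain moves to strict alignment without signing with a subdomain key, and the registered lookalike passes DMARC with nothing to fail, which is why the similarity check against known counterparties, and ultimately an out-of-band phone call, still has to exist.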

Robust security

There also are a variety of proactive security plans that companies should put in place before they are confronted with a cyberattack. Here are some steps to take:

Response plan: Having a documented plan outlining steps to take in case of a breach or BEC attack is crucial for minimizing damage and expediting recovery. The plan should include notification procedures, communication protocols and a collaboration strategy with law enforcement.

Cyberthreat intelligence: It is crucial to stay informed about evolving cyberthreats through security advisories and industry alerts. Such research can help a company anticipate and proactively mitigate vulnerabilities.

Test security: Perform vulnerability scans and penetration tests regularly. They identify vulnerabilities, flaws and other deficiencies in a firm’s networks, systems, applications, devices and facilities, and retesting confirms that the fixes actually closed them.

Outside assistance: Employ an experienced internal resource or engage an outside team of cybersecurity professionals. They will assist when the inevitable cybersecurity incidents occur and position an organization to investigate and respond to them quickly.

Beyond prevention

The fight against BEC scams and data breaches cannot be won solely through prevention. Effective clawback mechanisms are crucial to regaining funds diverted through BEC frauds, but victims must act quickly — often within 12 to 24 hours — or the funds may be lost forever. In the U.S., that means calling the originating bank at once to request a recall and filing a complaint with the FBI’s Internet Crime Complaint Center (IC3), whose Recovery Asset Team can attempt to freeze domestic wires through the Financial Fraud Kill Chain.


While laws and guidance, including Article 4A of the Uniform Commercial Code (which allocates the loss from an unauthorized wire transfer according to whether the bank’s security procedures were commercially reasonable and were followed) and the Federal Financial Institutions Examination Council’s authentication guidance, impose some security obligations on financial institutions, getting money back is often a difficult task. That is why companies also need comprehensive data breach, data loss and cybersecurity insurance policies. Check that a policy covers social engineering and funds-transfer fraud, which many cyber policies exclude or cap at a low sub-limit, and that it covers the cost of complying with state regulations that require notifying clients of a data breach involving personally identifiable information.

● ● ●

For lenders or commercial real estate originators who think their organizations are too small to be on the radar screen of these attackers, think again. Cybercriminals don’t discriminate by the size of their targets. According to a recent report from the email security company Barracuda Networks, the smaller the organization, the more likely its employees are to be targeted.

In fact, the average employee at a small business with fewer than 100 employees receives 350% more social engineering attacks than an employee of a larger enterprise. Small- to medium-sized businesses are an attractive target for cybercriminals because, collectively, they have substantial economic value and often lack security resources or expertise.

So, what can commercial real estate businesses do? The best thing is to prepare for and prevent a data breach or fraud. The second-best thing to do is to minimize or mitigate its impact. Plan for the worst and hope for the best while engaging a trusted cybersecurity professional or team of professionals to be on standby… just in case.


Jeffrey Bernstein is the director of cybersecurity and compliance advisory services for Kaufman Rossin’s risk advisory consulting practice. Kaufman Rossin is a certified public accounting firm that provides professional services to businesses, organizations, institutions and their leaders. Bernstein advises clients in highly regulated industries on the protection and compliance of their networks, applications, systems, data, devices, people and property. Follow him on Twitter @Jeff_Bernstein1.
