As artificial intelligence (AI) propels the cybersecurity landscape into uncharted territories, the frequency and complexity of cyber attacks are escalating at an unprecedented rate.
Qualia’s 2024 survey found that 21% of title & escrow companies have been the target of 20 or more cyber attacks in the past 12 months. This already-high figure is expected to grow; a striking 93% of security leaders from across industries predict that businesses will face daily cyber attacks by 2025.
Despite this looming reality, many title & escrow companies continue to rely on outdated methods to protect their businesses, including one-time security training sessions and set-and-forget processes. This approach leaves them vulnerable in an era where cybercriminals have growing access to tools that make cyber attacks easier and more cost-effective than ever.
As the threat landscape evolves and attacks become a daily reality, ensuring that security is top of mind for all employees is essential.
How AI is changing the threat landscape
AI advancements are making it easier than ever for cybercriminals to carry out a variety of attacks with increasing speed and sophistication at scale. There are three primary ways AI is changing the threat landscape.
1) AI increases the speed and scale of attacks
AI algorithms can analyze data and identify patterns to create personalized and targeted attacks. This enhances cybercriminals’ abilities to orchestrate highly targeted phishing campaigns quickly and at scale.
With these augmented capabilities, cyber attacks are easier and cheaper to carry out. This means cybercriminals are casting a wider net and targeting businesses of all sizes rather than only the enterprise companies with bigger payouts. Qualia’s 2024 survey found that 98% of title & escrow businesses have experienced the same or increased number of cyber attacks over the past year.
2) AI makes fraudulent communication harder to detect
Previously, phishing attempts and Business Email Compromise (BEC) scams were characterized by improper grammar and spelling. Now, AI enables attackers to craft convincing messages without these errors, eliminating red flags that could have exposed the scam.
For example, in April, the American Land Title Association (ALTA) issued an alert about a spoofed email appearing to come from ALTA President Don Kennedy (pictured below). Before AI, a recipient may have been able to detect that the email was fraudulent by spotting spelling or grammar errors, but this email appeared professional and in line with ALTA’s tone and company voice.
3) Advancements in AI are enabling more sophisticated deepfakes
With deepfake technology, cybercriminals use AI-powered voice and video cloning methods to impersonate a trusted individual (a family member, co-worker, boss, etc.) and manipulate video or audio to deceive victims into sharing sensitive information. As AI technology advances, deepfakes are increasingly easier to create and more realistic.
During Qualia’s 2024 Future of Real Estate Summit (FORES24), speaker Victor Kabedon, Co-founder & CTO of Truework, described an incident involving deepfake technology. A VP at Kabedon’s firm received a phone call from someone the VP thought was his mother. The VP’s “mother” told him that she was in danger and needed him to provide his username and password to the individuals holding her hostage. In actuality, a criminal in Malaysia had copied the mother’s voice and used it to deceive the VP. “It’s very scary how quickly someone can copy another person’s voice,” Kabdebon warned. Luckily, this incident did not result in financial losses because the VP contacted Kabdebon’s team before reacting.
Ultimately, attacks will vary and continue to change as technology like AI enables new capabilities. Still, most will involve penetrating people in your organization to gain access to systems or redirect funds to fraudulent accounts. This means your people are your first line of defense from attackers.
The current state of cybersecurity awareness and training in title & escrow
Qualia’s survey of title and escrow professionals found that less than half (45%) of respondents receive cybersecurity training upon new hire. Meanwhile, only one-third receive cybersecurity training at least quarterly, and only 15% receive it weekly.
While one-time or bi-annual cybersecurity training may have been sufficient in the past, teams now need always-on security training that happens upon new hire and at least quarterly to stay on top of the fast-changing threat landscape.
It’s also imperative that all transaction partners are in the loop regarding evolving threats and attacks during the closing process. Real estate agents, in particular, who most often guide homebuyers through the closing process, should be updated regularly on new threats and schemes impacting the closing.
Qualia’s aforementioned survey found that 97% of title and escrow professionals said they warn homebuyers and sellers about the risks of cybercrimes during the closing process; however, only 45% of respondents said they train real estate agents on cybersecurity. By offering regular training, memos, and security alerts to real estate agents, title & escrow companies can better protect homebuyers from potential threats.
Tips for creating a culture of cybersecurity
Building a security culture — where everyone in the organization at all levels is aware and hypervigilant about the potential of an attack — is paramount, but this is not an easy task. Below are six tips for promoting a culture of cybersecurity in your organization.
1) Appoint a “security officer”
A secure operation relies on everyone in your organization, but it’s essential to have one person who is ultimately responsible for security. In larger organizations, this may mean hiring a full-time security officer. For smaller businesses, which may not have a dedicated security team, it’s still important to designate one individual as the “security officer,” even if it isn’t their full-time role.
This person will have the explicit responsibility of regularly assessing the company’s security processes and technology against best practices, meeting with other industry leaders to understand the threat landscape, and implementing a wire fraud response plan and a written information security plan (WISP) that outlines the organization’s information security measures and protocols.
2) Train and retrain staff regularly
To keep up with evolving fraud vectors, it’s imperative that cybersecurity training is ongoing and frequent. Training can be a mix of both formal and informal modalities. For example, you might require employees to take a cybersecurity course with an instructor once a quarter and also mix in weekly informal updates, using internal channels to share examples of phishing attempts that happened inside the company or attacks that happened outside the company. Some companies also conduct internal phishing tests to help employees understand what a real attack might look like.
In addition to regular training, it’s also important to refresh materials often. For example, training materials to spot phishing emails in the past may have instructed employees to look for spelling and grammar issues. Now, with AI, these errors are less likely, so you might update materials and train staff to look for things like:
- The sender’s email not matching what’s expected
- The email body including some sort of appeal to authority or a sense of urgency
- The inclusion of unexpected attachments or links
3) Make it easy for employees to act in a secure way
Employ the latest technology and security features across the organization so that employees are automatically required to follow the latest policies. For example:
- Rather than recommending employees use a password manager, require its use and encourage employees to create strong, unique passwords.
- Instead of allowing employees to toggle on multi-factor authentication (MFA), use admin controls to require MFA across your company’s systems and applications.
- Limit permissions so employees can only access the data and functionality necessary to do their job.
4) Encourage openness and incident sharing
Ask staff to broadcast suspicious emails, phone calls, and SMS messages on internal channels so that other people in the organization can look for similar communication in their inbox. Remind staff that even false positives (broadcasting a suspicious message that ends up being legitimate) are okay and are better than false negatives (not broadcasting a suspicious message that ends up being malicious).
You can also use internal channels like company listservs, Slack, or your company’s intranet to share information about cybersecurity incidents happening in the industry, the latest news about cyber attacks, and insights from cybersecurity experts.
5) Act transparently when an incident occurs
If a successful attack occurs inside your organization, make sure everyone is aware of how the incident happened and the steps being taken to mitigate it and prevent future similar scenarios. The purpose of these updates should never be to attribute blame to an individual but rather to identify what the organization can do better next time.
You might also consider using red teams to conduct “attacks” internally and spot vulnerabilities in your system and people before a criminal does. When a red team attack is carried out, if someone falls victim, use the case as an opportunity to educate staff and open up dialogue about how processes could be improved.
6) Guide buyers to operate securely
Embed education into your workflows and processes and use every opportunity to remind transaction parties about wire fraud and best practices for mitigating risk. Use specific, real-world examples where possible to show clients how fraud might transpire and encourage clients to take additional steps to verify information during high-risk moments, such as when they are wiring funds.
Providing clients with tools such as a secure client communication portal also makes it easy for them to act securely.
Your people are only part of your cyber defenses
Your people are your frontline defense against cybercrime, but your processes and technology are equally important in fortifying your business against rising threats. With Qualia, you don’t have to rely on your employees, partners, and clients having their best day every day to protect your business from rising cyber threats. We offer built-in wire fraud education, risk assessment reviews, and more security features across our product ecosystem.
To learn more about Qualia’s commitment to security, visit our Trust Center.