Despite increasing awareness of security threats, the real estate industry still suffered a staggering $396M+ in adjusted losses in 2022 as a result of business email compromise (BEC) scams, according to the FBI’s Internet Crime Complaint Center (IC3). The title industry, in particular, continues to face an increase in threats from cybercrime. With more of the closing process quickly becoming digitized and fraud attempts consistently on the rise, title & escrow companies need to stay up to date on the ways they can combat the persistent risks to data security.

Last year, we published a variety of security measures title companies could deploy to help protect themselves from security threats. This year, we’re updating our guidance to capture more of the tools available to help safeguard your data and protect your business and customers as instances of data compromise and wire fraud continue to rise (and the methods bad actors use evolve). While well-detailed security procedures are a must for businesses of all sizes, there are a number of tactics you can quickly implement to help mitigate the risk of a damaging attack. 

The best practices outlined below will help you educate your employees and clients on the risks inherent in real estate transactions, shore up vendor security, and bolster the security of the systems you use daily.

Leverage your software provider’s security features

Businesses of all sizes can and should work with technology partners that uphold the highest standards for data security. Software providers that meet acceptable security benchmarks will offer features to help your business build better safeguards for your organization. However, having these features available isn’t enough; you have to use them and encourage your teams to do so as well. Below are some actions you can take and features you can deploy to immediately reinforce your company’s data security.

Use password managers

Setting up unique, secure passwords for every application, website, and portal that requires login credentials is one of the most basic security tenets. The same password should never be used twice, and passwords should be long (8+ characters) and complex (using a mix of lowercase, uppercase, numeric, and/or special characters).

Password managers, like BitWarden and 1Password, can be used to generate and store passwords in a secure online vault to help you and your team easily keep track of login information across multiple systems. Password managers can also boost productivity by automatically filling out password fields for each site you visit.

Encourage two-factor authentication (2FA) or multi-factor authentication (MFA)

2FA (also referred to as Multi-Factor Authentication [MFA]) strengthens access security by requiring two methods to verify your identity; the first method being the password you enter at login, and the second being a code that you receive through a secure source. 2FA is critical to data security because it adds an additional layer to logins that has been proven to stop attackers, even if a user’s username and password have been compromised. Recent research from Microsoft shows that 2FA blocks more than 99.9% of account hacks.

How it works

  • Jane Doe enters her username and password into the main login page
  • A unique six-digit code is sent to Jane Doe’s trusted device (i.e., her cell phone)
  • Jane Doe retrieves the code and enters it where prompted on the login screen
  • Jane Doe gains access to the system

2FA codes can be sent via SMS text message or retrieved from an authenticator app, like Google Authenticator. When deciding which method to use, keep in mind that authenticator apps have the added benefit of working even if you don’t have phone service. If your service provider experiences an outage or you’re traveling internationally and don’t have the ability to receive texts, you’ll still be able to log into your system via an authenticator app.

Limit access to nonpublic information (NPI)

Limiting the number of people who have access to NPI is one of the surest ways to safeguard data. A recent survey performed by AT&T reported that 56% of security professionals say insider threats have become more frequent in the last 12 months. Configure your system to only allow users access to the information they need to perform their job function, ensure that these permissions are regularly reviewed and kept up to date, and regularly review audit logs for unusual activity.

Establish Allowed IPs

IP addresses are identifiers that allow information to be sent between devices on a network. They contain location information and make devices accessible for communication. Setting up Allowed IPs gives you the ability to dictate specific IP addresses or IP ranges from which users can access your system. This prevents an unknown device from accessing the system to retrieve sensitive information.

(Qualia users who want to turn on these features can find step-by-step instructions for enabling 2FA and Allowed IPs in the Qualia Knowledge Base.)

Configure a Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is a technique that helps prevent criminals from using your domain to send spoofed emails to your partners and customers. An SPF record lets you specify which IP addresses are authorized to send email from your business domain. Online tools can be used to determine whether your email domain has a correctly configured SPF record.
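The kind of check such a tool performs can be run offline. This added example (not from the original article) lints a domain's TXT records for common SPF misconfigurations; the sample records, domain names and the `lint_spf` helper are constructed for illustration.

```python
# Terms that each cost the receiver one DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample TXT record sets; domains are placeholders.
SAMPLES = {
    "good": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all"],
    "open": ["v=spf1 include:_spf.mailvendor.example +all"],
    "duplicate": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.10 ~all"],
    "missing": ["site-verification=constructed-token"],
    "heavy": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}


def lint_spf(txt_records):
    """Return a list of findings for one domain's TXT records (empty = clean)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple v=spf1 records: receivers return a permanent error"]

    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in spf[0].lower().split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        name = term.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0]
        lookups += name in LOOKUP_TERMS
        if name == "all":
            all_qualifier = qualifier
        elif name == "redirect":
            has_redirect = True
        elif name == "ptr":
            findings.append("ptr mechanism is discouraged by RFC 7208")

    if all_qualifier == "+":
        findings.append("+all authorizes any host to send as this domain")
    elif all_qualifier == "?":
        findings.append("?all is neutral, so spoofed mail is not flagged")
    elif all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    # Only this record's own terms are counted; resolving nested includes
    # over DNS can add more lookups.
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings
```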

Review security activity for discrepancies

Regularly monitoring recent security activity can help identify suspicious activity when it happens. Security logs can help you to see:

  • Logins to your account
  • Password changes
  • Email changes
  • If 2FA/MFA is active on a user’s account
  • If 2FA/MFA has been enabled or disabled
  • When users have been removed from the system

If an action on the security log seems outside of the ordinary, investigate immediately to confirm that your data is not at risk. If a bad actor has gained access to your system, take the necessary steps to mitigate the damage. The ALTA Cybersecurity Incident Response Plan details actions you can take.
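An added example, not part of the original article or any Qualia feature, that combines the Allowed IPs idea with security-log review: it flags activity from outside the allowed ranges, 2FA being disabled, and a password change paired closely with an email change. The event fields, addresses and 15-minute window are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed allowlist: an office range and a VPN egress address (documentation IPs).
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.7/32")]

# Constructed sample events (time, user, action, source IP); the field layout
# is hypothetical, not a vendor log schema.
EVENTS = [
    ("2024-03-04T09:01:12", "jdoe", "login", "203.0.113.5"),
    ("2024-03-04T09:40:03", "asmith", "login", "198.51.100.7"),
    ("2024-03-05T02:13:44", "jdoe", "login", "192.0.2.77"),
    ("2024-03-05T02:15:10", "jdoe", "mfa_disabled", "192.0.2.77"),
    ("2024-03-05T02:16:31", "jdoe", "password_change", "192.0.2.77"),
    ("2024-03-05T02:17:02", "jdoe", "email_change", "192.0.2.77"),
    ("2024-03-06T10:00:00", "asmith", "password_change", "198.51.100.7"),
]


def ip_allowed(ip: str) -> bool:
    """True if the address falls inside any allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED)


def review(events, window=timedelta(minutes=15)):
    """Return (timestamp, user, reason) alerts for events worth investigating."""
    alerts, last_sensitive = [], {}
    for ts, user, action, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        if not ip_allowed(ip):
            alerts.append((ts, user, f"{action} from non-allowed IP {ip}"))
        if action == "mfa_disabled":
            alerts.append((ts, user, "2FA/MFA disabled"))
        if action in ("password_change", "email_change"):
            # Credential and contact address changed back to back by one user.
            prev = last_sensitive.get(user)
            if prev and prev[1] != action and when - prev[0] <= window:
                alerts.append((ts, user, f"{prev[1]} then {action} within {window}"))
            last_sensitive[user] = (when, action)
    return alerts


if __name__ == "__main__":
    for alert in review(EVENTS):
        print(*alert, sep=" | ")
```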

Raise user awareness for employees and clients

The majority of cyberattacks are carried out using social engineering tactics that trick victims into sending sensitive information or clicking on malicious links that will infect their network or device. Typically, a criminal disguises themselves as a trusted contact to lure someone into completing a desired action. This is why it’s important for real estate professionals to understand security basics and what different scams may look like. 

Providing staff with adequate security training is a critical baseline; however, it’s also important to create a culture of security that motivates teams to make daily security habits part of their DNA. This will make every team member accountable for the security of the entire organization. 

It’s equally important to educate consumers on the cybersecurity issues plaguing the industry. Homebuyers are often unaware of wire fraud threats and are not familiar with what these types of attacks may look like. Real estate professionals can act as advisors to help educate homebuyers on how to spot potential wire fraud attempts. Placing a warning about the dangers of cybercrime in email signatures or including information about the threat of wire fraud in closing instructions can help promote awareness and the need for vigilance.

Ensure vendors meet your security standards

The security of your vendors is also critical for protecting client information and your business—when one transaction member is exposed, everyone is vulnerable. 

It’s important to remember that every vendor your agency implements is an extension of your brand and customer experience. As such, you should carefully review their privacy policies and ensure that their practices adhere to your agency’s security standards.

When vetting vendors:

  • Research what security measures the vendor has in place to protect their customers’ data. Look on their website or in their privacy policy to find this information
  • Seek to understand what security features the vendor offers to help you protect your company and your customers’ information
  • Check reviews and ratings to see what the vendor’s customers have to say about their security practices and offerings

Thoroughly vetting vendors for robust security practices is such an important aspect of protecting your business that ALTA includes it as a key component of ALTA Best Practices Pillars 3 and 4. Check out our webinar with ALTA’s Product Director, Steve Gold, to learn more about implementing ALTA Best Practices 4.0 into your daily operations. 

Looking for vendors that are SOC 2 Type 2 compliant and ISO 27001 certified is also a good way of identifying that a software partner upholds high standards of security and has demonstrated they take appropriate measures to safeguard valuable data.

Secure your business through technology

Fraudsters are leveraging the latest technology. You should be too. 

The right software will offer powerful security features and an intuitive user design to make fraud prevention and data protection an integrated part of your system. But remember, it’s not enough to have these features available in your system; you need to use them consistently in your daily operations.
