Real estate wire fraud continues to be one of the most pressing issues facing the industry. The latest reports from the FBI show that losses from real estate wire fraud totaled more than $213 million in 2020.
One may assume that cybercriminals are focusing their attacks on large enterprises where a single successful breach could result in access to thousands of account details. In reality, cybercriminals are increasingly placing their attention on small and medium-sized businesses (SMBs) to quickly access low-hanging fruit. The latest Verizon Data Report which analyzes more than 29,000 security incidents worldwide found that SMBs are targeted slightly more compared to large organizations.
Why are SMBs a Target for Cyber Criminals?
Many smaller title & escrow companies are beginning to utilize digital tools such as email to exchange information between parties. At the same time, these SMB companies are often under-investing in cyber security. Cybercriminals are aware of these vulnerabilities and view SMB title & escrow companies as easy targets for quick grabs.
Additionally, as SMB title & escrow companies transition to digital practices and workflows, there is often a lack of security knowledge among employees that leaves the business vulnerable to social engineering threats such as phishing and business email compromises (BEC). In these types of attacks, cybercriminals often impersonate C-suite executives using nearly-identical email templates and email addresses to convince employees to transfer money into fraudulent accounts. Similarly, a cybercriminal may replicate the company’s email templates to convince homebuyers to wire their funds to fraudulent accounts.
Minutes to Happen, Months to Detect
Verizon’s report indicates that most attacks were conducted in minutes; however, many organizations took months to discover the breach. IBM’s Cost of a Data Breach Study found that US companies take an average of 206 days to detect a breach. According to the study creators, the length of time to identify and contain a data breach directly correlates with the financial losses of the security breach — the longer the discovery timeline, the higher the costs of the security incident.
A separate study which surveyed over 1,300 SMB owners found that 83% of SMBs are not financially equipped to deal with the repercussions of a cyber attack. Costs of a cyberattack include ransom, cost of data, downtime, non-compliance fines, and legal fees — averaging out to nearly $3 million.
What Can Title Companies Do to Arm Themselves Against Cyber Criminals?
Title companies wanting to invest in best-in-class digital security should ask these 7 key due-diligence questions to find the best technology partners.
CERTIFICATIONS AND COMPLIANCE
What to ask: Do you meet ALTA best practices and the highest standards for user data protection and security?
What to listen for: Third-party certifications like ISO 27001 and SOC-2 ensure the technology meets the highest standards for information security and integrity of systems used to process user data.
Datacenter security
What to ask: How and where is the data physically stored?
What to listen for: The provider should use data centers with physical security standards including professional security staff, video surveillance, and intrusion detection systems. Additionally, the data center should have safeguards that protect the data from environmental factors such as fires or other natural disasters, temperature changes, and power outages.
Application security
What to ask: What application frameworks are in place to mitigate software vulnerabilities and how do you test for such vulnerabilities?
What to listen for: The provider should utilize internal testing and third-party evaluations and testing should take place on a regular basis.
Privacy and Service Operations
What to ask: Do you interact with customer data as part of normal operations?
What to listen for: The provider should provide a fully-documented privacy policy that clearly defines what data is collected and how it is used. The policy should include details on authentication, access controls, and data transport.
Administrative control features
What to ask: What administrative control features do you have to maximize security?
What to listen for: Ensure the provider allows for permission setting and other user management abilities to control access to accounting, reporting, and other sensitive information. Two-factor authentication (which requires two forms of authentication to gain access to a system), IP whitelisting (which specifies the IP addresses that are allowed access), password strength requirements, and secure email offer additional protection.
Network Security
What to ask: How is our data managed on the network?
What to listen for: A system with isolated data has a higher degree of security, privacy, and availability. A secure system will use data encryption and secure channels to transmit data. Additionally, managed firewalls prevent spoofing (impersonation of a device or user on a network to steal data, spread malware, or bypass controls) on the network.
Logging, Monitoring, and Response
What to ask: How do you log and respond to security events?
What to listen for: Security logs should be actively monitored and maintained in a centralized space for at least one year. Identified security incidents should be treated with priority until resolved.
No Business is Too Small or Too Large for a Data Breach
At the end of the day, cybercriminals do not discriminate based on the size of a business. Every business must be effectively equipped to minimize the risk of a security breach. This goes beyond leveraging best-in-class software partners and into the very culture of an organization. Educating employees on cyber security risks and encouraging daily practices that emphasize security standards can help minimize risk and pull everyone up in the organization to be preventers and detectors of security incidents.
Interested in learning more about daily practices that can help minimize your business’s risk of a security incident? Read our Daily Security Checklist for Wire Fraud Prevention.