It is disheartening, but this column yet again has to address the very real threats that cyber-attacks and ransomware incidents pose to industries, including the real estate industry, and individuals. Recently there has been a wave of serious cyber and ransomware attacks against well-known companies, such as Rapattoni, one of the largest national companies providing hosting services to more than 100 multiple listing services (MLSs), as well as hotels and casinos, notably Caesars and the MGM Grand in Las Vegas [see https://bit.ly/3LoiFTO].
A few weeks ago, it was also reported that another individual in New York City lost $746,000 in connection with a real estate purchase when she was “duped” into wiring funds to a cybercriminal who hacked into her attorney’s e-mail account. When these attacks occur, the FBI and local law enforcement usually become involved immediately. These attacks result in billions of dollars of losses each year. In connection with ransomware attacks, companies are often forced to pay these criminals substantial amounts in ransom in order to regain access to their systems. On the other hand, when individuals are targeted, many times these individuals lose their entire life savings.
The Attack on Rapattoni
On Aug. 8, Rapattoni suffered a cyber-attack which sent shockwaves throughout the real estate industry. While the extent or economic effects of the attack may not be known precisely, many MLSs throughout the country, including the real estate agents and brokerage firms who rely on them, were severely affected and the economic costs will certainly be extensive.
As reported by journalist Mathew J. Schwartz [see https://bit.ly/44NIbss] “Real estate agents’ ability to list or update property information has been compromised by an attack on…Rapattoni….” Schwartz explained that “Multiple regional MLS providers rely on Rapattoni’s services to identify new properties coming on the market, update home listings, and bring together buyers and sellers to facilitate offers and track purchase details, as well as track commissions for listing agents and the agent who secures a sale.” Agents and brokers had to resort to manual processes to update and share listings. It has been reported that the attack on Rapattoni was the “longest-running attack on an MLS.” [See https://bit.ly/3LqwRvw].
Alicia Hope of CPO Magazine [see https://bit.ly/3t0mrfy], reported, “With the cost of a data breach estimated at $4.35 million, cyber-attacks pose an existential threat to most businesses.” She further noted that “the incident shows that cybercriminals are targeting the real estate industry for the vast amount of personal and financial information (including of wealthy individuals) it holds and the cost of disruption or data loss.” She also pointed out that real estate transactions are “lucrative targets for business e-mail compromise and wire fraud.”
The Real Estate Transaction: Wire Fraud is Very Real
On Aug. 26th, Kathianne Boniello of the New York Post reported that an individual in New York City, Leila Meltzer, the victim of a business e-mail compromise (BEC) attack, “lost the bulk of her savings after thieves hacked into her real estate lawyer’s e-mail and duped her into wiring them more than $746,000.” [see https://bit.ly/3Zkco19]. Meltzer, a retired nurse, was in contract to purchase an apartment. She received an e-mail which she thought was from her own attorney. Hackers had accessed her attorney’s e-mail account and instructed Meltzer to wire the balance owed on the transaction to an account controlled by the hackers. Meltzer did not discover that she had been the victim of fraud until two days later, but the funds had already been withdrawn and could not be recovered.
Meltzer reported the incident to the FBI and the NYPD. She also filed a lawsuit against her attorney “alleging the attorney was ‘oblivious to the threat of cybercrime’ and ‘failed to take even the most rudimentary steps to protect Meltzer from cyberfraud.’” Unfortunately, these cyberattacks are all too common, but it is critical that clients are informed about wire fraud and cybersecurity issues.
Taking Important Steps to Notify Clients of Cyber Threats
It is important to discuss the risks associated with cyber threats, wire fraud, BEC attacks, privacy issues, etc. at the very initial stages of representation. It is also recommended that these issues are detailed in writing and provided to the client so that the client is made aware of what to do in instances such as this. Below is language that should be utilized and included on all e-mails sent by attorneys and other professionals:
WARNING: FRAUD ALERT – BEWARE OF CYBER-FRAUD – If you receive an email from this office requesting that you wire or otherwise transfer funds, you must confirm the request and any corresponding instructions via telephone before you initiate any transfer. Hackers are targeting emails of attorneys, real estate brokers and other businesses in attempts to initiate fraudulent wire requests. YOU MUST CONFIRM THE TELEPHONE NUMBER OF THIS OFFICE WITH PREVIOUS EMAILS AND CORRESPONDENCE YOU HAVE RECEIVED FROM THIS OFFICE AND MUST CALL OUR OFFICE IN PERSON TO BE SURE IT IS ACCURATE.
It is also recommended that language be included in engagement letters, retainer agreements or in disclosures that are signed and acknowledged by the clients. Some of the points that should be covered may include the following:
- Highlight that there are high incidents of e-mail fraud and cyber security threats involving hacking and theft of personally identifiable information (e.g., Social Security numbers, bank account numbers and routing information).
- Alert clients that hackers may gain access to your e-mail and/or e-mail system and send false e-mails requesting that funds or other sensitive information be sent to them (posing as you or someone else) via e-mail.
- Inform clients never to do anything without directly speaking with someone at your office.
- Alert clients that you will never send them any e-mails requesting such information without also calling the client directly and confirming such a request personally by telephone after any such e-mail has been sent.
- Most importantly, alert clients NOT to wire any funds to any person or entity without first calling your office to confirm the same and to confirm the bank account and routing information.
- Alert clients that they are to contact the office directly and not through e-mail to confirm whether any instructions received are legitimate.
As noted above, the real estate industry is specifically targeted by these cybercriminals due to the frequent use of wire transfers. Real estate agents and real estate attorneys are particularly vulnerable because the e-mails exchanged between these parties and their clients contain critical information as to when a closing will occur, the amounts that will need to be wired and the location to which the wire transfers are to be made. A cybercriminal will try to gain access to a party’s e-mail account, and once this is accomplished, the criminal will wait for the opportune moment to strike.
2022 FBI IC3 Report on Cyber Crimes
Each year the FBI’s Internet Crime Complaint Center (IC3) issues an in-depth annual report on the state of cyber-criminal activity in the United States and the risks posed by such activity. The FBI’s 2022 IC3 Report [see https://bit.ly/3Rlt4TS] states, “Today’s cyber landscape has provided ample opportunities for criminals and adversaries to target U.S. networks, attack our critical infrastructure, hold our money and data for ransom, facilitate large-scale fraud schemes, and threaten our national security.” While the 2022 IC3 Report indicates that there was a 5% decrease in reported incidents as compared to 2021, the “potential loss has grown from $6.9 billion in 2021 to more than $10.2 billion in 2022.” These totals are certain to increase in 2023. From 2018 to 2022, IC3 received 3.26 million complaints and losses during that time were $27.6 billion.
IC3 Areas of Concern
According to the 2022 IC3 report, the top five cybercrimes involved extortion, phishing, personal data breach, non-payment/non-delivery, and tech support. Incidents of extortion crimes rose significantly in 2022, with 76,741 reported incidents as compared to 39,260 in 2021. This number is expected to increase dramatically in 2023. The 2022 IC3 report also highlighted three areas of concern: Business E-mail Compromise (BEC), Investment and Ransomware.
Business E-mail Compromise (BEC) Threats
In 2022, IC3 received 21,832 complaints relating to BEC scams and losses totaled more than $2.7 billion. According to the IC3, BEC is a “sophisticated scam targeting both businesses and individuals performing transfers of funds. The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” BEC scams commonly target individuals involved in real estate closings. The IC3 Recovery Asset Team (RAT), which assists with all aspects of cybercrimes, offers the following specific guidance to those victims of BEC crimes:
- Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal and a Hold Harmless Letter or Letter of Indemnity.
- File a detailed complaint with www.ic3.gov. It is vital the complaint contain all required data in provided fields, including banking information.
- Visit www.ic3.gov for updated PSAs regarding BEC trends as well as other fraud schemes targeting specific populations, like trends targeting real estate, pre-paid cards, and W-2s, for example.
- Never make any payment changes without verifying the change with the intended recipient; verify e-mail addresses are accurate when checking e-mail on a cell phone or other mobile device.
Ransomware Crimes
The IC3 report explains that “Ransomware is a type of malicious software, or malware, that encrypts data on a computer, making it unusable. In addition to encrypting the network, the cyber-criminal will often steal data off the system and hold that data hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable.” The IC3 notes, “Phishing e-mails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities remained the top initial infection vectors for ransomware incidents reported to the IC3.” In 2022, the IC3 received 2,385 ransomware complaints and 39,416 extortion complaints, which amounted to losses exceeding $34.3 million and $54.3 million, respectively. However, the figures contained in the IC3 report may be well below the actual amounts.
According to a report by Chainalysis [see https://bit.ly/3LqPjnB], ransomware crimes are significantly on the rise in 2023, and “Ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June.” In all of 2022, the figure relating to ransomware attacks was just under $500 million. Chainalysis projects that ransomware attacks will extort close to $900 million if the pace continues, which will be second only to 2021, where the figure totaled nearly $940 million—and, with the recent attacks, the pace does not seem to be slowing.
As we can see from the recent attacks on the Las Vegas casinos that occurred this week and the attack on Rapattoni, the economic effects can be devasting. The IC3 report points out that the “FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.” Although not recommended or ideal, in many cases a ransom is paid in order to regain access.
The IC3 Recovery Asset Team
The FBI strongly recommends that all incidents of cyberattacks should be reported to IC3 so that investigators can assess the attack and obtain critical information which could potentially allow them to track these criminals, hold them accountable, and possibly prevent future attacks. Once these incidents are reported to IC3, the Internet Crime Complaint Center’s Recovery Asset Team (RAT), which was established in 2018, communicates with financial institutions and “assists FBI field offices with the freezing of funds for victims who made transfers to domestic accounts under fraudulent pretenses.” Unfortunately, once the funds are wired to the cybercriminal’s account, it may be difficult or impossible to claw back the funds. However, if the FBI and the banking institution are notified within 24 to 48 hours from the time the funds were wired, the funds may be recoverable. The RAT Team serves as the “liaison” between law enforcement and financial institutions.
Cyber Threats Are Real, Do Not Take Them Lightly!
It is not a question of whether you will be the victim of a cyberattack, but when. The potential for a cyberattack should never be taken lightly. Cyberattacks are very real and all individuals and businesses need to be aware of the dangers and risks. Individuals and companies must take these threats seriously and put in place protections to reduce the risk, although it is impossible to totally eliminate it.
These cyberattacks are very costly. Companies and individuals are also required to spend thousands more to comply with the data breach and notification requirements of state and local laws. It is important for all businesses to look into obtaining cybersecurity insurance coverage as most insurance policies do not cover cyberattacks or the related damages and costs incurred. Appropriate cybersecurity coverage will not only cover the damages incurred, but will also provide coverage for the costs involved to send the required notices under the law, which can be very expensive. Once an attack occurs it is too late. Taking the appropriate measures in advance will go a long way in affording the necessary protections should one occur.
