The threat cyber criminals pose to real estate agents – and specifically their inboxes – has come up in a lot of recent conversations within the real estate and title insurance world lately. Wire fraud scams have cost the industry millions, if not billions, over the past decade or so.
At Federal Title, we’ve received several phony emails supposedly from real estate agents, asking us to wire funds to a particular account. We’ve read about these scams happening in other parts of the country as well.
Our staff is trained to spot these fake emails. We also make phone calls to agents, lenders, buyers and sellers to ensure the funds are going where they are supposed to go because we take our clients’ privacy and security very seriously.
But in the interest of cyber security for all, we can recommend a few apps that we think are essential for better inbox protection. These services are free to use and go a long way toward protecting sensitive information, such as the kind that is exchanged throughout the homebuying process.
First and foremost, make sure you’re sending sensitive information through encrypted email. Most email by default is transmitted in the clear or encrypted after it is sent to the email provider’s server, which means it’s possible for emails to be intercepted. Sending emails over free and public WiFi networks, such as in a coffee shop, makes the contents of one’s emails particularly vulnerable.
When it comes to buying or selling homes, it’s necessary to report personal information such as social security numbers, salary history, alimony payments, wage garnishments, etc. Your real estate agent and lender as well as third parties like the title company are legally required to maintain confidentiality, but a rogue party like a cyber-criminal is not.
ProtonMail, a free and open-source end-to-end encrypted email service that was originally created for researchers at the European Organization for Nuclear Research (also known as CERN in Switzerland) offers a more secure solution. Available as a webmail client or via the iOS / Android app, ProtonMail allows the user to encrypt email contents and data before they are sent to the ProtonMail servers.
With the click of a button, a user can enable to the encryption feature on ProtonMail and set a password, which is then sent separately to the intended recipient(s). Without the password, the contents of the email would present as a series of jumbled characters rendering the email useless to a cyber-criminal.
Another cool feature of ProtonMail is that it allows the user to set an expiration time for the message so that the contents of the email become inaccessible after the pre-determined number of minutes, hours or days, whether someone has the correct password or not.
Most IT professionals will usually advise their clients to create a unique password that contains upper- and lowercase letters, a number and a character. The password should also be double-digits in length – and it can’t be used for any other accounts! To make passwords even more interesting, some companies require their employees to change passwords every month or quarter – and it can’t be one that’s been used in the past six months!
Who has time to remember so many random sequences of letters, numbers and characters? It’s really no wonder that so many of us will still default to easy-to-remember phrases such as “Password123!” or passwords that can easily be socially engineered such as kids’ or spouse’s names, or mother’s maiden name.
That’s where a password manager service like LastPass comes in quite handy. Essentially, it’s a digital lock box that protects all your unique passwords. With a service like LastPass, all you have to do is remember one difficult password. LastPass will automatically remember and fill in login credentials for every site in your lock box.
LastPass is certainly not the only password manager on the market, but it happens to be the service we like. Skeptics out there may be wondering what happens if a user’s LastPass master-password is cracked, or if a security breach occurs that compromises hundreds of passwords such as the security breach of LastPass in 2015?
That’s where two-factor authentication can really save the day.
We’ve talked about two-factor authentication before, a second layer of security that user must clear to gain access to an account. A user must configure two-factor authentication with an external device, usually a smart phone or a thumb drive. We like Google’s free Authenticator app.
Services like ProtonMail and LastPass both offer the option to configure the account with two-factor authentication, and we highly recommend our clients take that extra precaution to protect their encrypted email account and password manager service. (After all, if a cybercriminal gained access to either of those services, it would undermine the whole purpose of this post and likely cause all kinds of hassle.)
When two-factor authentication is enabled, upon logging in a user will either receive a text message containing a six-digit code to unlock the account or be prompted to enter a 6-digit code from her authenticator app. In either case, the code is randomly generated and changes every 30 seconds making it virtually impossible to crack with a brute force attack.
Many social platforms offer some version of two-factor authentication including Facebook, Twitter, LinkedIn, Gmail and Yahoo! Mail. For independent contractors who use TurboTax or Mint to manage their finances, Intuit also offers a two-factor authentication option for their suite of services.