It doesn’t matter how many technical controls you put in place. If someone inside the organization clicks a link, that person can let a bad guy right into the network and bypass all of the technical security.

—Wade McCain

Do you lock your door when you leave your home? Do you hide your valuables before leaving a parking lot? You probably don’t even think about it when you take these basic precautions.

If it’s second nature to protect your tangible valuables, are you that careful with your digital ones?

Cyberattacks against personal and business computer systems are becoming more common every year. The 2021 FBI Internet Crime Report says Texas had 41,148 reported cyberattack victims and lost $606.2 million to cybercrime last year. And those are just the incidents we know about, says Wade McCain, cybersecurity training specialist at the Texas A&M Engineering Extension Service, Cyber Readiness Center. Plenty go unreported.

“Typically, cybercriminals are going for money. Whatever leads them to money will be the biggest target,” he says. They may be interested in personally identifiable information, customer and financial data, intellectual property and trade secrets, or systems and business plans.

Cybercriminals know they can make money targeting real estate businesses and professionals like you. If you think your home computer or firm is too small or insignificant to be attacked, think again. Once cybercriminals have broken into your systems, they can encrypt your files or trick you into handing over your money and personal information, among other disruptive actions.

There are basic steps you can take to protect yourself online. The more of them you implement, the safer you’ll be. Here is what McCain recommends.

I’m the victim of a cybercrime. What should I do?

That depends on the type of attack, says Wade McCain. You should contact the FBI or file a formal complaint with the Internet Crime Complaint Center, he says. Businesses should reach out to their cyber insurance provider and consult their cybersecurity policies and response playbook. You or your business may need to take quick action, such as contacting your financial institution in the case of wire fraud.

For Individuals

“We at the Cyber Readiness Center believe that it’s more memorable to teach individuals how to secure their personal lives, and then that knowledge will spill over into their professional lives,” McCain says.

Long, unique passwords for every personal and work account are essential. A long password should be at least 12 characters in length. Do not reuse passwords for multiple accounts. If your password gets stolen, cybercriminals can test it all over the internet and gain access to more of your information, he says.

Password managers are programs and apps that can help you generate long, unique passwords and store them securely so you don’t have to remember them. By downloading and installing one, you only need to remember a single password: the one that opens the password manager.

Check before you click. Take a second before opening an email or text message. Do you recognize who sent it? Does the email address or phone number look normal? Are there any misspellings? Does anything seem unusual about the message? Don’t open attachments or click on links from sources you do not recognize. If you aren’t sure if the sender is legitimate, do not log in to a service to read a message or access a file. Invitations to view online documents may direct you to a fraudulent website that looks legitimate but is designed to steal your password. This is a common way criminals can break into your systems.

What are the five most common types of cybercrime?

  • Phishing is when a cybercriminal pretends to be someone or something trustworthy, commonly through email, to trick you into giving up your personal information. Related attacks include vishing (fraudulent phone calls), smishing (fraudulent text messages), and pharming (the use of fake websites to steal credentials).
  • Non-payment and non-delivery: not getting paid for an item you sold or not receiving an item you bought
  • Extortion crimes, such as ransomware, when cybercriminals encrypt your files and ask for payment to decrypt them
  • Data breaches happen when attackers access and/or distribute personally identifiable information they are not authorized to have. The attackers can then sell this information to scammers or use the information to steal from you.
  • Identity theft

Source: 2021 FBI Internet Crime Report

Don’t give out your personal information. Phishing is when a cybercriminal pretends to be a trustworthy person or entity to trick you into giving up your account credentials or personal information. This could take the form of an email, text message, phone call, or website. Verify that the message is legitimate; call the person or organization at a number you independently locate to confirm before responding.

Reduce your digital footprint. People love sharing their personal activities and photos on social media. “Everything you do online is not only in writing but can and will be used against you by the bad people,” McCain says, adding that businesses have been attacked based on what employees have posted in their personal channels. Think carefully about what you post online. Does that post reveal anything sensitive? Consider limiting who can see your posts.

Two-factor authentication protects your accounts by asking users to provide a second credential after the password. Typically, you’ll use a one-time code sent via text message, email, or an app. Many popular services, such as Gmail, Amazon, and financial services allow two-factor authentication.

Websites that monitor major hacks can tell you if your information is in danger. If you input your email address at haveibeenpwned.com, the site will tell you if that address was included in known major data leaks. If the information was leaked, change your passwords immediately.

If a scammer used ransomware to encrypt my files, should I pay to get them back?

It’s a personal decision, says Wade McCain.

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and law enforcement would all say no. There’s no guarantee the criminals will give you access to your data—on average, only 65% of data is recovered, he says. They may also try to extort you a second time by threatening to publish the data online. Paying also funds the criminals and reenforces the idea that cybercrime is profitable.

“However, everyone realizes that in some cases, an organization may choose to pay,” he adds. “If you pay the ransom, it’s often cheaper than recovering the data without doing so, even if you have good backups.” Also, paying the ransom may be the only way to stay in business.

It’s important to have cyber insurance; that may dictate how you respond. Sometimes insurance companies can negotiate with the criminals to bring down a ransom payment, he says.

Keep your devices up to date. It may be tempting to delay that software update, but tech companies are continually fixing vulnerabilities. If they’ve provided a solution to a problem, install it. Many devices update automatically or have a setting you can turn on to automatically update.

Back up everything offline. Keep extra copies of your files and important information on an external hard drive (or two) that is disconnected from your computer, the network, and the internet once your backup is completed. If anything happens to your computer, you can start over from your backup file. Be sure to test your backups periodically to make sure they’re working and up-to-date.

For Businesses

When it comes to cyberattacks for real estate companies, knowing your risks is the first step to mitigating them, McCain says. Brokerages are being targeted with phishing, data wire transfers, email compromises, and ransomware.

Learn More

TEEX Cyber Readiness Center (Training & Technical Assistance Services), teex.org/cyber

Cybersecurity & Infrastructure Security Agency, cisa.gov

Internet Crime Complaint Center, ic3.gov

National Institute of Standards and Technology (NIST), nist.gov/cyberframework

Center for Internet Security (CIS) Security Controls, cisecurity.org

CISA MS-ISAC ransomware guide, http://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf

SecuLore Solutions Cyber Attack Archive, seculore.com/resources/cyber-attack-archive

Texas Information Sharing and Analysis Organization, dir.texas.gov

Training your agents and personnel on cybersecurity is the most important thing you can do. Business email compromise attacks resulted in nearly $2.4 billion in losses nationwide last year, according to the FBI. Scammers will compromise a business email account by breaking into the account or tricking the rightful owner into letting them in. Once there, they can conduct unauthorized transfers of funds, the FBI Internet Crime Report 2021 says.

Everyone who accesses your systems protects your organization like a human firewall against cyberattacks. “It doesn’t matter how many technical controls you put in place. If someone inside the organization clicks a link, that person can let a bad guy right into the network and bypass all of the technical security that’s in place,” McCain says.

Verify payment and purchase requests in person if possible. “Too many times, people will authorize paying people and approve real estate transactions through email,” McCain says. “If that email has been compromised, you could literally lose tens of thousands, hundreds of thousands, or even millions of dollars just because you thought you were paying somebody and that’s not really who you were paying.”

Member Benefit: Tech Team One

Tech Team One, a Texas REALTORS® member benefits partner, will run a free diagnostic scan on your computer. A technician can remotely connect to your computer to check for problems. The company sells one-time and ongoing tech support for businesses.

Two-factor authentication is needed for all remote access accounts. Anybody who is connecting to the system through a virtual private network (VPN) or any administrator who is managing a server needs this second layer of protection.

Create a separate administrator account with full access on your devices and only use it for administrative purposes. Brokerages and business owners can set this up across all of the company machines. Give your own account less access and use it for your daily business. Your systems are more secure from malware infection when logged in as a user with fewer privileges. If your computer has been infected with malware, you may be able to resolve the problem using the administrator account, McCain says.

Having procedures in place before anything happens will help your firm immensely. Create a cyber incident response plan. The National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Security Controls are great places to start: They are a set of guidelines and practices for protecting against cyberattacks. Create a playbook so you know what to do for each type of cyberattack. Once you have established plans, be sure to practice them at least once a year, McCain says.

Advanced Advice

To stay up-to-the-minute on cybersecurity issues, Wade McCain suggests these steps:

Check out respected publications and sources like CSO, Dark Reading magazine, The Hacker News, Infosecurity magazine, and Security Weekly.

Follow security professionals and subject matter experts such as Troy Hunt (troyhunt.com), Brian Krebs (krebsonsecurity.com), and Bruce Schneier (schneier.com).

Test your organization. KnowBe4 offers security awareness training and phishing tests among its services.

Sign up for newsletters with CISA, NIST, SANS Institute, and the Texas Information Sharing and Analysis Organization.

Attend live events such as Black Hat and DEF CON.

Cyber insurance can offer coverage from cyberattacks and guidance when an incident happens.

Hold your partner organizations accountable. Even if your business is secure, you are still at risk if your vendors and third-party organizations you interact with are insecure, according to McCain. Require that any third party you work with follows strong cybersecurity practices.

Keep your systems up to date. Some recent high-profile cybercrimes happened because attackers exploited outdated servers and operating systems, McCain says. Have a patch management system to routinely update your devices and computers.

Having secure, offline backups of data is just as important for businesses as individuals. Those files can help you recover if ransomware freezes your systems.

“My advice for real estate companies is to do all of the basics right—all of the simple stuff,” McCain says. “Having good cyber hygiene will make a big difference.”