In today's technology environment, businesses of all sizes face huge challenges related to cyber security. But with intelligent buildings and smart everything enabled by the IoT (Internet of Things), legacy building systems are now internet enabled, and thus vulnerable to all other types of threats that target IT systems.
Therefore, special care is warranted for the real estate industry, especially in terms of corporate liability. One of the biggest problems any business faces is phishing and spoofing emails from cyber criminals. You may routinely get emails pretending to be from someone they are not. In some cases, it may be an email pretending to be Microsoft or another system or software vendor that you use, or even an email pretending to be from your bank.
In many cases, the goal of such emails is to get you to divulge your credentials or important information that can help them commit fraud or extortion. If they get nothing else from you, they at least want to be able to use your email address to send phishing or spoofed emails to other innocent victims.
A Brief Case Study on Cyber Security in the RE Industry
In one recent case, we discovered how a cyber-criminal organization gained access to an accounts receivable resource's email address by using a fake email impersonating Microsoft Office 365. Let’s call this employee Mark Smith. The email from “Microsoft” required Mark to update information by clicking a link to a pop-up window, where Mark entered his credentials. With Mark’s credentials, the criminals now had access to his email account, past communications, and were able to determine which clients owed his organization money.
The cyber criminals then created email accounts impersonating some of the company's customers—with slightly different domain names. They also created mail rules for each user's mailbox to divert all incoming emails from those specific customers to their own temporary Gmail accounts. Next, they sent emails directly from the organization's accounts receivable user's mailbox to customers who owed money, requesting that the payments be wired to the hacker's own bank account instead of sending mailed checks.
It was an almost perfect setup, as the criminals could track, intercept, and communicate with both parties, tricking them into thinking that the emails were legitimate. With multiple communications back and forth between the vendor and customers, customers were ready to wire the money, but luckily someone noticed something odd and alerted management. Upon investigation, the plot was revealed and crime prevented. In this example the crime was prevented, but imagine how many companies could fall victim to such stunts on a daily basis.
Your IT department can implement certain security measures to minimize your organizational exposure to such attacks, but, unfortunately, there is no silver bullet to tackle this problem. For example, with the implementation of MFA (Multi Factor Authentication), the policy ensures that even if you were tricked by a spoofed email and volunteered your credentials to them, the hackers may be unsuccessful in hacking your account. However, the hackers could still get some information from you that could adversely impact your own organization or your customers and vendors. An important factor in this regard is user education. The impact of cyber security threats for real estate companies goes far beyond IT, and requires a combination of technology solutions, business processes, and user education. Take the offense. Read this blog to learn what you can do to protect yourself and your company.
What Your Real Estate Organization Can Do
- Secure your building management systems: Traditional Building Management Systems are vulnerable to hacking. They are usually managed by non-IT personnel with little understanding of networking and cyber security. With the increased emphasis on intelligent buildings and efficient energy consumption, many organizations are scrambling to integrate the traditional building systems with the IoT (Internet of Things) without adequate safeguards against cyber threats. Make sure that your organization is aware of these vulnerabilities and implement a secure approach for implementing building management systems for new properties or integrating legacy building systems with IoT.
- Implement multi-factor authentication: In addition to implementing this important authentication method, implement strong password policies for Corporate Directory, Active Directory, and/or Office 365, and all important applications.
- Ensure excellent anti-malware protection.
- Implement secure data backup strategies.
- Set up and routinely test Corporate Disaster Recovery Procedures.
- Critically review and update your important financial processes: For example, wire transfers. Never send a wire based only on email request. Use other methods to validate the authenticity of such requests, such as face-to-face conversation or phone calls to known telephone numbers, etc.
- Implement security and compliance measures: This reduces the possibilities of hacking and prevents your organizational liability to phishing and spoofing issues. This may include: Enabling mailbox audit logging.
- Implementing DKIM and SPF policies: This ensures, for example, that the recipient organization using appropriate tools can detect if it gets an email from your organization's email address, but it is not coming from your mail system.
- Implement exchange alerts: By adding these alerts, you warn users within your organization about an incoming email from someone with the same display name as an employee of your company but with a different email address.
- Implement policies and procedures for the maintenance and destruction of data: This ensures that confidential data is only held for as long as actually and legally required. This can be accomplished by implementing data retention policies across all critical systems. This approach safeguards against identity theft and ensures compliance with data protection and privacy laws.
- Review mail rules in all users' mailboxes: Additionally, identify any suspicious rules that could be set up by hackers. This will mitigate the risk that hackers already have access to systems. Educate users, customers, and vendors about the perils of phishing and spoofed emails. Teach them what to look for, and how to handle them.
What You Can Do Daily
- Look at email names, not display names: Display names from incoming emails must not be trusted. Look at the email address instead. Spoofed emails can also use slight variations of your internal and external contacts' email addresses. Pay attention to detail.
- Don't click on hyperlinks in emails: This is especially important if the link included in an email is from an unknown sender. If you feel it’s necessary to look at the website, first review the URL by copying and pasting into Notepad or Microsoft Word, for example, instead of just clicking the hyperlink.
- Don't enter your login credentials in a site URL that doesn't start with https: Pay attention when entering your login credentials to a website. If the site URL doesn't begin with https, be suspicious. This is especially important if any of the other suspicious indicators are also noticed.
- Be extra cautious when threatening language is in the email: When you get emails with a sense of urgency or fear, be suspicious. For example, beware of emails warning about account suspension. Often, these are meant to cause hasty actions that can result in you not noticing other indicators about phishing or spoofing.
- Never enter sensitive information in a popup window: Be careful with popup windows. This is a tactic often used by phishers.
- Don't click on attachments if any of the above is true: When you have suspicion about any of the above, lean towards caution. You can call the sender if you know who they are and have their contact number.
- Check junk mail carefully: If your organization's IT department is tightening mail security, it is possible that some legitimate emails may end up in the junk folder. So if you aren't receiving the external email you were expecting, you should check your junk mail folder. But be careful when looking at anything in Junk, and review it with suspicious eyes.
- When in doubt, talk to someone directly. Contact your IT Support if an email looks fishy. If the unusual request is from someone in your office, walk down the hall and speak to them directly. Call the person who supposedly sent you that fishy-looking email and ask them to confirm the request is legitimate. We live in an increasingly digital world, but sometimes you just have to speak to someone directly.
Protect Your Company
With the advancements in automation technologies, intelligent building, and IoT, the real estate sector is providing better services to tenants and enjoying the greatest opportunities technology brings. However, renewed emphasis on cyber security risk management is critical for this industry, and must be taken very seriously. Implementing the right strategy can reduce that risk, and allow organizations to enjoy the business benefits of advanced technologies in this connected world.