3 must-have apps for real estate agents who crave better cyber security

3 must-have apps for real estate agents who crave better cyber security

The threat cyber criminals pose to real estate agents – and specifically their inboxes – has come up in a lot of recent conversations within the real estate and title insurance world lately. Wire fraud scams have cost the industry millions, if not billions, over the past decade or so.

At Federal Title, we’ve received several phony emails supposedly from real estate agents, asking us to wire funds to a particular account. We’ve read about these scams happening in other parts of the country as well.

Our staff is trained to spot these fake emails. We also make phone calls to agents, lenders, buyers and sellers to ensure the funds are going where they are supposed to go because we take our clients' privacy and security very seriously.

But in the interest of cyber security for all, we can recommend a few apps that we think are essential for better inbox protection. These services are free to use and go a long way toward protecting sensitive information, such as the kind that is exchanged throughout the homebuying process.

ProtonMail

First and foremost, make sure you’re sending sensitive information through encrypted email. Most email by default is transmitted in the clear or encrypted after it is sent to the email provider’s server, which means it’s possible for emails to be intercepted. Sending emails over free and public WiFi networks, such as in a coffee shop, makes the contents of one’s emails particularly vulnerable.

When it comes to buying or selling homes, it’s necessary to report personal information such as social security numbers, salary history, alimony payments, wage garnishments, etc. Your real estate agent and lender as well as third parties like the title company are legally required to maintain confidentiality, but a rogue party like a cyber-criminal is not.

ProtonMail, a free and open-source end-to-end encrypted email service that was originally created for researchers at the European Organization for Nuclear Research (also known as CERN in Switzerland) offers a more secure solution. Available as a webmail client or via the iOS / Android app, ProtonMail allows the user to encrypt email contents and data before they are sent to the ProtonMail servers.

With the click of a button, a user can enable to the encryption feature on ProtonMail and set a password, which is then sent separately to the intended recipient(s). Without the password, the contents of the email would present as a series of jumbled characters rendering the email useless to a cyber-criminal.

Another cool feature of ProtonMail is that it allows the user to set an expiration time for the message so that the contents of the email become inaccessible after the pre-determined number of minutes, hours or days, whether someone has the correct password or not.

LastPass

Most IT professionals will usually advise their clients to create a unique password that contains upper- and lowercase letters, a number and a character. The password should also be double-digits in length – and it can’t be used for any other accounts! To make passwords even more interesting, some companies require their employees to change passwords every month or quarter – and it can’t be one that’s been used in the past six months!

Who has time to remember so many random sequences of letters, numbers and characters? It’s really no wonder that so many of us will still default to easy-to-remember phrases such as “Password123!” or passwords that can easily be socially engineered such as kids’ or spouse's names, or mother’s maiden name.

That’s where a password manager service like LastPass comes in quite handy. Essentially, it’s a digital lock box that protects all your unique passwords. With a service like LastPass, all you have to do is remember one difficult password. LastPass will automatically remember and fill in login credentials for every site in your lock box.

LastPass is certainly not the only password manager on the market, but it happens to be the service we like. Skeptics out there may be wondering what happens if a user’s LastPass master-password is cracked, or if a security breach occurs that compromises hundreds of passwords such as the security breach of LastPass in 2015?

That’s where two-factor authentication can really save the day.

Google Authenticator

We’ve talked about two-factor authentication before, a second layer of security that user must clear to gain access to an account. A user must configure two-factor authentication with an external device, usually a smart phone or a thumb drive. We like Google’s free Authenticator app.

Services like ProtonMail and LastPass both offer the option to configure the account with two-factor authentication, and we highly recommend our clients take that extra precaution to protect their encrypted email account and password manager service. (After all, if a cybercriminal gained access to either of those services, it would undermine the whole purpose of this post and likely cause all kinds of hassle.)

When two-factor authentication is enabled, upon logging in a user will either receive a text message containing a six-digit code to unlock the account or be prompted to enter a 6-digit code from her authenticator app. In either case, the code is randomly generated and changes every 30 seconds making it virtually impossible to crack with a brute force attack.

Many social platforms offer some version of two-factor authentication including Facebook, Twitter, LinkedIn, Gmail and Yahoo! Mail. For independent contractors who use TurboTax or Mint to manage their finances, Intuit also offers a two-factor authentication option for their suite of services.

What is two-factor authentication, and why is it important for your real estate business?

We’ve noticed an uptick in agent email addresses that have been compromised by cyber criminals with the intent of defrauding home buyers, sellers and title companies – and most agents are totally unaware when we tell them.

The emails we’ve received of late are generally inquiries about wire transfers of seller proceeds. The sender is hoping the recipient (in this particular scam, title companies) will fall for a request to wire funds to their “client’s” account. If the victim is duped and sends funds, the fraudsters will quickly clear the account making it virtually impossible to recover the funds.

Reports of wire fraud scams have come in from all over the country and have cost the industry millions, if not billions, of dollars over the past several years.

These emails inquiring about wire transfers don’t come from the agent’s legitimate email account either, which is why the agent is often unaware any cyber hacking has occurred. Instead, the emails come from phony email accounts that look almost identical to the agent’s legit email account that was hacked – perhaps an extra letter, hyphen or dash is the only difference.

By the time the title company receives one of these phony email inquiries, the real estate agent’s legitimate email account has already been compromised along with all the contents of the inbox. Information pertaining to upcoming closings, specific property addresses, names and email addresses of other parties in the transaction are all used to bait the wire-fraud trap.

Needless to say real estate professionals must do all they can to protect their inboxes and the interests of their buyers and sellers, and email accounts have proved a particularly vulnerable area for attack. That’s where 2-factor authentication comes in handy.

What is two-factor authentication?

Pretty much like it sounds, two-factor authentication creates a second layer of security that a user must clear to gain access to the account. A classic example is the ATM card. To take money out, the individual must know their pin code (password) AND be in possession of the bank card that’s linked with the account that matches their pin. Having one or the other is not enough.

Two-factor authentication works very similarly with email, and many major email providers such as Gmail and Yahoo! Mail offer the option. To configure, a user goes to account settings, ticks the box to enable two-factor authentication and enters her mobile phone number. There’s an option to receive a verification code by phone or text. Enter the verification code to configure two-factor authentication with that mobile device.

From then on, any time the user logs into her account she must also enter a unique code to gain entry. It might seem like a hassle, but it increases email security significantly.

Even if an individual’s username and password are compromised – maybe they accidentally downloaded malware from a spam email or used public, unsecured WiFi to access their email – the criminals cannot gain access unless they also possess the specific mobile device that was configured with the email account.

The two most common two-factor authentication methods rely on text messages and/or mobile applications to produce the code.

With text message, a user logs into her email account with username and password and then receives a text message on her phone that contains the unique six-digit code. Once she successfully enters the code at the email login, she unlocks the second layer of security and gains access to her account.

A second method is similar to the SMS approach but instead relies on a free smart phone app, such as Authenticator by Google, which produces a new six-digit code every 30 seconds. A user logs into her email account with username and password and then opens the app to obtain the unique six-digit that unlocks the account.

With both methods, the user must have knowledge of their username / password AND possess a specific device that’s configured with the email account. Knowledge of the username / password makes one factor, and possession of a specific device makes two factors.

How to change your chosen title company after you have a ratified sales contract

Most homebuyers know by now that it’s their legal right to choose their own title company and that shopping for title services is one of the most effective ways to reduce costs at the closing table.

(For those who haven’t heard this, read our content on Marketing Service Agreements and Affiliated Business Arrangements and see for yourself how these common deals jack up closing costs for consumers.)

But what happens if a homebuyer doesn’t learn about this important right until after her sales contract has been drafted, accepted and signed by all parties? And is it possible to change title companies once a title company has been designated in the contract and an earnest money deposit has been delivered to that designated title company?

The short answer is you can change your mind with the consent of the seller, through a simple addendum to the sales contract. View our a settlement agent-change sample addendum.

Once the addendum is completed and signed by all parties, the homebuyer can then use the new title company listed on the addendum.

Even if the earnest money deposit was already delivered, with the addendum in place, the new title company would simply reach out to the old title company holding the funds and arrange for a wire transfer. That’s it!

How might a homebuyer find herself in a situation where she wishes to change her company after all parties have signed a sales contract with a designated and undesired title company?

First and foremost, we encourage every homebuyer to get closing cost quotes from several local title companies and compare costs and online reputations to avoid this situation. We also remind homebuyers that title companies don’t necessarily include all the same services in their settlement fee. Sometimes additional services, i.e., document fees, processing fees, amount to hidden costs, so it’s important to ask what services are included and what extra costs may be charged.

And while it’s technically illegal for real estate agents to fill in the name of a preferred title company if their brokerage has a professional affiliation with that title company, the practice persists. In these cases, homebuyers may not realize until after they have a ratified sales contract that they could have chosen their own title company.

It’s important to ask your agent if his company has a professional affiliation with the title company he’s listed in your sales contract and what benefits or incentives the real estate agent or brokerage may be receiving by recommending that title company. Sometimes the answer is there is no affiliation; the agent is familiar with a certain company and recommends that company from the perspective of good service and pricing.

There’s nothing inherently wrong with an agent directing their client to use their favorite title company, except that it may lead a homebuyer to falsely believe she does not have a choice, or once a title company’s name is written into the contract and that contract is ratified, the decision is set in stone and the title company can’t be changed.

A homebuyer maintains a right to choose her own title company and also has the right to change her mind and choose a different title company.

This isn’t an invitation to change title companies several times prior to closing or to change for no good reason. Keep in mind any addendum to a ratified sales contract must be signed by all parties, including the sellers. You may risk delaying closing, annoying your sellers or even causing your deal to fall through by abusing your right to change title companies after you have a ratified sales contract.

We put this post together specifically to help those who learned after the fact they could have chosen their own title company and would like to exercise that right. Two primary reasons a homebuyer may choose to change title companies might be she’s found a title company that charges lower prices and/or provides better customer service than the company initially listed on the sales contract.

Beware of possible malware attack

Several real estate agents and lenders who work with Federal Title recently received an email purporting to be from a Federal Title employee with the same name as a local real estate professional and with a file attachment for download. The email is a scam, and we implore you to delete the email immediately.

If you ever have questions or concerns about an email you received from Federal Title, please do not hesitate to contact us to verify its authenticity. Also, know that we will never ask for or provide personal / financial information through unsecure channels.

Our technology team suspects the email sent last Thursday at approximately 6 pm was a malware attack. Malware is software that’s intended to damage or disable computers and computer systems.

A malware program might log keystrokes of a user to obtain sensitive login information. Malware can create a computer zombie, allowing a hacker to use that computer to conduct other malicious attacks usually without the owner’s knowledge. An estimated 50 to 80 percent of spam sent worldwide is attributable to zombie computers.

This is not the first time a hacker has impersonated a title company, real estate professional – even a consumer – in an attempt to install dangerous malware or gain access to sensitive information. We want our clients to be aware of another common scam we have observed, one that attempts to steal the consumer’s down payment funds via a fraudulent wire transfer. This kind of attack is unfortunately becoming commonplace, and once the funds have been wired to the scammer’s account they are gone.

The Federal Trade Commission posted a bulletin that explains how scammers phish for mortgage closing costs. They offer a few ideas to help real estate professionals and their clients avoid phishing scams.

  • Don’t email financial information. It’s not secure.
  • If you’re giving your financial information on the web, make sure the site is secure. Look for a URL that begins with https (the "s" stands for secure). And, instead of clicking a link in an email to go to an organization’s site, look up the real URL and type in the web address yourself.
  • Be cautious about opening attachments and downloading files from emails, regardless of who sent them. These files can contain malware that can weaken your computer’s security.
  • Keep your operating system, browser, and security software up to date

We also want to remind you that Federal Title takes Internet security very seriously. We use military-grade email encryption technology and adhere to the American Land Title Association’s Best Practices for the proper handling of each and every individual’s non-public personal information, i.e., social security and bank account numbers.

Unfortunately we anticipate malware and phishing scams will remain a threat to our industry for the foreseeable future. The best way to defend against such attacks is to be skeptical of any email that contains an attachment download or requests sensitive information – and always exercise extreme caution when providing sensitive information online.

Fewer hands in the pie means more pie to go around

Happy Pi Day! What better day than Pi Day to remind homebuyers about all the hands in their "pie" so to speak when it comes to real estate closings.

It's no surprise that everyone wants a piece of the proverbial pie, from the real estate agent's commission to the lender's fees to the government's taxes and, yes, even the title company's charges.

Having to share some of your pie is a fact of life. Having to give up all of your pie is a tragedy of life.

Just like homebuyers, we don't like having to give up our entire pie. That's why we have held firmly as an independent title company – we will not share our pie, or profits, with referral sources through Affiliated Business Arrangements or Marketing Service Agreements.

Not all title companies feel the way we do. They happily share their pie with their referral sources because they believe they can make it up by taking more pie from unassuming homebuyers. Unfortunately, they are often right.

Homebuyers who understand how much dough is at stake, however, are often surprised by the cost difference between one title company to the next. When made fully aware of these differences, most homebuyers choose to spend less.

With fewer hands in the pie, as our company founder Todd Ewing likes to say, there's more pie for everybody. In this case it means a cost savings of up to $750 for our clients.

The cost savings we extend to our homebuyers is part of our revolutionary REAL Credit™ program, which reflects costs passed through to consumers who close with other, affiliated title companies. To date, the cost savings hovers above $8 million.

That's a lot of pie.

  • Ways to save at closing

    Title charges are the largest chunk of closing costs and can vary by hundreds of dollars.

    Learn more

  • What are closing costs?

    The real estate closing process involves loan steps, legal steps and title steps.

    Learn more

  • What's title insurance?

    Insure your legal ownership just like you'd insure the building, but for lots cheaper.

    Learn more

Connect with us


Our blog contains general information only, not intended to be relied upon as, nor a substitute for, specific professional advice. Rate tables and figures that appear on our blog are deemed reliable but not guaranteed. For current rates & policies, refer to our Quick Quote and Consumer Guide. We accept no responsibility for loss occasioned to any purpose acting on or refraining from action as a result of any material on our blog.