E-Mail Fraud, Extortion, Social Engineering
While service professionals are generally becoming more aware of the increasing incidents of computer-related crime, such incidents continue to substantially increase in number. The dynamics of the social and entrepreneurial personalities and practices of the agent, combined with highly-sophisticated cyber-criminal operations, continue to create vulnerabilities for real estate professionals. Regular use of social media, personal communication devices, internet advertising and unprotected email and domain names (i.e., myrealestateoffice@google.com) makes agents an easy target for the intruder.

Cybercrime comes in varied forms and terminology is loosely used to describe its’ different forms: phishing, hacking and spamming are among the common terms related to fraud, extortion and social engineering. Common occurrences include:

• Extortion: Your data and/or computer operation is frozen until you pay a monetary demand to the extortionist. Typically a relatively small ransom is requested ($5,000 for example) with the bad guy hoping it will just be paid without law enforcement getting involved. Even if paid, there is no guarantee your data will be released or that they will not come back for more money now knowing you are a willing target. Contacting the FBI or other law enforcement authorities is recommended.
• Email Fraud and Social Engineering: for firms that act as custodians of other people’s money (escrow, trust, IOLTA), cyber-criminals will create complex methods to infiltrate your computer and eventually manipulate the user into wiring money to them. There are numerous precautions that can be taken to minimize this risk, including personal verification of all communications, email addresses, routing numbers and transactions.
• Data Theft: the theft of client or employee data through hacking or phishing can result in civil fines and costs related to credit card monitoring and notifications to the affected parties, forensics, data restoration, crisis response, lawsuits and more. A data breach can easily cost tens or hundreds of thousands of dollars.

There are numerous preventative strategies to help minimize the risk of cybercrime. Recognizing that the “bad guys” are sophisticated international experts, preventative methods should be taken seriously and vigorously implemented.

7 Prevention Tips

1. Implement a mobile device policy – what can and can’t be done with company devices and data
2. Require strong passwords to lock devices
3. Use Encryption on all devices
4. Implement remote wipe software for lost or stolen devices
5. Backup remote devices
6. Disallow the downloading of unauthorized software
7. Keep security up to date

Brokers and business owners who implement security methods like anti-virus software and other protective measures for the firm’s computer and email programs should mandate that agents and employees only conduct business with those approved programs – no individual google or yahoo accounts, separate websites, etc.
Some experts state that it is “when”, not “if”, a business will be compromised. Insurance products exist that will offer protection if data is lost or a wire fraud, extortion or other cybercrime event happens. Policies can be tailored to the needs of a particular business. For example, not all businesses act as custodians of funds so they may not need protection for that, but almost all businesses need some type of insurance for data breach, theft or extortion. A Business Office Liability or Errors & Omissions policy may offer some incidental coverage, though a stand-alone policy is recommended for broader protection, with premiums being generally affordable. These policies will offer coverage for notification, credit card monitoring, credit card industry fines, forensics, data restoration and more. Many also include risk management information and hotlines to help reduce the risk of a cybercrime.

Author: John Torvi

Real Estate Insurance EssentialsEssential Components of an Insurance Plan for ProfessionalsEven the most effectively run real estate practice can be victim of human error, allegations of malpractice, unhappy clients or just plain old bad luck. Protecting a business from the consequences of any of these requires an insurance program that best suits the needs of one’s particular situation. Not all businesses need all types of insurance policies, but understanding what each type of policy does will help you spend your insurance dollars more wisely as well as sleep better at night.

There are a few hints in the content of the email that might alert a client that the email was a phishing attempt like the fact that the client is not addressed by name, the Insured had never mentioned Google Docs or SecureAcess before, and the language syntax is a bit unusual. However, the e-mail address appeared legitimate, the premise seemed reasonably related to accounting matters, and the fraudster even included an Avast email signature indicating that the message came without virus or malware.

One of the Insured’s clients called the Insured to ask about the email and the Insured quickly realized that their firm had been the victim of a phishing attempt. The Insured send out an email to all of their clients advising them not to open the SecureAcess email. However, Insured’s response to the phishing scam did not conform to industry best practices after a potential data breach. Shortly after the Insured’s response to the phishing scam, the Insured was sued for violations of certain state privacy laws, consumer fraud and deceptive business practices, and negligence due to the breach of the Insured’s security system as contained in the phishing email.
Accounting professionals are required to protect confidential client information which includes Personally Identifiable Information, Sensitive Personal Information, and social security numbers. To complicate matters, taxpayer identity theft and other attempts at data breach occur regularly and are likely on the rise with the IRS paying $5.8 billion in fraudulent tax refunds for 2013. Accountants need to develop a strategy for data protection, but they also need to know what to do when their efforts fail and there is an actual or even potential data breach.
The Great American Insurance Accountants Professional Liability Insurance Policy (12 17 edition) provides for assistance after a Security Incident which is defined as “the unauthorized access to or use of data containing private or confidential information in connection with the performance of Professional Services, which results in the violation of any privacy regulation.” The Policy provides for Supplementary Payments in Section VI. As follows:

• B. Reimbursement for Security Incident The Company will reimburse the Named Insured for the following response expenses incurred by the Named Insured in responding to a Security Incident the Named Insured first discovers and reports in writing to the Company during the Policy Period. The maximum amount payable shall be $25,000 for all Security Incidents discovered and reported during the Policy Period, regardless of the number of Security Incidents or the number of Insureds. Security Incident response expenses are:
  1. reasonable fees and expenses by cyber forensic analysts to determine the extent of the Security Incident; or
  2. reasonable fees and expenses by attorneys or consultants to comply with federal, state or local privacy laws requiring that notification or credit monitoring services be provided to individuals when the security, confidentiality, or integrity of their personal information has been compromised by the Security Incident.

  by Kim DeMarinoo.