With more than $173 million lost in real estate-related cyberattacks in 2024, Cybersecurity Awareness Month is a great time to remind real estate agents about the steps they can take to protect their sensitive information.
The real estate industry is a goldmine for hackers, due to the amount of personal information that’s included on contracts, bank wiring details, and the large sums of money that are transferred between parties every day. Real estate agents can shield themselves from cyberattacks by taking a few simple steps. These include creating different passwords for all of their accounts, setting up multi-factor authentication, and educating themselves and their team members about cybersecurity and hackers’ latest tactics. Ultimately, cybersecurity isn’t a one-time thing, but habits and actions that must be practiced daily.
More than $173 million was lost in real estate-related cyberattacks in 2024, according to the Federal Bureau of Investigation’s Internet Crime Report. Such a figure should keep real estate agents on their toes all year long, but during Cybersecurity Awareness Month, there’s no better time to remind agents how crucial it is to protect their information.
As Cybersecurity Awareness Month has grown in importance, so has the need for strong online protection practices. The October observance began in 2004 as a joint effort between the U.S. Department of Homeland Security and the National Cybersecurity Alliance to promote simple personal computer security tips. Today, Cybersecurity Awareness Month is a global campaign designed to raise awareness and address online threats and risks.
Businesses in every industry must do everything they can to safeguard their digital data from cybercriminals, and real estate is no exception. The large amount of personal information — social security numbers, names and contact information, bank and wire transfer details, and of course, money — involved in every transaction makes real estate attractive to cybercriminals who are waiting to pounce on the first opening they spot.
“Technology adoption has evolved rapidly over the last decade, and that comes with inherent risk,” says KWRI Information Security Analyst Abe Herrera. “Attackers know this. They leverage the urgency and trust baked into real estate relationships and weaponize it.”
Taking a few simple steps can keep your and your clients’ information safe — and leave hackers who want to steal this precious data waiting for a long, long time. Keep reading to learn how you can ensure a cyber-secure October — and beyond.
Develop Strong Password Strategies
It takes more than setting a strong, hard-to-guess password to shield personal data from hackers these days. You must set multiple strong, hard-to-guess passwords for every account you have. That way if a hacker accesses one of your accounts, they can’t use the same password to get into all of them. You could also use a password manager, which acts as an encrypted digital vault for all of your sensitive data. All and any log-ins are stored there and you only have to remember one master password to access them.
Even the most clever, original password can be decoded, so it’s important to have another level of security. You can get this backup in the form of multi-factor authentication (MFA), which is a second type of log-in to access your account. That means even if someone steals your password, they can’t get to your information without the next level of authentication, such as a fingerprint, facial recognition, hardware token, or authentication app.
There are a lot of steps you can take to protect your online information, but turning on MFA everywhere you can delivers the greatest impact, Abe says. Of all the cybersecurity measures you take this month and beyond, consider MFA as a non-negotiable.
Keep an Eye Out for Red Flags and Verify Information Requests
Knowing what to look out for is one of the best ways to prevent cybercrimes from happening in the first place. Hackers have studied the real estate workflow carefully and know what to do and say to access agents’ and clients’ personal information — and even money.
Becoming aware of attackers’ strategies is a big first step to ensure wire fraud protection in your business. For example, hackers will compromise an agent, client, or title company’s email account and just “hang out” and watch messages go back and forth, according to Michael Gartner, KWRI Senior Director of Information Security and IT Services. The moment they see an email that has to do with a transaction, they pounce. A likely attack at this point could involve the hacker sending “updated” wire instructions during the closing period, and counting on the time crunch for someone to rush to wire money without verifying who sent the new transfer instructions.
These same hackers are well aware of the volume and types of documents real estate agents are receiving and sending throughout the day. They use that knowledge to send emails with fake DocuSign pages, Google Drive files, and other legitimate-looking services. Agents are used to receiving these kinds of links, which leads to them lowering their guard and entering their credentials. Once that happens, the attacker has access to their accounts.
To guard against these mishaps, Michael recommends agents only trust links and downloads from emails they requested to receive. It’s critical to check links and be mindful before downloading PDF files and other attachments.
Likewise, Abe suggests agents slow down and verify any request that involves money, especially wiring instructions. Call clients or partners from a known, trusted phone number to verify private information.
“Train yourself and your team to spot red flags in emails,” Abe says. “This needs to be continuous, not a one-time thing. Attackers work around the clock using automation, bots, and AI, and their tactics get better every day.”
Stay on Top of the Latest Hacking Tactics
Business strategies are constantly changing in the real estate industry, and the hacking industry isn’t any different. Cybercriminals are looking for new ways to compromise accounts and steal data; it’s critical to know what they’re up to today so you aren’t their next victim.
Michael recommends researching hackers’ newest tactics annually. He notes that just as our annual physicals change a bit as we age, the same is true when examining our cyber health. Hackers’ efforts to stay ahead of their victims means that there’s something new to look out for each year.
Looking into what hackers are up to at the moment is as simple as going to YouTube each quarter and searching for the latest phishing trends, Michael says. Most of the phishing efforts tend to be financial and often focused on world events — trying to entice people to donate money for hurricane relief, for example.
“They’re opportunists and they have no regard,” Michael says. “They’ll do whatever it takes to make some money. Their success keeps them coming back for more.”
Get Educated on Cybersecurity
Gaining some basic cybersecurity knowledge could make all the difference in keeping your and your clients’ sensitive financial data safe from hackers. Learning more about cybersecurity could also prevent the theft of your clients’ personally identifiable information (PII) — any information that could identify someone directly, such as their name, address, or social security number. PII also includes information that could be used to identify an individual if combined with other indirect identifiers, such as their gender, location, or birthdate.
Fortunately, there’s no shortage of educational resources available to help you and your team increase your cybersecurity know-how. Here are a few places you can learn more about this important topic:
The National Association of Realtors (NAR) offers security and data privacy resources and best practices.
The Cybersecurity and Infrastructure Security Agency (CISA.gov) provides free resources that are practical and non-technical, as well as a variety of awareness materials.
The National Cybersecurity Alliance (staysafeonline.org) has resources for online safety, privacy, and cybersecurity for businesses.
Platforms like KnowBe4 offer structured security awareness training, while simple YouTube explainers can give quick “what to watch for” refreshers. You can search YouTube for “how to spot phishing” or check out the CISA or the Federal Trade Commission’s official channels.
Additionally, Abe suggests looking to your brokerage for support. They may offer micro-trainings, knowledge bases, and phishing simulations that can help you stay up to date on the latest hacking tactics. Taking these steps not only makes your business more secure, it also helps to build client trust and protect your reputation.
Be Consistent
Cybersecurity isn’t a one-time setup — it’s a practice you must consistently work on to keep your private data safe.
“Many folks operate under a ‘security through obscurity’ mindset, assuming they’re just one fish in a massive sea, so their risk is low. That’s a mistake. Attackers go for the low-hanging fruit; they choose the path of least resistance. Threats evolve every week.”
Abe Herrera
Abe notes that the best way to stay ahead on cybersecurity is to treat it like hygiene — a set of regular habits that become muscle memory.
Following the National Institute of Standards and Technology (NIST) five-step cybersecurity framework can also help keep your business and sensitive data out of harm’s way:
Identify your client’s PII: Determine all of the client information that you need to shield from a cyberattack, such as names, addresses, social security numbers, email addresses, and phone numbers.
Protect PII with MFA: Password-protecting your client’s personal information isn’t enough to safeguard it from hackers anymore. Use multi-factor authentication as another layer of protection in case your password is ever stolen.
Detect suspicious emails: Artificial intelligence (AI) has eliminated the misspellings and poor grammar that made suspicious emails easier to spot, Michael says. That’s why it’s critical to slow down and only download files and click on links from emails you requested.
Respond with a communication plan: Have a strategy in place for you and your team to follow in the event you detect a cybersecurity issue. This includes assessing the damage, how to contain the threat, and what you need to do to eliminate it.
Recover with backups: Have backup services on hand so your company can move forward quickly if any of your software was damaged or accounts were compromised by a cyberattack.
Maintaining good cybersecurity practices also includes keeping all of your devices and software updated, including your phone, laptop, apps, and Wi-Fi router. Software updates help eliminate vulnerabilities that hackers use to access systems and data. They also stabilize systems, shield you from malware and attacks, and ensure compliance with regulations. Avoid fake update scams by never downloading or installing software updates from sources you don’t recognize. Visit software companies’ official sites to confirm if an update is legitimate.
“Remember, security isn’t always convenient and convenience usually isn’t secure. Never assume, ‘it won’t happen to me.’ Attackers cast a wide net and real estate is in their sights every day.”
Abe Herrera
