Don't Get Caught by the Phishing Hook

It's spring home buying season, but that also means it's phishing season, and not the kind that puts fresh trout on the dinner table. "Phishing" is an attempt to try to trick you to give up financial or other confidential information, such as your user ID or password, by sending you a communication that looks as if it is from a legitimate organization. The communication typically is from scammer who is using the name and likeness of a financial institution or other trustworthy organization. It contains a call to action or link to a fake website that can look identical to the real one and usually features a web address that is nearly identical.

As home sales activity heats up this spring, real estate agents and brokers also need to ramp up their alert levels and be increasingly aware of these scams. Scammers are increasing their focus on real estate because they know that there are millions of transactions totaling billions of dollars each year, and our industry relies heavily on email and texting to coordinate communications for these transactions. We all get busy, yet we need to be particularly cautious and keenly aware of any communications that ask for confidential information, no matter how trustworthy the source may appear.

A good example occurred in Florida earlier this year. A fake organization calling itself the "Florida Board of Realtors" sent out invoices to real estate professionals throughout the state, sending them a "Final Notice" bill. The attached letter suggested that their real estate licenses were in jeopardy unless they paid the annual $225 fee. The invoice even cites a Florida Statute in an attempt to establish legitimacy. This highly sophisticated scam even included links to a very professional looking website. However, if you dug a little deeper, you would discover that most of the links on the website were broken – they did not work – and the blog content was very outdated. Fortunately, Florida Realtors were notified immediately by members and sent out a statewide alert to members. But how do you protect yourself from something like this, and other scams?

Real estate targets

Escrow and Wire Fraud scams: Inman News recently reported that scammers are stealing escrow deposits and closing funds by hacking agent and escrow email accounts. Protect yourself from being a victim of this scam by never emailing money transfer instructions with confidential details to a client – always call or fax clients the wire instructions and tell them to always check with you if they are notified of any "last minute changes" (a trick scammers often use). The NAR has some great tips about how to avoid escrow scams and, if it happens, the action steps you need to take here.

High Profile Agent Impersonation phishing scam: Sue Dietz, a real estate sales associate, who also served as president of the East Central Iowa Association of Realtors® in 2016, had her identity stolen for a phishing scam. Scammers created a fake email address in her name and sent out fraudulent emails to thousands of other agents offering referrals. Responders were provided a Google Drive link that was supposed to have details about the referral, but instead, it installed a computer virus that allowed scammers to obtain passwords and other personal information on the agents' computers. A similar scam happened to Sam DeBord, President of Seattle King County REALTORS®, and he shared some great tips here.

Lures to avoid

First, avoid the obvious: the email from the African prince is not real and neither is the offer to wire $50 million dollars into your bank account; Bill Gates is not going to give anyone $5000 for clicking on a Facebook link; and that desperate email from a friend trapped in a European country with their wallet and passport stolen asking you to wire them money probably means their email account was hacked. That's the point: if it smells fishy, it probably is phishing.

Second, don't be deceived: Your bank, PayPal, your credit card provider – none of these firms will ever ask you in an email to send any confidential information back to them in an unsecured email. If you receive a call asking for your confidential information, and you are not certain the call you received is legitimate, hang up and tell them you will call them back. Go online to their verified website to find a customer service number to call, or look at the back of your credit card or your bank statement and call that number first to verify the authenticity of the call you received earlier. That's what the scammers want: to direct you to call a fake phone number or their fake website to capture your information.

Third, never click on an attachment unless you are expecting it from someone you know: This is the biggest mistake people make. Today, even a Word document or PDF attachment can cause a web page to open up and that web page may look like your Gmail sign-in page (or another familiar site), but it is really a fake web page designed to steal your credentials. And that's just the beginning. You need to always err on the side of caution when it comes to an attachment. When in doubt – delete!

Finally, follow these simple online phishing safety rules:

• Never email any confidential information. Email is unsecure unless encrypted.
• Scrutinize the email address to make sure the URL is legitimate and not fake: does it say accounts(at)bankofamerica.com or accounts(at)bankoamerica.com? There's a big difference.
• Public Wi-Fi is easy to hack and if you are using it to sign into your bank account, you are vulnerable to hackers.
• Check the security of the website. For any financial information you provide over the web, check that the site is secure: the URL should begin with https.
• Watch what you click on: do not click a link in an email to go to an organization's site. Instead, look up the real URL and type it into the web address yourself.
• Only download and open file attachments that you are expecting from people you know and never open executable files that are attached. Not sure? Call the person and ask.
• Do not click on a URL attachment in an email, as it could redirect you to a malicious website.
• Never enter personal information in a popup window.
• Make sure your operating system, browser, and security software are up-to-date.