Editor’s note: This feature originally appeared in the March issue of DS News
One in every 99 emails is a phishing attack, according to Avanan’s phishing statistics. This amounts to 4.8 emails per employee in a five-day work week. Considering close to 30% of phishing emails make it past default security, the threat is very much present.
The success rate of these attacks has emboldened scammers to launch more of them. Avanan reports an increase of 65% in phishing attacks from 2016 to 2017. This is a global phenomenon affecting every region and economy.
In 2018, 83% of people received phishing attacks worldwide, resulting in a range of disruptions and damages. This includes decreased productivity (67%), loss of proprietary data (54%), and damage to reputation (50%). When it comes to the attacks, two in three phishing attempts use a malicious link and more than half contain malware.
Malware—or malicious software—describes any program or code that is harmful to systems. Malware seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device’s operations. Once a device is infected with malware, scammers gain access to a wide variety of functions, including taking computer screenshots; sending, downloading, and deleting files; and stealing passwords.
Phishing occurs when a scammer uses fraudulent emails, texts or copycat websites to get someone to share valuable personal information such as account numbers, Social Security numbers, login IDs, or passwords. Scammers use this information to steal someone’s money or identity—or both. In real estate transactions, this is a precursor to what the FBI refers to as business email compromise (BEC), often resulting in wire transfer fraud. The FBI reported 11,300 people suffered losses of nearly $150 million due to wire fraud in 2018.
Ditch the Complex Password?
If a company fails to properly educate employees and make them aware of the dangers of phishing, the most complex password requirements won’t matter. Studies show that poor password security, rather than a lack of password complexity, is often the major cybersecurity weakness for organizations and employees, and the one that leads to criminals accessing non-public personal information. The latest password guidelines issued by the National Institute of Standards and Technology (NIST) recommend significant changes to the way companies and people approach the complexity and usage of passwords.
Among the changes, NIST recommends removing periodic password change requirements, dropping the mandatory character-complexity rules that often resulted in passwords easily cracked with password-cracking tools, and using long passphrases instead of complex passwords.
Easy to Remember, Hard to Guess
In what may seem like a 180-degree turn, NIST moved away from what’s been promoted for more than a decade, recommending long passphrases in lieu of complex passwords. These new security guidelines are more focused on creating unique passphrases that users will remember easily, using whatever characters they want, instead of using convoluted and complex passwords that make no sense to the user.
More Is More
The NIST password guidelines update requires passwords to be at least eight characters long and calls for password form fields to accept passphrases of up to 64 characters. This change was made to support the use of passphrases. According to the Verizon 2018 Data Breach Investigation Report, length and complexity of passwords are not enough on their own.
“Users should use long password phrases consisting of three or more words that normally don’t go together but are easily remembered and be at least 15 characters long,” suggested Paul Noga, Director of Information Technology and Cybersecurity for Southern Title. “Passwords should be screened against lists of commonly used or compromised passwords. Users should only change their passwords when they suspect there could be a potential compromise.”
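The NIST-style rules summarized above (minimum of eight characters, fields accepting up to 64, no forced character mix, screening against lists of common or compromised passwords) and Noga’s suggestions of a 15-character floor and random generation by a password manager can be expressed as a small acceptance check. The following is an added example, not code from the article, from NIST, or from Southern Title; the blocklist and word list are constructed stand-ins for a real breach corpus and a real diceware list, and the `context` parameter (rejecting passwords built from a user or company name) is an assumption about how a company would apply the guidance.

```python
# Added example (not from the DS News article or from Southern Title): a
# password-acceptance check modelled on the NIST guidance the article
# summarises, plus a passphrase generator of the kind a password manager uses.
import secrets
import unicodedata

NIST_MIN_LENGTH = 8   # NIST floor; a company may raise it (Southern Title uses 15)
NIST_MAX_LENGTH = 64  # NIST says systems must accept at least this many

# Constructed stand-in for a real breached/common-password corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "title2019"}

# Constructed mini word list; a real generator would use a diceware list.
WORDLIST = ["velvet", "otter", "lamppost", "harvest", "quartz", "pelican",
            "meadow", "copper", "lantern", "ripple", "saddle", "tundra"]


def normalize(candidate: str) -> str:
    """NFKC-normalize so visually identical input compares equal; spaces stay."""
    return unicodedata.normalize("NFKC", candidate)


def check_password(candidate, min_length=NIST_MIN_LENGTH,
                   blocklist=BLOCKLIST, context=()):
    """Return (accepted, reason). No composition rules: any characters allowed."""
    pw = normalize(candidate)
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(pw) > NIST_MAX_LENGTH:
        return False, f"longer than {NIST_MAX_LENGTH} characters"
    lowered = pw.lower()
    if lowered in blocklist:
        return False, "on the common/compromised password list"
    if len(set(lowered)) == 1:
        return False, "a single repeated character"
    for term in context:  # hypothetical: user name, company name, etc.
        if term and term.lower() in lowered:
            return False, f"contains context word {term!r}"
    return True, "ok"


def generate_passphrase(words=5, wordlist=WORDLIST):
    """Pick words with the CSPRNG. With a 7776-word diceware list, five words
    give about 64 bits of entropy; this 12-word demo list gives far less."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for pw in ["password", "short", "Tr0ub4dor&3", "velvet otter lamppost harvest"]:
        print(repr(pw), check_password(pw, min_length=15))
    print("generated:", generate_passphrase())
```

Note that the check never demands digits or symbols: a 29-character four-word passphrase passes while `password` is rejected purely because it appears on the compromised list, which is the reordering of priorities the article describes.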
What Title Agents Are Doing
Noga said his company’s minimum password length is set to 15 characters, and it still requires character complexity (special characters, upper and lowercase). He added that Southern Title will soon revisit its policies and likely switch to passphrases with a minimum of 15 characters and maximum of 64.
“A passphrase of five words would take a hacker eight years to crack,” Noga said. “We are going to set the password expiration to one year and only have users change their password if we suspect suspicious activity or compromise. Passphrases are easier for users to remember, and allowing them to make a long enough passphrase that will be hard to crack within the password age we set.”
Remembering complex passwords or long passphrases can be difficult, so many use password managers. Southern Title is looking to purchase the business plan for the password manager Keeper. This will give staff the ability to access the program from multiple devices so the company can centrally manage accounts and allow for recovery.
“Password managers allow users to use a different password for every application and website they access,” Noga said. “All they need to remember is their password to their vault and they can have the manager randomly generate long complex passwords for everything else. The manager allows them to log on from the vault and it automatically fills in the credentials. This makes their lives much easier and more secure.”
Ken Kirkner, Director of Global Operations and SVP for Trident Land Transfer Co., agrees that password managers simplify the process. His company uses LastPass, which provides an extension for Chrome, Safari, Firefox, and other browsers.
“It is easy to use and a good route to go,” he added.
Genady Vishnevetsky, Stewart’s Chief Information Security Officer, says an additional security measure a title professional should employ is multifactor authentication for everything that supports it.
The American Land Title Association (ALTA) recently updated portions of its Title Insurance and Settlement Company Best Practices. One of the changes is the recommendation that companies use multifactor authentication for all remotely hosted accessible systems storing, transmitting or transferring non-public personal information.
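Multifactor authentication, as recommended above for every system that supports it, usually means a time-based one-time code from an authenticator app checked on the server. The following is an added example, not code from the article, from ALTA, or from any vendor named in it: a standard-library implementation of TOTP (RFC 6238) verification, including the clock-drift window and the replay check that refuses a code that has already been accepted once. The seed below is the RFC’s published test seed, not a real credential.

```python
# Added example (not from the article or from any vendor it names): server-side
# verification of a time-based one-time password (TOTP, RFC 6238), the second
# factor that authenticator apps generate. Standard library only.
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(b32: str) -> bytes:
    """Authenticator apps share the seed as base32; strip spaces, restore padding."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = floor(unix_time / step)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1, last_used=None):
    """Return the matching time-step counter, or None if the code is rejected.

    window: how many 30-second steps of clock drift to tolerate on each side.
    last_used: counter of the last accepted code; anything at or below it is
    refused, so a code that was phished or observed once cannot be replayed.
    """
    at = int(time.time()) if at is None else at
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if last_used is not None and counter <= last_used:
            continue
        # constant-time compare so the check does not leak matching digits
        if hmac.compare_digest(hotp(secret, counter), str(code)):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test seed (ASCII "12345678901234567890"), base32-encoded
    seed = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59:", totp(seed, at=59))
    print("accepted counter:", verify_totp(seed, "287082", at=59))
    print("replay:", verify_totp(seed, "287082", at=59, last_used=1))
```

The caller stores the returned counter as `last_used` for that user; on the next login the same counter is skipped, which is what turns a one-time code into something genuinely one-time even when the user was tricked into typing it into a look-alike page.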
Vishnevetsky added that user email protection services can help title agents protect against phishing attacks.
“Microsoft and Google both offer a solution as additional service,” he said. “There are standalone services such as Mimecast or Proofpoint that provide the same capabilities.”
As a security practitioner, Noga believes layered security is the best advice for businesses. Complete protection against attacks isn’t a reality. Noga said the best that can be achieved is to reduce the risk by putting in controls that will protect, detect and respond to incidents.
“The goal is to protect but be able to detect and respond when a protection fails,” he said. “The faster you can detect and respond the faster you can reduce the impact.”
In addition to multifactor authentication, examples of layers include a firewall, an intrusion detection and prevention system (IDS/IPS), data loss prevention, encryption (at rest and in transit), VPN access for remote users, next-gen endpoint protection (which replaces most antivirus programs that rely only on signature-based detection), security information and event management (to get visibility into your network and systems through log and event aggregation and correlation), patch management (updating firmware, operating systems, software, etc.), and security awareness training.
“These are just a few of the controls that work together in a layered defense, but security awareness training is really the best bet to combat this,” Noga said. “Spam and malware filters only catch about 10 to 15 percent of phishing emails. Educating users on spotting the red flags is truly the best route for combating social engineering attacks and scams.”
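The “detect and respond when a protection fails” layer above rests on the log aggregation and correlation a SIEM performs. The following is an added example, not code from the article or from any of the companies it quotes: a single correlation rule run over constructed sample authentication events, flagging a source address that produces several failed logins and then a success inside a short window, the usual footprint of guessed or phished credentials being used. The log format, addresses and user names are invented for the example.

```python
# Added example (not from the article): a log-correlation rule of the kind a
# SIEM runs, applied to constructed sample authentication events. It flags a
# source address that racks up several failed logins and then succeeds within
# a short window, so the team can respond while the impact is still small.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; format and values are invented for this example.
SAMPLE_LOG = """\
2019-03-04T09:00:01Z auth user=alice src=203.0.113.10 result=fail
2019-03-04T09:00:09Z auth user=alice src=203.0.113.10 result=fail
2019-03-04T09:00:15Z auth user=alice src=203.0.113.10 result=fail
2019-03-04T09:00:22Z auth user=alice src=203.0.113.10 result=fail
2019-03-04T09:00:31Z auth user=alice src=203.0.113.10 result=fail
2019-03-04T09:00:40Z auth user=alice src=203.0.113.10 result=success
2019-03-04T09:05:00Z auth user=bob src=198.51.100.7 result=fail
2019-03-04T09:05:12Z auth user=bob src=198.51.100.7 result=success
2019-03-04T11:30:00Z auth user=carol src=203.0.113.10 result=success
"""


def parse(line):
    """Turn one 'ts auth k=v k=v ...' line into a dict; None for junk lines."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "auth":
        return None
    event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def correlate(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for a success from a src with >= threshold recent fails."""
    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        fails = recent_fails[ev["src"]]
        # drop failures that have aged out of the correlation window
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()
        if ev["result"] == "fail":
            fails.append(ev["ts"])
        elif ev["result"] == "success" and len(fails) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(fails), "at": ev["ts"].isoformat()})
            fails.clear()  # one alert per burst, not one per later login
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Bob’s single mistyped password followed by a success stays below the threshold and produces nothing, while Alice’s five failures and then a success from the same address raise one alert; in a real deployment that alert would trigger the response plan (password reset, session revocation, a check of mail-forwarding rules) rather than just a printout.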
These scams often lead to wire transfer fraud. To help raise awareness and educate homebuyers as well as real estate and mortgage professionals about the risk and urgency of the problem, ALTA launched the national Coalition to Stop Real Estate Wire Fraud in July 2019.
“For many individuals, buying a home can be stressful, confusing, and filled with a lot of paperwork to send and sign,” said Diane Tomb, ALTA’s CEO. “In recent years, we’ve seen the rise of a sophisticated type of fraud by cybercriminals who prey on these facts. The coalition raises awareness and educates consumers, especially first-time homebuyers, about how they protect themselves. We want to identify and empower those who have been victimized to tell their story and advocate for solutions.”
The coalition outlines easy steps that consumers and professionals can follow to combat real estate wire fraud. Professionals should:
- Warn Early and Often: Make sure your clients know about the growing and looming threat of real estate wire transfer fraud.
- Educate: Remind your client that you will not email changes to wiring instructions or payment information.
- Call: Tell your client to call you via a known phone number to confirm all wiring instructions, and again soon after they make any wire transfer.
- Create: Within your company, establish a rapid response plan for wire fraud incidents.