Small real estate businesses, agents and their clients are increasingly becoming targets of sophisticated cyber scammers, according to panelists at a risk management forum at the 2015 National Association of REALTORS® (NAR) Conference & Expo held last month in San Diego. The panelists discussed potential threats and offered tips for agents to protect themselves, their business, and their clients from cyberattacks.

NAR technology policy expert Melanie Wyne said the news often focuses on large companies falling victim to hackers, but small businesses, which often lack the vast technology and legal teams of larger businesses, actually experience majority of attacks.

“Small businesses need to pay just as much attention as large companies to possible cyber threats,” said Wyne.

Darity Wesley, founder of the Lotus Law Center, said hackers are seeking personal identifiable information, such as credit card or bank account information, login credentials, employment details or a physical address, email address, and phone or social security number.

“Identity thieves can do a lot of damage with this information; your credit and whole life could be ruined,” warned Wesley.

Wyne said businesses can suffer financial harm from expenses resulting from a data breach, legal risks from lawsuits from clients or others impacted by the hack, and reputational risks from having to publicly disclose the hack. While cloud and free public Wi-Fi services are convenient for business, they are never completely secure.

Wyne recommended researching the level of security these companies are employing before using their services and storing information or documents into them. She also recommended agents ask these services to be indemnified in case the service is hacked. Anyone using a free email service for business should encrypt emails with client data.

Jessica Edgerton, NAR associate counsel, said in recent months, real estate professionals have reported an upswing in spear phishing, a particular wire scam where a hacker breaks into an agent’s email account and obtains information about an upcoming real estate transaction. After monitoring the account, the hacker will send a mock email to the buyer as they near closing, posing as the agent or someone from the title company and requesting that the buyer wire transaction-related funds.

Edgerton related one situation in which a first-time buyer lost $13,000 when they wired funds to what they thought was the title company. Another attempt to scam a buyer in the Philippines out of $800,000 was intercepted on its way to Russia.

Edgerton recommended agents inform their clients at the beginning of any transaction about this scam. If buyers receive an email about wiring funds, they should immediately call their agent on the phone and confirm.

“It’s a fail-safe measure to call first before you send the money,” said Edgerton.

Wesley added, “It is good basic practice and most important to always communicate with your buyer.”

Although NAR has been advocating a uniform federal law for years, the majority of laws currently governing data security are at the state level, so it is important for agents to know the state laws regarding data security and privacy that affect their organization. California adopted the first data security breach notification law in 2003. Nearly 40 other states have since adopted similar laws modeled after the California law.

The panelists recommended strong passwords, developing a data security program, and implementing safeguards to protect private data. A privacy policy disclosing some or all of the ways the business collects, shares, protects, and destroys personal client information is also good business practice.

The panelists emphasized in today’s Internet world, “you are never completely secure.” With cybercriminals becoming more sophisticated, businesses constantly need to keep abreast of new data security enhancements.