Cyber-Attacks On Real Estate Businesses Increasing Amid Work From Home (How To Protect Yourself) - Stepps
7 minute read

Cybersecurity experts predicted that in 2021, there would be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.

As the ongoing pandemic has a larger segment of the population working from home — with all of its attendant distractions — and the setting is ripe for exploitation. The humble home router has become the surface attack, and the harried, hurried, tired and stressed employee the target of choice. It’s no wonder that within months of the pandemic’s first lockdown, over 4,000 malicious COVID sites popped up on the internet.

How often do cyberattacks occur?

Cyber attacks hit businesses every day. Former Cisco CEO John Chambers once said, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.”

Why do cyber-attacks happen?

Cybercrime has increased every year as people try to benefit from vulnerable business systems. Often, attackers are looking for ransom: 53 per cent of cyber-attacks resulted in damages of $500,000 or more.

Cyberthreats can also be launched with ulterior motives. Some attackers look to obliterate systems and data as a form of “hacktivism.”

What is a botnet?

A botnet is a network of devices that has been infected with malicious software, such as a virus. Attackers can control a botnet as a group without the owner’s knowledge with the goal of increasing the magnitude of their attacks. Often, a botnet is used to overwhelm systems in a distributed-denial-of-service attack (DDoS) attack.

Why is the real estate industry particularly vulnerable?

While the motives behind a cyber attack can be wide-reaching, attackers target real estate businesses mainly for the following reasons:

  1. To gain a competitive advantage
  2. To access sensitive data stored in the CRM, trust account software and/or website
  3. To gain a financial benefit
  4. For fun (Yes, there are people out there who do this for fun)

One of the other reasons real estate businesses are particularly vulnerable, despite all of the advice out there, is because of the unfortunate lax approach by many businesses toward cyber security.

Common types of attacks


Malware is a term used to describe malicious software, including spyware, ransomware, viruses, and worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or email attachment that then installs risky software. Once inside the system, malware can do the following:

  • Blocks access to key components of the network or data in your software systems (ransomware)
  • Installs malware or additional harmful software
  • Covertly obtains information by transmitting data from the hard drive (spyware)
  • Disrupts certain components and renders the system inoperable

How to protect yourself against malware attacks: 

  1. Keep your computer and software updated
  2. Use a non-administrator account whenever possible
  3. Think twice before clicking links or downloading anything
  4. Be careful about opening email attachments or images
  5. Don’t trust pop-up windows that ask you to download software
  6. Limit your file-sharing
  7. Use antivirus software
  8. Ensure that your email has business-level anti-spam protection
  9. Ensure your staff are regularly trained on how to act when a suspicious email arrives in their inbox


Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine. Phishing is an increasingly common cyberthreat.

How to protect yourself against phishing attacks: 

  1. Employ common sense before handing over sensitive information. When you get an alert from your bank or other major institution, never click the link in the email. Instead, open your browser window and type the address directly into the URL field so you can make sure the site is real.
  2. Never trust alarming messages. Most reputable companies will not request personally identifiable information or account details, via email. This includes your bank, insurance company, and any company you do business with. If you ever receive an email asking for any type of account information, immediately delete it and then call the company to confirm that your account is OK.
  3. Do not open attachments in these suspicious or strange emails — especially Word, Excel, PowerPoint or PDF attachments.
  4. Avoid clicking embedded links in emails at all times, because these can be seeded with malware. Be cautious when receiving messages from vendors or third parties; never click on embedded URLs in the original message. Instead, visit the site directly by typing in the correct URL address to verify the request, and review the vendor’s contact policies and procedures for requesting information.
  5. Keep your software and operating system up to date. Windows OS products are often targets of phishing and other malicious attacks, so be sure you’re secure and up to date. Especially for those still running anything older than Windows 10.

Denial-of-Service (DDoS)

A denial-of-service attack is whereby a website, server, or network is flooded with large volumes of traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfil legitimate requests, preventing regular visitors from accessing your website. Attackers can also use compromised devices, all linked together around the world, to launch this type of attack.

This is known as a distributed-denial-of-service (DDoS) attack and it is increasingly becoming more common on real estate websites.

How to protect yourself against DDoS attacks: 

Even with the strongest and/or most sophisticated firewall in place, DDoS attacks can still occur. One of the biggest mistakes that real estate website developers make is using plugins (typically WordPress plugins) to manage their firewall rules. You need to ensure that your website developer is blocking malicious traffic BEFORE it reaches your website in the first place.

This is done at the server level or via a CDN (content delivery network). WordPress plugins will not prevent a large scale DDoS attack from being performed and such plugins will also slow your website down due to the resources required for the plugin to work. You should avoid using security plugins on your website for these reasons and instead insist to your website provider to implement a system that blocks malicious traffic from ever reaching your website.

Platforms such as Cloudflare sit between your visitors and your website and, in simple terms, it will determine what is good vs. bad traffic – allowing the good and blocking the bad. It also has automated DDoS protection, even on the free version, and allows you to configure more advanced rules should you notice any strange traffic patterns.

Relying on humans (your web developer generally) to manually respond to DDoS attacks is not ideal. You need automated rules in place to ensure that your website is protected. Cloudflare will help you to prevent and mitigate DDoS attacks like this one below, performed on a small independent real estate business whereby the attacker used compromised servers from around the world to flood this website with significant levels of traffic for weeks on end.

The screenshot below shows a snippet of traffic from a 12 hour period whereby 144 million requests flooded the website but were all blocked automatically by Cloudflare’s DDoS detection, Web Application Firewall (WAF) and custom firewall rules.

Typically, DDoS attacks have been known to last for up to 72 hours. However, the example above lasted 3 weeks and was performed on a small independent real estate business, proving that this type of attack can happen to anyone. A DDoS attack can be ordered on the “dark web” for as little as $50 USD.

Cyber Insurance

Cyber-attacks can be very expensive with the current average cost of an attack on a small to medium sized business estimated at $1.9m.

An increasingly important part of running a business today, Cyber insurance is one of the fastest-growing products in the insurance world and real estate is one of the fastest industries to adopt it. Although there are ways to report cyber-attacks, it is very rare that an attacker is found and/or charged.

You must adopt a defence mindset with your cyber security and cyber insurance may just be the peace of mind you need if you ever fall victim to one of these attacks.

In closing…

You’ve worked hard to get your business to where it is today, but one successful cyber-attack could be all it takes to cause significant damage to your organisation and reputation. Cyber threats are becoming more sophisticated with advances in hacking, malware and social engineering techniques. One security breach could corrupt your business’s critical data, causing financial loss, reputational damage and liability to third parties.

Do you have everything in place to protect your business as best you can? I certainly hope that you do, or that you will.

Disclaimer: Reference in this article to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute an endorsement, recommendation, or favouring by Stepps Pty Ltd ATF The Stepps Unit Trust. The contents in this article do not constitute legal or financial advice, are not intended to be a substitute for legal or financial advice and should not be relied upon as such. You should seek legal and financial advice or other professional advice in relation to any particular matters you or your organisation may have in relation to the content in this article.

Author: Josh Cobb

Phone Number: 0427 184 183

Email Address: [email protected]

Stepps was founded by Josh Cobb in 2014. Josh has advised more than 100 brands since starting the company and hundreds of agents who have attended his workshops. He is the host of the popular Real Estate Pros podcast, oversees digital strategy for top performing real estate agents and teams, and travels the globe with several international speaking engagements each year.

Josh was named as a finalist in the REB Awards for Industry Thought Leader of The Year in 2017, 2018 and the winner of  Brisbane Young Entrepreneur of The Year 2017 – Marketing, PR & Events and a finalist for the same award in 2020.

In addition to web development and digital strategy consulting, the company also runs Stepps Media, a fast-growing education company that produces an iTunes top-ranked podcasttraining events, email and webinars.