Skip to main content

5 minute read

In an age where digital transformation is at the forefront of every industry, the real estate sector is increasingly becoming a target for sophisticated cyber threats. This report, drawing from real estate industry cyber data as well as the Australian Signals Directorate (ASD) Cyber Threat Report 2022-2023, aims to decode the complexities of these threats and offer actionable insights for real estate businesses.

The notion that the industry may be “sleepwalking into a major cyber event” is alarming yet a realistic assessment given the trends and case studies explored herein.

Executive Summary

The ASD’s analysis for FY 2022-23 underscores the heightened cyber risks facing Australia, with the real estate sector being no exception. Over 1,100 cyber security incidents were responded to, and nearly 94,000 reports were made to law enforcement, showcasing the scale of the threat.

The year saw state actors focusing on critical infrastructure, including real estate, for data theft and business disruption. Cybercriminals evolved their tactics, with business email compromise (BEC) and ransomware attacks becoming increasingly prevalent. The rapid exploitation of vulnerabilities within 48 hours of their identification further accentuates the need for robust cyber security measures.

Year in Review: Key Statistics

  • Cost of Cybercrime: Small business ($46,000), medium business ($97,200), large business ($71,600), up 14%.
  • Cybercrime Reports: Nearly 94,000 reports (on average a report every 6 minutes), a 23% increase.
  • Calls to Cyber Security Hotline: Over 33,000, up 32%.
  • Top Cybercrime Types for Business: Email compromise, BEC fraud, online banking fraud.

Real Estate Industry Examples:

Cyber attacks hit real estate businesses every day. Former Cisco CEO John Chambers once said, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.”

This ominous statement is particularly prevalent in the minds of these two businesses who experienced serious and chilling cyber attacks in 2023.

Example A: Mid-large agency (Business Email Compromise Fraud)

One of the agents within this agency had their email credentials compromised in a phishing attack.

Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like login information, as was the case here.

The agent was sent an email from what seemed to be a legitimate email from one of the major portals requesting they verify their credentials. The hacker retrieved the agent’s email login via a ‘phishing page’ (a fake login page) and proceeded to log into the agents inbox. The hacker then collected the details of multiple people making an offer on a particular property, of which the agent was receiving via email.

The hacker then retrieved a copy of the contract for the property in question and changed only the bank account details. The hacker then contacted each person who had made an offer on the property, from a fake email address that looked very similar to the agent’s email address, stating they had been successful and to transfer their deposit into the nominated bank account on the contract of sale they had attached to the email…

In this instance, seven people in total were contacted with the same message and a request to transfer a deposit to secure the property.

Luckily, each person had shared the email with their solicitors who quickly noticed the amount being requested was not in line with the regulations for a deposit amount and immediately contacted the agent by phone to verify the legitimacy of the email where the scam was uncovered and no monies were transferred by any party (thankfully!).

How to prevent Business Email Compromise Fraud: 

  • Employee and Client Education: Regular training and communication on identifying phishing and BEC attempts.
  • Verification Protocols: Implement a strict protocol for verifying changes in payment details, including direct phone calls to known contacts.
  • Email Security Measures: Use email filtering tools and multi-factor authentication to secure email accounts.
  • Financial Control Measures: Establish internal controls for financial transactions, such as dual approval for large payments.

Example B: Small Agency (DDoS Attack)

This agency was the target of a large scale DDoS (Distributed Denial of Service) attack.

A denial-of-service attack is whereby a website, server, or network is flooded with large volumes of traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfil legitimate requests, preventing regular visitors from accessing your website. Attackers can also use compromised devices, all linked together around the world, to launch this type of attack.

This is known as a distributed-denial-of-service (DDoS) attack and it is increasingly becoming more common on real estate websites.

The screenshot below shows a snippet of traffic from a 12 hour period whereby 144 million requests flooded the agency’s website.

Typically, DDoS attacks have been known to last for up to 72 hours. However, the example above lasted 3 weeks and was performed on a small independent real estate business, proving that this type of attack can happen to anyone. A DDoS attack can be ordered on the “dark web” for as little as $50 USD, perhaps by a disgruntled ex-tenant, client or former staff member.

In this agency’s case, their web developer was using Cloudflare on their website – a cyber security and website performance platform – which blocked all of the malicious requests and allowed their website to be unaffected by the attack.

How to prevent DDoS Attacks: 

  • Cloudflare: Leverage Cloudflare’s robust DDoS protection services. Cloudflare can detect and mitigate large-scale DDoS attacks, ensuring your platform remains operational.
  • Network Redundancy: Implement redundant network paths and servers to distribute the load during an attack.
  • Regular Monitoring: Continuously monitor network traffic to detect and respond to unusual spikes promptly.
  • Incident Response Plan: Develop a comprehensive incident response plan that includes procedures for mitigating and recovering from DDoS attacks.
  • Security Focused Provider: Work with a website provider who takes cyber security seriously.

In closing:

The real estate sector must awaken to the reality of cyber threats. The statement “There are two types of real estate businesses – those who have been hacked and those who don’t know that they’ve been hacked,” is a stark reminder of the pervasive nature of these threats. The ASD’s report and the case studies we’ve shared here serve as a call to action for proactive measures and heightened vigilance in the digital landscape for all real estate businesses.


Close Menu