Online Self-Defense

A Common Tactic

All too often I receive forwarded emails from worried agents who suspect their email accounts have been 'hacked' when in reality they have been a target of a phishing or spear-phishing attack. Phishing is the practice of sending emails that appear to be from reputable companies or contacts in an effort to obtain personal information from the recipient; passwords, credit cards or the like. Spear-Phishing takes it up a notch, in which the emails appear to be from a known or trusted sender and thus lower the guard of their target individuals in hopes that they reveal confidential information.

​In either case, the target had not been 'hacked' but unknowingly volunteered the sensitive information or passwords to the Phisher. Often times falling victim to a Phishing attempt in which they attacker successfully obtained your email password will allow the Phisher to them use your account to conduct Spear-Phishing on other users. 

Real Estate agents are perfect targets with their personal information listed online and a desire to quickly respond to leads. With Phishing on the rise, how can you protect yourself? 

Use Common Sense

That all-cash 1.5 million dollar buyer looking to write a offer that same day and who provided a link to their itemized list of criteria with no phone number or reference to a property... you guessed it - is probably fake. If it feels to good to be true it likely is. Your gut feeling is usually right when something feels off, trust that and proceed with caution. You know who you've been doing business with, who's previewed your property, what your contacts typically sound like when they correspond with you, what the 'norm' is for inquiries from clients... TRUST YOUR GUT! 

Best Practices

1. Don't respond to emails that request personal or financial information. Banks or e-commerce companies generally personalize emails, while phishers do not. Phishers often include false but sensational messages, (e.g. "Urgent - your account details may have been stolen") in order to get an immediate reaction. Reputable companies don't ask their customers for passwords or account details in an email. Even if you think the email may be legitimate, don't respond. Contact the company by phone or by visiting their website. Pick up the phone and speak to a real person, or type the URL in yourself by hand rather than clicking a link in a suspicious email.
2. Do not click on links, download files or open attachments in email from unknown senders. Always be cautious about opening attachments and downloading files from emails, no matter who they are from. Call the individual and confirm they sent you attachments if you question their authenticity. 
3. Beware of the “From” email name. A favorite phishing tactic among cybercriminals is to spoof the From/display name of an email. More than half of 760,000 email threats targeting 40 of the world’s largest brands! Here’s how it works: If a fraudster wanted to spoof the hypothetical brand “Acme Bank,” the email may look something like:
   
   To: You <you.name@kw.com>
   From: Acme Bank<customerservice@secure.com> 
   Subject: Suspicious Login Attempt
   
   While Acme Bank doesn’t own “secure.com” this email still appears legitimate because most user inboxes only present the display name (Acme Bank). Don’t trust the display name. Check the full email address — if it looks suspicious, don’t open the email.
4. Check to ensure the website you are visiting is secure. Before submitting your personal or other sensitive information, there are a couple of checks you can do to help ensure the site uses encryption to protect your personal data.
   - Check the web address in the address bar. If the website you are visiting is on a secure server it should start with "https://" ("s" for security) rather than the usual "http://."
   - Also look for a lock icon on the browser's status bar. You can check the level of encryption, expressed in bits, by hovering over the icon with your cursor.
   - Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). 
   -Note that the fact that the website is using encryption doesn't necessarily mean that the website is legitimate. It only tells you that data is being sent in encrypted form.
5. Be extremely cautious with passwords, personal data, and emails. Most banks have a security page on their website with information on carrying out safe transactions, as well as the usual advice relating to personal data. 
   - Never share your pin numbers or passwords with anyone.
   - Do not use the same password for all your online accounts.
   - Change your passwords every 90 days.
   - Avoid opening or replying to spam emails, as this will give the sender confirmation they have reached a live address.
   - Use common sense when reading emails. If something seems implausible or too good to be true, then it probably is.
6. Keep your computer secure. Some phishing emails or other spam may contain software that can record information on your internet activities (spyware) or open a 'backdoor' to allow hackers access to your computer (Trojans). Installing antivirus software and keeping it up to date will help detect and disable malicious software, while using anti-spam software will stop phishing emails from reaching you. 
7. Always beware of urgent or threatening language in the subject line. Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt”.
8. Always review the “signature block” of an email. Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate, reputable businesses always provide contact details.
9. Check for spelling mistakes. Reputable, legitimate brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.
10. Analyze email salutations. Is the email addressed to a vague “Valued Customer”? If so, watch out—legitimate businesses will often use a personal salutation with your first and last name.
11. Always report suspicious activity. If you receive an email that appears in any way to be a phishing attack, report it to the the local IT person (support@kw.com) immediately and any other chain of command for security incident escalation right away.

For more information on how to recognize and avoid phishing attacks check out this info-graphic.