To PGP, or not to PGP, that is the question (that can get a Realtor’s ass sued)

Today I was sent an article from several of my real estate pals about an unfortunate incident involving an email scam. From what I can find in the news articles, a buyer received an email from her agent saying that $10,000 was needed for title insurance. The problem was, it wasn’t the realtor who sent the message, and now this buyer is out $10,000.

Realtor’s security breach costs young home buyer $10K

All around this has been a really unfortunate story. What’s killing me though is the response. By now you’d expect I’d have learned to not read the comments that come with these articles, but it’s tech and real estate and apparently I’m some kind of masochist, so I dove in.

My first issue is with the buyer’s lawyer’s statement:

“But the brokerage says “when used properly” Gmail can be a safe means for business email.
Lawyer Samantha Keser, who represents DiMarco, disagrees.
She calls the agent and the brokerage “negligent” for not using email servers with firewalls and encryption software to handle sensitive, personal information.”

Now, the article itself is lacking some information, so this is going to be speculation on my part based off of my personal experience as an IT person and having worked with Realtors for the past 3 years. I don’t think this was some master hacker running a man-in-the-middle attack on the Realtor’s network, cracking her passwords, or any super spy stuff you see in the movies. I can almost guarantee that the vulnerability in the agent’s email account came from one of the following:

  1. A phishing scam to get the agent’s login info, much like the scam that took the money from the buyer
  2. An insecure password recovery question like “What’s my dog’s name” where the answer is easily found online
  3. She left her account logged in somewhere publicly accessible

Email spoofing is also insanely easy to do, and it can make it seem like the email came from the Realtor’s account. But assuming the reporters got their terminology correct, they seem to be implying that the account was hacked and the person was able to send emails as the Realtor from within the account.
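The two cases above (a spoofed From address versus mail really sent from inside the account) leave different traces in the headers the recipient's mail server adds. The following is an added example, not part of the original post: the messages, domains and the `mx.example.net` server name are constructed, and it assumes the receiving server records SPF/DKIM/DMARC verdicts in an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; all names and domains are placeholders.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=agent-realty.example;
 dkim=none; dmarc=fail header.from=agent-realty.example
From: "Your Agent" <agent@agent-realty.example>
Reply-To: agent.realty@freemail.example

Please send the title insurance payment today.
"""

FROM_ACCOUNT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=agent-realty.example;
 dkim=pass header.d=agent-realty.example;
 dmarc=pass header.from=agent-realty.example
From: "Your Agent" <agent@agent-realty.example>

Please send the title insurance payment today.
"""

def domain_of(header_value):
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from our own server's header."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # a sender can forge this header; ignore foreign ones
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, verdict.lower())
    return results

def triage(raw, trusted_authserv="mx.example.net"):
    msg = message_from_string(raw)
    res = auth_results(msg, trusted_authserv)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom
    if res.get("dmarc") != "pass":
        return "unauthenticated"   # From address is likely spoofed
    # DMARC pass: mail left the From domain's system (genuine or hijacked account)
    return "authenticated" if reply_dom == from_dom else "reply-diverted"
```

An "authenticated" result only shows the message came through the sender's real mail system; it is exactly what a hijacked account produces, so the payment request itself still has to be confirmed by phone or in person.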

The lawyer mentioned Gmail being an insecure platform. Except that it’s been widely recognized that Google Apps for Business is a solid choice for small businesses. Now as for the claims that she should have been using a firewall and encryption? If this was someone using a brute force password attack after managing to break their way onto her network, then maybe that would have helped. But regardless of whether it was the Realtor’s account that was compromised, or an email spoofing scam that the buyer responded to, the fact remains that the security is only as strong as the person who holds the keys.

All the encryption in the world isn’t going to save her if she was caught in a scam and gave the information they needed to get in. Demanding that the agent should have encrypted her email is like a child demanding a nightlight to keep them safe. It’ll make them feel better, but if they left the door unlocked the monsters can still get in.

In the mix among all the comments are everything from victim shaming to a witch hunt against the Realtor. The way I see it, both got duped. It’s unfortunate, police should be involved, but a lawsuit based on the claim that the Realtor should have encrypted her email is ridiculous.

I’ll be curious to see the outcome of this if it goes to court. I imagine that, because as Realtors we owe our clients a fiduciary duty, there is more liability and a higher standard of care expected of the realtor than if it was just a friend whose email was hacked. Requiring all realtors to use encryption and two step authentication though? The Ottawa Real Estate Board, up until last month, still required me to tell them my MLX password verbally over the phone to verify me. Seeing them implement encryption would be possibly the funniest and most painful thing I’ve ever seen.

One thought on “To PGP, or not to PGP, that is the question (that can get a Realtor’s ass sued)”

  1. This is spot on.

    I used to do security vulnerability testing for companies as a freelance job. I got paid to try to hack into different systems. I was good. I’m on many “lists” because of how good I was.

    That being said, hacking Gmail? You’re right, it’s not likely the case. They probably got in the same way anyone’s mother would — By asking you for your information (be it scamming your user/pass combo out of you, figuring out your security questions, or hell, just sitting at your computer or using your email for a few moments).

    Gmail (and especially Google Apps for Business) *is* secured by a firewall. Google blocks all sorts of bad login attempts daily. Also if you try to brute force any Google domain or service, you’ll likely be unavailable for a couple of weeks. Google also makes it easy to change and upgrade your security levels:

    https://myaccount.google.com/?pli=1
    https://support.google.com/mail/checklist/2986618?hl=en

    What the courts will find is that the Realtor and Brokerage are not financially responsible for the loss of $10,000 to the buyer as long as they can prove (with Google’s help) that the email was sent by someone else. That’s the burden of proof that will make or break this case. If someone sat down at the Realtor’s computer, sent an email, and managed to thereafter collect the $10,000…. Well then maybe the Realtor and the Realtor’s Brokerage better hire legal help.
