Scam Prevention: The Case For Two-Step Authentication
Tuesday, September 5, 2017
By Thomas Scott
The article "Scams And Spams And Phishes" in the September/October issue of Orlando REALTOR® magazine describe recent scams directed to local REALTORS®.
I have found that there is a particularly prevalent method criminals get access to REALTORS®' e-mail accounts - then everything else about their business. Their methods makes it clear that two-step authentication, where a code is sent via text, is critical for security of our e-mail and records.
Criminals do not use sophisticated software to hack e-mail accounts. My experience is that most of the time, they simply trick a REALTOR® into giving up their password.
We get a small handful of these e-mails every week and have for several years. They come in as a full-price cash offer on a listing, a cash buyer who wants to hire us as their buyer agent to purchase a property, another REALTOR® offering us a referral, etc. The varieties of theses types of emails are numerous. But they all have one thing in common: juicy bait and a link to click to retrieve the offer, proof of funds, referral information, etc.
That link goes to a page that asks for the REALTORS®' e-mail address and password. It looks like the real thing. If Gmail, it looks like a Gmail log-in page. It's the same for Outlook, Exchange, AOL, Yahoo, etc. Then the REALTOR® just gives up their e-mail address and password, thinking they are logging into their own e-mail account’s webpage (or for Google, Google Docs).
Here is the related policy used by the Jean Scott Homes team under Keller Williams Advantage Rlty:
• We NEVER click a link to retrieve a document, including a link in an attached PDF.
• For offers, our instructions are to e-mail them as a PDF attached, and please not a link to DotLoop, DocuSign, etc.
• For contract management applications such as DotLoop and DocuSign, we sometimes we make a careful exception. We make sure the link actually goes to that website’s domain (http://www.DomainName.com), and we never enter our e-mail address password. (In addition we have different passwords for those two systems).
• If we aren’t sure, we reply, “Please send the entire offer, proof of funds, referral, etc. as a PDF attached to an email. Our email system blocks links to documents as a security measure”. And we will try calling if a phone number is included.
• We turn on two-step authentication whenever available. Even if the bad guys get or guess your password, they won’t have your phone to get the text code.
If an agent’s provider doesn’t offer two-step authentication, that agent should change providers. Security of our e-mail system and contents is that important. Google, Gmail, and Microsoft/Office 365 all offer two-step authentication. Agents can also move personalized domains to them as well.
Thomas Scott, GRI, Keller Williams Advantage Rlty, is operations and marketing manager for the Jean Scott Homes team. He can be reached at firstname.lastname@example.org.