By Dan Franklin, Director of Commercial Real Estate, River City Bank
Large financial transactions are a routine part of doing business in the CRE industry, which has made it a prime target for a growing and sophisticated threat: cyberfraud, which has cost companies and investors billions of dollars with devasting financial and reputational consequences.
How does it occur? Cyberfraud can take many forms, but a common scenario involves Business Email Compromise whereby the cybercriminal gains access to the victim’s email. This access is often gained via a phishing attack, which involves the victim accidentally revealing sensitive information (username and password) or installing malware. This tends to occur when the cybercriminal sends an email (but it can also be texts, phone calls, or other communications) that encourages an action, such as clicking a link, often by instilling a combination of fear and sense of urgency (e.g. “fraudulent activity has been detected in your bank account…click here to review transactions”).
Once the criminal intruder gains access, they tend to lie in wait, observing how you conduct business – who you work with, who approves transactions, what transactions are normal, etc. Once they gain sufficient knowledge about your activities, they strike! They might pretend to be an escrow agent and send you updated wire instructions for an upcoming closing. Or perhaps they’ll impersonate your company’s CFO or CEO, instructing you to execute a transaction. It can take many forms, and the criminals are sophisticated and creative. And if their deception works, you could lose millions.
Impact of Being Defrauded. In addition to the material loss of capital, you could also incur operational damages due to transactions not closing, the need to change account numbers, and simply being distracted from your core business in a major way. Furthermore, there could be reputational damages as your tenants, investors, and other business partners may have a deteriorated level of confidence in your firm.
Who are the Cybercriminals? The old stereotypes of a hacker being a young person in a basement or someone that composes an email full of misspellings and poor grammar are long gone. Instead, many modern cybercriminals are sophisticated organizations operating overseas that have training programs, collaboration between hackers, etc. They are organized, sophisticated, adaptive to changes in technology, and will only get better as they adopt modern technologies such as generative AI.
Trending the Wrong Direction. As depicted below, losses from cyberfraud have been trending upward. And for the uninformed potential victim, the threat is even more severe than the data suggests considering that during this same period, companies have been rapidly deploying campaigns to generate awareness of cyberthreats. In other words, we are losing the battle against cyberfraud as the criminals continue to gain more ground each year despite our efforts to counteract it.
What Can You Do?
- Verify Wire Instructions Through Multiple Channels. Always confirm wire instructions through a secure, independent communication channel. If you receive an email with updated wire instructions, do not rely solely on that email. Instead, call the recipient using a verified phone number to confirm the details. Avoid using any contact information provided in the suspicious email, as it may be fraudulent.
- Use Secure Communication Channels. Avoid discussing sensitive financial information, such as wire instructions, via email. Instead, use encrypted email platforms or secure online portals.
- Educate Your Team. Human error was found to be responsible for 68% of incidents according to Verizon’s 2024 Data Breach Investigations Report. It is crucial to educate employees, partners, and key vendors (e.g. property managers) about cybersecurity risks and how to recognize potential scams. Turn-key training programs are available from reputable vendors such as KnowBe4.
- Implement Multi-Factor Authentication (MFA). This security measure requires users to verify their identity using two or more methods, such as a password and a one-time code sent to their phone. This additional layer of security makes it much harder for cybercriminals to infiltrate your system.
- Be Wary of Last-Minute Changes. Cybercriminals often rely on the sense of urgency that exists right before a transaction closes to make their move. Trust your gut and always verify changes independently as previously mentioned.
- Monitor Financial Accounts.If fraud is discovered quickly, you may be able to recover some funds.
- Cyberfraud Insurance. Consider purchasing a policy and make sure to review the coverage to ensure wire fraud and business email compromise incidents are covered.
What to Do if You’ve Become a Victim. Immediate action is crucial. Contact your bank and request a wire recall as soon as possible. Additionally, report the incident to the FBI’s Internet Crime Complaint Center (IC3) https://www.ic3.gov and local law enforcement. The sooner you act, the better your chances of recovering the stolen funds.
Cyberfraud is a serious threat to the CRE industry that is only getting worse. At River City Bank, we take it very seriously and have implemented operational best practices accordingly. However, safeguarding financial accounts is a team effort since cybercriminals will naturally gravitate towards the weakest link. Therefore, it’s vital that bank clients participate in the fight by taking certain actions such as those listed above to ensure an overall strong defensive position to this growing threat.
Dan Franklin manages all of River City Bank’s commercial real estate origination activity throughout California and the western United States. Since joining the bank in 2008, Dan has served in various commercial banking roles, including years as Commercial Banking Director, Business Development Officer, and Relationship Manager. A recipient of the Chartered Financial Analyst designation, Dan received his undergraduate and MBA degrees from the University of California at Davis.