Cybercrime – Don’t be the Easy Target
Antivirus – A common misconception is that Macs don’t get viruses or malware. The reality is that in the past it was much more lucrative to target Windows because there were just more of them. As Macs have become more popular, so has writing viruses and viruses to target Macs. Every computer needs antivirus and antimalware software because you don’t want to be the reason your customer’s data gets transferred to a scammer. Be careful of licensing on antivirus since most “free” antivirus products are only free for personal use and not for business use. One great antivirus that’s free for both personal and business use and also works on both Windows Computers and Mac Computers is Bitdefender: https://www.bitdefender.com/solutions/free.html. Paying for the solution gets you a lot more benefits and a lot better protection, but at the bare minimum everyone should have antivirus. Important aspects of paid anvitirus are periodic (as well as real-time) scanning and a reporting structure so you know when there are repeat attacks.
SPF Records – If you have your own domain name that you’re sending e-mail from, SPF records tell people which servers are allowed to send mail on your behalf. This makes it a LOT harder for a spammer to send e-mail pretending to be you. When you’re sending out e-mail without SPF Records, the recipient doesn’t know whether to “trust” your e-mail so it will show your client the e-mail regardless. Once you have SPF records setup, the recipient knows NOT to trust it if it doesn’t match your SPF record and service like Hotmail, Gmail, and Yahoo are all setup to look for this and “red flag” or even send to “junk” where messages don’t match. SPF Records can be complex, but there are several sites that will help you set one up and then it’s just like adding a new site to your website: https://www.spfwizard.net/
DKIM & DMARC Records – Where SPF records tell your clients where your mail can come from, DKIM records take it a step farther and “tag” your e-mail so that the recipient can be sure the message came from your servers. These are a bit more complex to setup, but most mail providers will have instructions for how to set them up. The combination of SPF and DKIM means that a recipient will be very unlikely to receive a message that has your e-mail address but didn’t actually come from you. DMARC tells your client what to do when DKIM doesn’t “match up” (you can reject outright or send it to “junk” mail or just let it pass through). Again, most providers will “red flag” matches regardless of what your DMARC says, but DMARC gives you control on what to do.
Google Apps: https://support.google.com/a/answer/174124?hl=en
Education & Phishing Tests – The number one thing that scammers are relying on is the lack of knowledge or the trust that people have in an e-mail that they receive. Since you can’t prevent every scam from getting through, educating your team about what to look for and how to prevent scammers is one of the best ways to prevent cybercrime. KnowBe4 offers a great set of free tools to check your domain for problems, but also has a free Phishing test that you can send out to your users to see how many of your team would respond to a phishing scam. https://www.knowbe4.com/phishing-security-test-offer. Scammers use familiar names and “one off” e-mail addresses to hone in on their targets (called “Spear Phishing”) and KnowBe4’s test lets you try it out and see how vulnerable you are. You can also use Sonicwall’s Phishing IQ Test at https://www.sonicwall.com/en-us/phishing-iq-test-landing to see in more general terms how well you or your team would recognize phishing, but KnowBe4’s security test is a great one time resource for checking.
Your Own Domain Name – If you’re using a free e-mail service (gmail, outlook.com, yahoo, etc) then you’re presenting a good opportunity for a scammer to scam your clients. While a free e-mail service itself isn’t any less secure than a paid service, your clients can’t just look at the domain name to know that it came from you. your.nameI13@gmail.com and firstname.lastname@example.org look a LOT a like when a client is looking at them, but those are two different e-mail addresses. And since it’s free for a scammer to make as many e-mails that LOOK like yours as they want, they have a good opportunity for scamming your clients by making an address that LOOKS like yours. Getting your own domain name and only e-mailing out of that means that they have to invest money into getting an e-mail that looks like yours. Your own domain name will probably run you around $20 a year at most for the domain and then a small cost for e-mail services based on your needs. If you like Outlook, Exchange Online (https://products.office.com/en-us/exchange/exchange-online) offers online services that function identically to outlook.com but let you use your own domain name and run around $4.00 per user per month. If you prefer gmail, G-Suite is gmail for your business starting at around $5.00 per user per month. Combine this with the free tips above and a spammer won’t be spoofing your e-mail address at all. While they’ll still use free services to try to pretend to be you, you can combat this by educating your clients about what your e-mails look like and where they’ll be coming from.
Spam & Phishing Filter – Preventing your team from seeing phishing attempts is a great way to stop scammers in their tracks. There are a lot of robust filtering services that will catch mail before it gets to you and weed out the more obvious attempts meaning your team can focus on only the ones that get through, rather than having to filter through all of them themselves.
VPN, mobile hotspots, or “No Open Wireless Policy” – Popping on the free wireless at the coffee shop may SEEM like a great way to get some work done, but most free wireless connections are “Open” which means that they’re not encrypted. Because of this, anyone in the coffee shop (with a little bit of know-how) can see the information you’re sending. If this is an e-mail to your client, then they now have your client’s e-mail, the content of the message, what your e-mail and signature look like – they have a lot of information they need that will help them scam your client. Giving your agents a VPN they can connect to and setting it up so they always connect eliminates this security hole. If you don’t want to manage a VPN (which can be a hassle) mobile hotspots from your cell phone provider allow connections from anywhere and are setup to be encrypted. Since a mobile hotspot is unique to you, you also don’t have to worry about other people connecting to it and seeing your data. Finally, just a policy of education about not using Open Wireless to conduct business goes a LONG way towards keeping scammers from having more information about your company.
HIGHER COST, BUT WELL WORTH IT
An Expert – Having an IT expert you trust that knows the real estate industry and can help you with your e-mail, online, cybercrime, and training strategies is a priceless prevention strategy. Even if you’re small enough that you don’t need full-time IT, there are a lot of companies available locally that do consulting and will help you setup your systems in a secure way. It’s also well worth it to have someone you can call in a crisis situation to help you track down and sort out any security issues you have.