Clark Hill 2025 Commercial Real Estate Outlook: The Number One Cybersecurity Threat Facing the Real Estate Sector

When we talk to clients about cybersecurity, it tends to conjure up images of ransomware, systems that are encrypted and inaccessible, and stolen data. For the real estate sector, ransomware isn’t the largest cybersecurity threat. According to the FBI’s 2023 IC3 report on internet crime, losses across all industries related to ransomware were approximately $59.6 million. But this number is dwarfed by losses resulting from business email compromises (“BEC’s”), which accounted for almost $3 Billion in losses in 2023 across all industry sectors. The most recent statistics focusing on BEC losses with a real estate nexus show that the total losses were $446.1 million in 2022. In other words, 2022 BEC losses with a real estate nexus were 7x higher than all ransomware losses across all industries in 2023. In fact, BEC losses with a real estate nexus have risen since 2015 at an alarming rate.

It is clear that the real threat of loss facing the real estate sector is the insidious BEC.

A BEC generally involves a threat actor compromising the email account of one or more sides of a transaction and inserting fraudulent payment instructions into the interaction, thus routing an upcoming payment to an account the threat actor controls. This process can involve spoofed email domains, faked phone numbers and other ancillary tactics that help reinforce the realism of the scam. These threat actors focus on the real estate sector because of the large sums of money changing hands electronically.

For victims of BECs where funds were sent to threat actors, recovery is uncertain.  As between the company that made the payment and the company that expected it, courts generally place the risk of loss (and therefore the liability for it) on the entity in the best position to avoid the loss.  This analysis can be extremely factually specific.  Moreover, pursuit of banking or similar institutions can be complex due to the rules surrounding electronic transfers and related instructions.  In many cases, the best hope for recovery is quick reporting and coordination with appropriate law enforcement authorities.

Overall, for companies and individuals involved in real estate transactions, combatting the scourge of BEC not only involves having key cybersecurity controls in place, but also controls regarding receiving, changing, and confirming payment instructions. Equally important is to have processes and procedures in place to quickly identify payments that may have been sent to fraudulent accounts so that proper authorities and other entities can be notified.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.