Skip to content

Clark Hill 2025 Commercial Real Estate Outlook: The Number One Cybersecurity Threat Facing the Real Estate Sector

April 22, 2025

When we talk to clients about cybersecurity, it tends to conjure up images of ransomware, systems that are encrypted and inaccessible, and stolen data. For the real estate sector, ransomware isn’t the largest cybersecurity threat. According to the FBI’s 2023 IC3 report on internet crime, losses across all industries related to ransomware were approximately $59.6 million. But this number is dwarfed by losses resulting from business email compromises (“BEC’s”), which accounted for almost $3 Billion in losses in 2023 across all industry sectors. The most recent statistics focusing on BEC losses with a real estate nexus show that the total losses were $446.1 million in 2022. In other words, 2022 BEC losses with a real estate nexus were 7x higher than all ransomware losses across all industries in 2023. In fact, BEC losses with a real estate nexus have risen since 2015 at an alarming rate.

It is clear that the real threat of loss facing the real estate sector is the insidious BEC.

A BEC generally involves a threat actor compromising the email account of one or more sides of a transaction and inserting fraudulent payment instructions into the interaction, thus routing an upcoming payment to an account the threat actor controls. This process can involve spoofed email domains, faked phone numbers and other ancillary tactics that help reinforce the realism of the scam. These threat actors focus on the real estate sector because of the large sums of money changing hands electronically.

For victims of BECs where funds were sent to threat actors, recovery is uncertain.  As between the company that made the payment and the company that expected it, courts generally place the risk of loss (and therefore the liability for it) on the entity in the best position to avoid the loss.  This analysis can be extremely factually specific.  Moreover, pursuit of banking or similar institutions can be complex due to the rules surrounding electronic transfers and related instructions.  In many cases, the best hope for recovery is quick reporting and coordination with appropriate law enforcement authorities.

Overall, for companies and individuals involved in real estate transactions, combatting the scourge of BEC not only involves having key cybersecurity controls in place, but also controls regarding receiving, changing, and confirming payment instructions. Equally important is to have processes and procedures in place to quickly identify payments that may have been sent to fraudulent accounts so that proper authorities and other entities can be notified.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.

Subscribe for the latest

Subscribe

Related

Event

Webinar: Special Education Bootcamp - Compliance Foundations Under IDEA

Whether you are new to special education leadership or looking to reinforce your foundational knowledge, this interactive webinar will provide a comprehensive overview of the core compliance requirements under the Individuals with Disabilities Education Act (IDEA). Designed for school leaders who are responsible for ensuring legally sound practices, this session will offer practical tools and strategies to help participants navigate common procedural and substantive pitfalls, support sound decision-making, and build a compliant and student-centered special education program.

Explore more
Event

Telehealth Week Webinar 2025: Navigating Legal Changes and Future Trends for Healthcare Providers

Join Paul Schmeltzer, Carrie Foote, and John Howard for our one-hour annual Telehealth Week webinar, focused on the evolving legal landscape of telehealth. This session will cover key topics, including the upcoming DEA final rule on prescribing controlled substances via telehealth, federal reimbursement concerns for telehealth, and what healthcare providers need to prepare for other upcoming changes.

Explore more
Event

2025 Cybersecurity and Data Privacy Laws Summit

Join us for an immersive half-day seminar exploring the rapidly evolving landscape of cybersecurity, data privacy, and AI-related regulation. This year’s summit will feature dynamic discussions with industry leaders, offering practical insights into the tools, tactics, and legal implications shaping incident response and AI accountability in 2026 and beyond.

Explore more