Joe Pella is head of National Commercial Real Estate at Truist, and Lisa Consoldane is Treasury Consultant for Truist. Ryan Mercer is a Cyber/E&O specialist for McGriff Insurance Services, LLC.

While the economy has experienced its share of ups and downs over the past few years, the threat of fraud and cybercrime has only moved in one direction: up. Attacks ranging from simple check-washing schemes and direct cyberattacks to risks from compromised third-party providers have plagued organizations of all types, and commercial real estate (CRE) businesses are no exception. Protecting organizations from a wide range of fraud and cyber threats has become a core component of risk management.

Payments are distinctly susceptible to fraud.

Payment fraud attacks continue to intensify; in 2023 alone, nearly 80% of organizations reported attempted or actual payment fraud, up from 65% in 2022. While a quarter of businesses reported losses of less than $25,000, 19% exceeded $100,000. Nearly one third did not recover any amount of the loss. (Disclosure 1)

Checks remain the method of choice for fraudsters, who used checks in 65% of payment fraud events or attempts. (Disclosure 1) Though organizations increasingly use alternative payment methods, check fraud is still prevalent at many commercial real estate businesses. There's been a recent resurgence in check-washing fraud. Perpetrators often intercept checks from incoming or outgoing mail, and then wash away the payee’s name—and sometimes the dollar amount—giving them a signed and dated “blank” check. (Disclosure 2) Thanks to sophisticated desktop publishing software, counterfeit checks are becoming more prevalent too. (Disclosure 3) Despite the many risks associated with checks, 70% of organizations have no immediate plans to stop using them. (Disclosure 1)

ACH debits and credits account for a combined 52% of payment fraud. Criminals deceptively obtain business checking account and bank routing numbers to make unauthorized ACH payments (19%) or ACH credits (33%). (Disclosure 1) ACH credits are involved in 47% of business email compromise (BEC) fraud events, replacing wire transfers as the most common tool for BEC fraud. (Disclosure 1)

Wire transfers are targeted in 24% of all payment fraud events. This represents 39% of incidents in which criminals use BEC or another form of social engineering to transfer funds to a fake or unauthorized bank account. (Disclosure 1) With access to an email account, an imposter then poses as a key employee or third-party partner and communicates false payment instructions.

Commercial credit cards account for a fifth of the total payment fraud events and attempts sustained by organizations. (Disclosure 1) Sometimes employees misuse their corporate credit cards for personal transactions, but business credit cards are also vulnerable to use by criminals outside an organization, who may use lost and stolen cards or account information to make purchases or withdraw cash.

Most common fraud tactics

Business email compromise represents the greatest vulnerability for companies, with 63% experiencing some form in 2023. (Disclosure 1) It usually happens through social engineering attacks in which criminals successfully guess or steal email credentials. This allows them to deceive employees, leading them to make fraudulent payments, provide sensitive information, or open email attachments that deploy malware. Accounts payable departments, the target of 59% of BEC attacks, are especially susceptible.

Imposters can also compromise a business's email by creating an email address or website that appears to be legitimate. Customers are deceived into sharing passwords, revealing bank information, or making payments to a scammer. Fraudsters who target your customers in this way create reputational risk and damage the relationship of trust your business has worked so hard to build.

Most fraud—everything from forged checks and stolen credit cards to more complex outsourcing schemes—comes from external sources. Our CRE clients tell us that, while BEC continues to be a serious threat and is favored for direct attacks, third party partners—like title companies, law firms, brokers, and financial institutions—also create risk exposure for organizations when information they retain on your business or its customers is compromised. 

Recognize rising cyber risks.

The steady stream of high-profile data breaches in the news reflects a steep increase in cyberattacks, and commercial real estate organizations make ideal targets. Not only do they often collect and store sensitive customer data, but they can be involved in high-dollar transactions and may lack the strong, state-of-the-art security systems found in other industries. What’s more, CRE businesses often work with multiple third parties who may have insufficiently robust or outdated cybersecurity protections.

Data breaches, when hackers steal and sell or expose sensitive personal and financial information, leave a business’s customers at risk of identity theft and financial loss.

Ransomware attacks, where criminals encrypt an organization’s data and hold it for ransom, halting business activity and financial processes, are among the most feared threats. They can make normal operations impossible until the hackers get what they want and, hopefully, restore the data.

Third party cyberattacks happen when cybercriminals gain access to your company by compromising a partner organization. Recognize that each third-party partner represents a unique cyber risk to your organization based on their security measures and their level of access to your systems. 

Shore up your defenses.

Preventing damage to your real estate business demands a comprehensive strategy supported by actions that address people, processes, and technology. While risk reduction strategies often overlap, distinct security measures tailored to the most common threats can reduce your business’s risk.

People:

People form the foundation of your fraud defense. Implement these steps to lower your overall risk of fraud.

Educate all employees to recognize these red flags.

  • Wire payment instructions that may be fraudulent
  • Directions to deviate from normal wire procedures
  • Impersonation of leaders or colleagues
  • Emails, phone calls or texts that may be phishing, especially:
    • Demands for immediate action (e.g., funds transfers)
    • Requests for sensitive information
    • Communications outside of regular business hours
    • Emails and texts that contain spelling or grammatical errors


Train staff to verify changes to standard procedures and other suspicious requests. Verify phone numbers and contacts to confirm any email, text, or phone call that includes a change of instructions or contacts.

Work with partners you know and trust to ensure that they adhere to rigorous security measures. Monitor vendor authorizations and level of access.

Processes:

Efforts to thwart check fraud, the #1 source of payment fraud, will likely yield the highest return in risk reduction. Take these steps:

When possible, replace checks with safer forms of payment.

  • Commercial cards
  • Mobile payment apps
  • Your bank’s online bill pay service
  • ACH for repetitive or large payments (e.g., you can make most state and federal tax payments online). Make sure you’ve set up ACH controls to ensure new payees are properly authorized.

When you must write checks

  • Use a pen with indelible or permanent black ink that can’t be removed through check washing.
  • Give outgoing mail directly to your letter carrier or drop it off inside your local post office—not a blue box or any other outdoor collection point.
  • Use a trackable delivery service and/or require a verified signature upon receipt for larger transactions.
  • Explore your bank’s Positive Pay offering. This service validates checks by comparing posted checks to your issued check data and flags any non-matching checks as exceptions.
  • Frequently monitor transaction histories and bank balances online.

Reconcile bank accounts regularly

  • Daily reconciliation is best.
  • Identify and report any discrepancies to your bank as soon as possible. 

Technology:

Cybercriminals continue to devise bolder schemes to attack businesses. Take these protective measures to help protect your company against the operational disruptions, reputational risk, and financial consequences that a cyberattack can bring:

Adopt cybersecurity best practices.

  • Keep all technology systems, devices, and software updated with current security protections.
  • Implement multi-factor authentication (MFA) for all remote access to your network and access to your email environment.
  • Regularly back up data.
  • Make sure only authorized individuals have access to devices and sensitive data.
  • Use single sign-on systems (SSO).
  • Require strong passwords along with the most stringent security for administrative accounts.
  • Protect Privileged Service Accounts—accounts that run applications and other automated services.
  • Obtain cyber insurance.
  • Establish a cyberattack response plan.


Assess vulnerabilities in your third-party providers.

  • Identify and minimize threats. Conduct thorough due diligence on third-party vendors to ensure you understand each partner company’s security stance and risk factors. 

Craft your response plan now.

Even with protective measures in place, it’s impossible to prevent fraud and cyberattacks with 100% certainty. 

How will you respond if your business is attacked? Every minute is precious. It’s important to formulate a detailed response plan that you’ll, hopefully, never have to deploy. Position yourself for a quick and effective response with these steps:

  1. Designate an incident response team to develop and maintain your detailed response plan. Include representatives from key operational areas, not just IT.
  2. Find external resources and experts who can offer valuable knowledge and advice to guide you through a crisis. Your plan should specify who you’ll call for crucial support, including:
    • Cyber incident response firm
    • Data forensics experts
    • Data privacy legal counsel
    • Cyber insurance broker
    • Communications and public relations professionals
  3. Practice implementing your plan under various scenarios. Periodic drills can help you uncover gaps and barriers to implementation. Use what you learn to improve the plan. Test runs will help you activate your plan faster and reduce stress levels if a real incident occurs.
  4. Maintain an easily accessible copy of the response plan offline, knowing a cyberattack could lock you out of your systems and email accounts.

Know what to do after a cyberattack.

In the aftermath of a serious cyberattack, it can be hard to know how to proceed—even with a comprehensive response plan in place. Use this to-do list to help you tackle the many urgent priorities in a logical manner:

  • Contact your insurance broker immediately if you suspect your organization is undergoing a significant cyberattack and verify insurance policy incident notice requirements. Your broker can work with your cyber insurance carrier to define proper first steps and an optimal process to engage carrier-approved vendors. This step ensures you’ll have the right resources, charging appropriate rates while adhering to policy terms and conditions, so you receive your full policy benefits.
  • Activate your incident response team. Make sure that all the people you’ve designated to perform or oversee tasks are ready to respond. 
  • Engage your legal team. Some organizations will involve approved data breach counsel at the onset, to determine appropriate actions that fulfill legal obligations, manage potential liabilities, and prepare for the possibility of future litigation or regulatory investigation.
  • Identify the threat, and isolate affected systems, to prevent further damage.
  • Resolve the vulnerability that allowed the incident immediately, if possible.
  • Assess the damage and implement the appropriate response plan.
  • Formulate an action plan to address the most urgent priorities: Mitigate the impact of the incident, repair systems, restore data, and strengthen security.
  • Collaborate with forensic investigators and other incident response experts to manage the negotiation process, prepare for any payment demands, and assist in restoring full operational status.
  • Preserve documentation to assist law enforcement. Restoring data is important, but so is maintaining evidence that could identify the attackers and lead to their prosecution.
  • Report the incident to all appropriate law enforcement and regulatory agencies. They may be able to assist in the investigation.
  • Talk to an insurer-approved public relations and communications team to establish appropriate messaging about the incident with internal and public-facing audiences.
  • Comply with legal requirements to notify those affected by the incident. Offer credit monitoring and/or identity theft restoration services as approved by your insurer and advised by your breach counsel.

Safeguard your organization from fraud and cyber-attacks.

Keeping your real estate business safe demands the right team. Talk to your relationship manager to understand how Truist can bring its commercial real estate industry insight and experience to help reduce your risk of fraud—and respond appropriately to cyberattacks—protecting your company and your customers.
