Important security update: from credential theft to social engineering
Last year, the real estate industry faced a surge of cybersecurity attacks where bad actors utilized compromised agent credentials to access MLS systems. These breaches were primarily used to launch phishing campaigns and fraudulent rental listings.
Cotality played a leading role in identifying and responding to the threat.

Cotality quickly identified a pattern of coordinated attacks and was among the first to alert the industry. By implementing a rapid response, including a password reset initiative that the majority of the industry ultimately followed, Cotality set the standard for proactive defense. We then went a step further, collaborating with all clients to enable Multi-Factor Authentication (MFA). MFA is a core safeguard for account security and a standard requirement in today’s security environment.
The evolution of the threat: social engineering
Security is a moving target. As digital defenses have strengthened, bad actors have shifted their focus to a more vulnerable area: the human element. We are now seeing a more sophisticated approach, where attackers bypass technical controls by targeting MLS administrative staff through social engineering. The typical attack pattern involves:
- Impersonation: The attacker contacts the MLS or Association via email or phone, pretending to be an active agent.
- The request: They request an "urgent" change to critical contact information, such as an email address or phone number, often citing a travel emergency or a technical lockout.
- The takeover: Once these changes are made at the administrative level, they flow into downline systems. The attacker then uses the new contact info to trigger password resets, redirect MFA challenges, and seize full control of the agent's account.
Practical steps MLSs can take
Since this threat relies on manipulating people rather than software, your best defense is a set of standardized verification protocols that apply regardless of your tech stack.
Staff training & "red flag" awareness: Train MLS staff to look for signs of social engineering: extreme urgency, pressure to bypass security protocols, or atypical communication styles.
Direct to standard system methods: Before manually changing info, direct the requester to use the standard self-service tools available in the system. To the extent possible, verify whether they attempted these standard methods before providing manual assistance.
Establish a "call-back" identity policy: Never update an agent’s email or phone number based solely on an incoming request. Call the agent back using the phone number already on file in your records to verify the request is legitimate.
Email verification: If an inbound request comes from an email address that does not match the one on file, send a verification email to the original address on file. You do not need to notify the requester; simply perform the check as a standard security protocol.
Modern verification questions: Historically, some clients used "secret questions." This is no longer recommended as these answers are often easily found online.
- Instead: Engage the requester in general conversation about the local market or real estate.
- Use "out-of-wallet" questions: Develop questions based on information you have available that only the agent should know (e.g., their license expiration date, the name of their managing broker, or specific office details).
Implement a "cooling off" period: For high-risk changes (like email or MFA phone numbers), implement a 24-hour delay before the change becomes active.
Secure identity verification: If an agent cannot be verified via phone, you may require a digital copy of their state-issued ID or real estate license.
- CRITICAL: Only use this method if you have a secure, encrypted means for the agent to transfer this info (such as a secure upload portal).
- DO NOT ask for or accept copies of photo IDs via standard email.
Maintain a centralized audit trail (keep notes): Every request to change sensitive contact information should be recorded.
- Where to record: The best place for this is the "Notes" or "Activity" section of the agent’s profile within your administrative system.
- The golden rule: Always check the agent's notes before processing a change. If you see multiple recent inquiries or failed verification attempts, it is a major red flag for an ongoing hijacking attempt.
- Why it matters: This prevents "channel-hopping," where an attacker hangs up on one staff member who is following protocol and calls back to try their luck with someone else.
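
The notes check, call-back requirement and cooling-off period described above can be enforced in the change workflow itself. The following is an added example, not Cotality or Clareity code: the 7-day "recent" window, the threshold of two entries, and every name in it are assumptions for illustration; only the 24-hour delay comes from this article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=24)       # delay stated in the article
RECENT = timedelta(days=7)              # assumption: what "recent" means
RED_FLAG_COUNT = 2                      # assumption: what "multiple" means
HIGH_RISK = {"email", "mfa_phone"}      # fields that get the delay

@dataclass
class Note:                             # one audit-trail entry on the profile
    when: datetime
    staff: str
    field_name: str
    outcome: str

@dataclass
class AgentProfile:
    agent_id: str
    notes: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # field -> (value, active_at)

def red_flags(profile, now):
    """Recent inquiries or failed verifications, regardless of who took them."""
    return sum(1 for n in profile.notes
               if now - n.when <= RECENT
               and n.outcome in ("inquiry", "failed_verification"))

def request_change(profile, field_name, new_value, staff, callback_verified, now):
    """Check the notes first, decide, and always record the request."""
    if red_flags(profile, now) >= RED_FLAG_COUNT:
        outcome = "escalated"           # possible hijacking: alert agent/broker
    elif not callback_verified:
        outcome = "failed_verification" # no call-back to the number on file
    elif field_name in HIGH_RISK:
        outcome = "held"
        profile.pending[field_name] = (new_value, now + COOLING_OFF)
    else:
        outcome = "applied"
    profile.notes.append(Note(now, staff, field_name, outcome))
    return outcome

def activate_due(profile, now):
    """Release held changes whose cooling-off period has elapsed."""
    due = {f: v for f, (v, at) in profile.pending.items() if at <= now}
    for f in due:
        del profile.pending[f]
    return due
```

Because every request is written to the same profile, a third attempt is escalated even when it reaches a different staff member and appears to pass verification.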

Summary: why vigilance matters more than convenience
At the end of the day, personal vigilance matters most. Following the right steps every time may feel inconvenient, but that small effort is far less costly than the weeks of remediation and reputational damage caused by a compromised credential.
Trust your instincts. If something feels off or out of character, take a moment to verify it. If you suspect an attempted account takeover, alert the agent directly and, if needed, contact their managing broker to help protect the entire office.
MLSs are the gatekeepers of some of the most important and sensitive data in real estate. That’s why building better habits and technology around security is a daily requirement.
Have questions or want to strengthen your security approach? Your Cotality representative can help you make the most of your Clareity Security tools. You can also email us at sales.res@cotality.com.