Open conference room
Fraud Protection

Managing Cyber Risk in Commercial Real Estate

Commercial real estate investors and companies, as well as brokers and agents, are prime targets for cyber criminals looking for treasure troves of valuable information. Learn how to help protect your business.
October 25, 2017

Personal information about buyers, sellers and tenants—which is included in rental applications, credit reports, leases and rental agreements—is the lifeblood of cyber schemes. This information includes names, Social Security numbers, birth dates, addresses and driver’s license numbers. Some commercial real estate companies are also vulnerable to attack because they maintain large amounts of cash on their balance sheets to acquire and finance real estate properties.

“It is critical that real estate companies implement cybersecurity tools and employee training, continually update antivirus software and properly monitor their systems to remain resilient, vigilant and secure,” said Al Brooks, Head of Commercial Real Estate for Commercial Banking.

A major concern about cyberattacks on real estate firms is the fact that criminals can access an entire network’s data for thousands of clients from around the country and the globe. “Hackers can use many different entry points to access a company’s system, gather information and then use it to steal data and money,” said Mike Kelly, Business Information Security Officer for Commercial Banking.

Increasing Sophistication and Complexity

In one type of scheme, criminals target real estate companies through phishing attacks. Hackers obtain sign-in credentials by tricking employees into typing their credentials into a fake transaction management website and then immediately forwarding them to the real website where their credentials work. However, the hacker now has their login information and can access the system to review transactions.

If the employee uses the same password for email, the criminals can direct emails to bypass the employee’s inbox and go directly to them. At that point, criminals can send spoof emails to request wire transfers to bank accounts they control.

Criminals are expanding their targets using business email compromise, a scheme where criminals create a fake look-alike email domain. For example, criminals may use to target the legitimate email domain

By sending phishing emails pretending to be from company executives or vendors, criminals can fool employees who don’t notice the change in the email address or authenticate the transaction request before making the wire transfer. Additionally, cyber criminals can modify how their name initially appears in emails. If an email seems suspicious, hover over the sender’s name to display the actual address.

Quick Tip

Cyber criminals can modify how their name initially appears in emails. If an email seems suspicious, hover over the sender’s name to display the real address from which the email was sent.

What Can Be Done?

Many real estate companies are unprepared for a cyberattack and do not have internal controls and procedures in place to help stop or prevent one.

However, with stronger controls and security measures, they can mitigate the risk to themselves, their employees and their clients by implementing these practices:

  • Conduct cybersecurity training for all employees, especially for those who have authorized access to payment controls.
  • Install and maintain up-to-date security and firewall protection on all company computers and laptops.
  • Test employees using different cyberfraud scenarios and find out if they’re able to detect suspected phishing emails or other cyberattacks. This will help determine if additional training, new systems and protocols need to be established.
  • Ensure employees create strong passwords using special characters, symbols and upper and lowercase letters. These passwords should be different for email and transaction systems and should not be linked.
  • Avoid using public Wi-Fi connections for personal or professional business, especially on a laptop that stores or has access to sensitive information.
  • Train employees to be the first line of defense to protect companies from cyberattacks. If something feels wrong, employees should be empowered to escalate to a manager and take precautions to verify that the request is legitimate.

Each company or organization must determine how to best protect itself against cyberfraud activities and select the cybersecurity best practices most appropriate to its needs.

“There’s a lot that can be done to prevent or detect cyberattacks to eliminate or minimize the damage caused,” Brooks said. “It’s important that companies are proactive and prepared in order to protect themselves and their clients.”


Related Services

Fraud Protection

Commercial Real Estate


To receive additional content related to commercial real estate, please complete the form below:


Get In Touch

For inquiries regarding commercial real estate financing solutions, please complete the form below.


Credit is subject to approval. Rates and programs are subject to change; certain restrictions apply. Terms and conditions subject to commitment letter. Products and services provided by JPMorgan Chase Bank, N.A. © 2017 JPMorgan Chase & Co. Member FDIC. All rights reserved.

© 2017 JPMorgan Chase & Co. All rights reserved. J.P. Morgan and Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide (JPMC). Any example of cyber or other fraud or loss in this material is for illustrative purposes only; any similarity to any actual event or person is unintended and unfounded. This document was prepared exclusively for the benefit and internal use of the party to whom it is delivered (each, a ‚Äúrecipient). The content is not intended as, nor shall be deemed to constitute or contain, advice on which the Recipient may relay; does not constitute in any way other than as expressly authorized by JPMC. This document is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The Recipient is responsible for determining how to best protect itself against cyber threats and for selecting the cybersecurity best practices that are most appropriate to its needs. JPMC assumes no responsibility or liability whatsoever to any person in respect of such matters, and nothing within this document shall amend or override the terms and conditions in the agreement(s) between JPMC and the Recipient.
Equal Housing Oppurtunity

Copyright © 2018 JPMorgan Chase & Co. All rights reserved.