Cybersecurity Checklist for Real Estate
Wire Fraud Prevention
Call each title and escrow company you closed with last quarter and confirm their wire-instruction policy: instructions sent via secure portal only, verbal verification to a known phone number from the title company's website, and never trust wire changes received by email. Document the verified phone number in the transaction file template.
Review the FBI IC3 wire-fraud advisory and refresh the one-page handout buyers receive at offer acceptance. The handout must state that escrow will never change wire instructions by email, that the buyer should always call the escrow officer at a number taken from the company website (not from the email), and that the buyer should confirm receipt of the wire within one hour of sending.
Compromised agent inboxes are the most common wire-fraud vector — attackers add a hidden forwarding rule to monitor a transaction, then spoof the title company. Have IT pull a forwarding-rule and delegation report from Microsoft 365 / Google Workspace for every licensed agent. Any rule forwarding outside the brokerage domain is a red flag.
If a forwarding rule or unauthorized delegation was found, treat the account as compromised: force password reset, revoke all active sessions, re-enroll MFA, and review sent-mail for any wire instructions sent from that account. Notify any clients in active transactions on that account by phone — not email — to re-verify wire info before closing.
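The forwarding-rule and delegation check above is the kind of report that is easiest to review with a small script rather than by eye. The following is an added example, not part of the original checklist and not a Microsoft or Google tool: it parses a constructed forwarding-rule export (the column names, the brokerage domain example-realty.test and the sample mailboxes are all assumptions) and flags every rule or delegation whose target lies outside the brokerage domain, with enabled rules marked as the active red flag and disabled ones queued for review.

```python
import csv
import io

# Domains treated as internal to the brokerage (assumption: one primary domain).
BROKERAGE_DOMAINS = {"example-realty.test"}

# Constructed sample of a forwarding-rule / delegation export. The column names
# are an assumption; a real Microsoft 365 or Google Workspace export has to be
# mapped onto mailbox / kind / rule_name / targets / enabled before this runs.
SAMPLE_REPORT = """\
mailbox,kind,rule_name,targets,enabled
agent.one@example-realty.test,forward_rule,Archive closings,assistant@example-realty.test,true
agent.two@example-realty.test,forward_rule,.,agent.two.backup@freemail.test;ops@example-realty.test,true
agent.three@example-realty.test,delegate,,outside.helper@freemail.test,true
agent.four@example-realty.test,forward_rule,Old rule,someone@freemail.test,false
"""


def domain_of(address):
    """Return the lowercased domain part of an e-mail address, or '' if it has none."""
    addr = address.strip().lower()
    return addr.rpartition("@")[2] if "@" in addr else ""


def find_external_forwarding(report_text, internal_domains=BROKERAGE_DOMAINS):
    """Return one finding per rule or delegation that sends mail outside the brokerage.

    Findings keep their input order. Severity is 'high' for an enabled rule or
    delegation and 'review' for a disabled one, since a disabled rule still
    shows that someone configured external forwarding at some point.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        targets = [t.strip() for t in row["targets"].split(";") if t.strip()]
        # A rule with several targets is external if any target leaves the domain.
        external = [t for t in targets if domain_of(t) not in internal_domains]
        if not external:
            continue
        severity = "high" if row["enabled"].strip().lower() == "true" else "review"
        findings.append({
            "mailbox": row["mailbox"],
            "kind": row["kind"],
            "rule_name": row["rule_name"],
            "external_targets": external,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_REPORT):
        print(finding["severity"].upper(), finding["mailbox"], finding["kind"],
              "->", ", ".join(finding["external_targets"]))
```

Every mailbox that appears in the output goes through the compromise steps in the item above (reset, session revocation, MFA re-enrollment, sent-mail review) before anyone argues about whether the rule was legitimate; a rule that forwards to an agent's own personal address is still an out-of-domain copy of every wire instruction that mailbox receives.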
Account Access and MFA
Pull the MFA status report from Microsoft 365 / Google Workspace, Follow Up Boss / kvCORE / BoomTown, and Dotloop / SkySlope / TransactionDesk. Every active agent must have MFA enrolled — SMS is acceptable as a fallback but authenticator app is preferred. Disable accounts for agents who left the brokerage but were never offboarded.
Cross-check the MLS user list and Supra eKEY / SentriLock roster against current licensed agents on the brokerage roster. Departed agents with active MLS or lockbox credentials are both a security risk and a license-law issue. Submit removal requests to the local board for any mismatches.
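The two items above (the MFA status report and the MLS / lockbox roster cross-check) are the same reconciliation problem: compare each system's user list against the licensed roster and flag the differences. The script below is an added example, not part of the original checklist and not a vendor report; the roster, the MFA export, the system user lists and the e-mail identifiers are all constructed, and it assumes each system keys users by the same brokerage e-mail address (real MLS and lockbox exports may use agent IDs and need a mapping step first).

```python
# Constructed licensed roster: address -> status. All names are assumptions.
BROKERAGE_ROSTER = {
    "a.ahmed@example-realty.test": "active",
    "b.brown@example-realty.test": "active",
    "c.chen@example-realty.test": "departed",    # left last quarter
    "e.evans@example-realty.test": "active",
}

# Constructed identity-platform MFA export: user -> strongest enrolled method.
MFA_EXPORT = {
    "a.ahmed@example-realty.test": "authenticator",
    "b.brown@example-realty.test": "sms",
    "c.chen@example-realty.test": "none",
    "d.diaz@example-realty.test": "authenticator",   # account exists, never on roster
    "e.evans@example-realty.test": "none",
}

# Constructed per-system user lists keyed by the same e-mail identifier.
SYSTEM_USERS = {
    "identity": set(MFA_EXPORT),
    "mls": {"a.ahmed@example-realty.test", "c.chen@example-realty.test"},
    "lockbox": {"a.ahmed@example-realty.test", "b.brown@example-realty.test",
                "c.chen@example-realty.test"},
    "crm": {"a.ahmed@example-realty.test", "d.diaz@example-realty.test"},
}


def reconcile_access(roster, mfa_export, system_users):
    """Compare every system's users and the MFA export against the active roster.

    Returns:
      remove        system -> sorted users who are departed or unknown (disable /
                    submit removal to the board)
      mfa_missing   active agents with no MFA method enrolled
      mfa_sms_only  active agents whose only method is SMS (acceptable fallback,
                    authenticator app preferred)
    """
    active = {user for user, status in roster.items() if status == "active"}
    result = {"remove": {}, "mfa_missing": [], "mfa_sms_only": []}
    for system, users in system_users.items():
        extra = sorted(users - active)
        if extra:
            result["remove"][system] = extra
    for user in sorted(active):
        method = mfa_export.get(user, "none")   # no identity record counts as no MFA
        if method == "none":
            result["mfa_missing"].append(user)
        elif method == "sms":
            result["mfa_sms_only"].append(user)
    return result


if __name__ == "__main__":
    report = reconcile_access(BROKERAGE_ROSTER, MFA_EXPORT, SYSTEM_USERS)
    for system, users in report["remove"].items():
        print(f"{system}: remove {', '.join(users)}")
    print("no MFA:", report["mfa_missing"])
    print("SMS-only MFA:", report["mfa_sms_only"])
```

The "remove" list is the one that carries license-law weight: an address that is in the MLS or lockbox roster but not active on the brokerage roster is both an open credential and a board-reportable mismatch, so each entry becomes a removal request with the date it was submitted.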
Shared accounts (front-desk reception, listing photo upload account, social media schedulers) accumulate former-staff knowledge. Rotate passwords through the brokerage password manager (1Password, Bitwarden, LastPass) and confirm any departed staff have been removed from the vault.
Transaction File Protection
Brokerage policy requires that every executed contract, disclosure, and EMD receipt live in Dotloop / SkySlope / TransactionDesk, not in an agent's personal Gmail, personal Dropbox, or laptop desktop folder. Spot-check five recently closed transactions and confirm the complete files are in the approved system.
Only the broker-in-charge and designated bookkeeper should have access to the EMD trust account portal. Agents should never have direct access — commingling and unauthorized movement are state commission violations regardless of intent. Confirm the bank's user list matches the authorized roster.
Every brokerage-issued laptop must have full-disk encryption (BitLocker on Windows, FileVault on Mac) verified active. Agent personal devices used for client work need at minimum a passcode and remote wipe enrollment (Microsoft Intune, Google Endpoint Management, or equivalent MDM).
Pick a closed transaction from 90 days ago and restore the full file from backup. State commissions require retention of three to seven years depending on jurisdiction; an untested backup is the same as no backup. Document restore time and any missing artifacts.
Agent Training and Awareness
Use KnowBe4, Hoxhunt, or your IT vendor's phishing platform to send a simulated wire-fraud or fake-DocuSign lure to every agent. Track click rate and credential-entry rate. Real-estate-specific lures (fake offer attached, fake escrow wire change) are more realistic than generic IT lures.
Hold a 30-minute office meeting that walks through the phishing simulation results and the quarter's real wire-fraud attempts (yours or industry-reported). Cover the verbal-verification rule, the buyer handout, and what to do if an agent suspects an account compromise. Capture attendance for the compliance file.
Agents must know who to call within 15 minutes of a suspected compromise: the broker-in-charge, the IT vendor, and the title company on any active transaction. Post the escalation tree in the office and pin it in the team Slack/Teams channel. Time-to-report is the single biggest factor in recovering a fraudulent wire through the FBI's Financial Fraud Kill Chain.
Vendor and Integration Review
Pull the OAuth-app inventory from Microsoft 365 / Google Workspace and the integrations list from Follow Up Boss / kvCORE. Departed lead-gen tools, abandoned Zapier connections, and old IDX plugins commonly retain access tokens. Revoke anything not actively used.
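Once the OAuth-app and integrations inventories are exported, the review reduces to two questions per token: has it been used recently, and what can it read? The script below is an added example, not part of the original checklist and not a Microsoft, Google or CRM feature; the inventory rows, app names, owners and the 90-day staleness threshold are constructed assumptions, and the scope strings are illustrative examples of Microsoft Graph and Google mail scopes rather than a complete list. It ranks revocations so that stale tokens with mail or contact access, the ones that could read wire instructions, are handled first.

```python
from datetime import date, timedelta

# Constructed OAuth-app / integration inventory. Field names are assumptions;
# map the real Microsoft 365 / Google Workspace / CRM export onto them first.
SAMPLE_APPS = [
    {"app": "Zapier (listing sync)", "owner": "b.brown@example-realty.test",
     "scopes": ["Mail.ReadWrite", "Contacts.Read"], "last_used": "2024-01-15"},
    {"app": "Old IDX plugin", "owner": "a.ahmed@example-realty.test",
     "scopes": ["Calendars.Read"], "last_used": "2023-06-02"},
    {"app": "DocuSign connector", "owner": "broker@example-realty.test",
     "scopes": ["Files.Read"], "last_used": "2024-04-20"},
    {"app": "Lead-gen tool (contract ended)", "owner": "c.chen@example-realty.test",
     "scopes": ["https://mail.google.com/"], "last_used": None},   # never recorded a use
]

# Scopes that let an integration read mail or contacts. Illustrative set only:
# extend it with whatever the real inventory reports.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "https://mail.google.com/",
                    "Contacts.Read"}


def review_integrations(apps, today, stale_after_days=90):
    """Split an inventory into tokens to revoke and tokens to keep.

    `today` is an ISO date string so the result is reproducible. A token is stale
    when it has no recorded use or its last use is older than stale_after_days.
    Revocations are ordered with mail/contact-capable tokens first, then by name.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=stale_after_days)
    revoke, keep = [], []
    for app in apps:
        last = date.fromisoformat(app["last_used"]) if app["last_used"] else None
        stale = last is None or last < cutoff
        risky = sorted(set(app["scopes"]) & HIGH_RISK_SCOPES)
        entry = {"app": app["app"], "owner": app["owner"], "last_used": app["last_used"],
                 "stale": stale, "high_risk_scopes": risky}
        (revoke if stale else keep).append(entry)
    revoke.sort(key=lambda e: (not e["high_risk_scopes"], e["app"]))
    return {"revoke": revoke, "keep": keep}


if __name__ == "__main__":
    result = review_integrations(SAMPLE_APPS, today="2024-05-01")
    for entry in result["revoke"]:
        flag = " [mail/contacts access]" if entry["high_risk_scopes"] else ""
        print(f"REVOKE {entry['app']} (owner {entry['owner']}, last used {entry['last_used']}){flag}")
    for entry in result["keep"]:
        print(f"keep   {entry['app']}")
```

Tokens in the "keep" list still deserve a glance at their owner: an integration authorized by an agent who has since departed should be re-authorized under a current account rather than left running on the old consent.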
Email the SOC 2 Type II report request to your transaction management, CRM, and eSignature vendors (Dotloop, SkySlope, DocuSign, Follow Up Boss, kvCORE). File the latest report in the brokerage compliance folder. Note any qualified opinions or open exceptions for the broker to review.
Each vendor agreement holding client PII (CRM, transaction platform, photographer cloud) should specify a breach-notification window — 72 hours is the GDPR / state-law benchmark. Flag any contract on auto-renewal that lacks this clause for renegotiation at next renewal.
Broker-in-charge sign-off closes the review and creates the audit trail for the next state commission file inspection. Capture the overall posture rating, any open remediation items, and the broker's signature.
