Cybersecurity Checklist for Real Estate

Call each title and escrow company you closed with last quarter and confirm their wire-instruction policy: instructions sent via secure portal only, verbal verification to a known phone number from the title company's website, and never trust wire changes received by email. Document the verified phone number in the transaction file template.

Review the FBI IC3 wire-fraud advisory and refresh the one-page handout buyers receive at offer acceptance. Must state: escrow will never change wire instructions by email, always call the escrow officer at a number from the company website (not from the email), and confirm receipt within one hour of sending.

Compromised agent inboxes are the most common wire-fraud vector — attackers add a hidden forwarding rule to monitor a transaction, then spoof the title company. Have IT pull a forwarding-rule and delegation report from Microsoft 365 / Google Workspace for every licensed agent. Any rule forwarding outside the brokerage domain is a red flag.

Pull the MFA status report from Microsoft 365 / Google Workspace, Follow Up Boss / kvCORE / BoomTown, and Dotloop / SkySlope / TransactionDesk. Every active agent must have MFA enrolled — SMS is acceptable as a fallback but authenticator app is preferred. Disable accounts for agents who left the brokerage but were never offboarded.

Cross-check the MLS user list and Supra eKEY / SentriLock roster against current licensed agents on the brokerage roster. Departed agents with active MLS or lockbox credentials are both a security risk and a license-law issue. Submit removal requests to the local board for any mismatches.

Brokerage policy requires every executed contract, disclosure, and EMD receipt live in Dotloop / SkySlope / TransactionDesk — not on agent personal Gmail, personal Dropbox, or laptop desktops. Spot-check five recently closed transactions and confirm complete files are in the approved system.

Only the broker-in-charge and designated bookkeeper should have access to the EMD trust account portal. Agents should never have direct access — commingling and unauthorized movement are state commission violations regardless of intent. Confirm the bank's user list matches the authorized roster.

Every brokerage-issued laptop must have full-disk encryption (BitLocker on Windows, FileVault on Mac) verified active. Agent personal devices used for client work need at minimum a passcode and remote wipe enrollment (Microsoft Intune, Google Endpoint Management, or equivalent MDM).

Use KnowBe4, Hoxhunt, or your IT vendor's phishing platform to send a simulated wire-fraud or fake-DocuSign lure to every agent. Track click rate and credential-entry rate. Real-estate-specific lures (fake offer attached, fake escrow wire change) are more realistic than generic IT lures.

30-minute office meeting walking through the phishing simulation results and the quarter's real wire-fraud attempts (yours or industry-reported). Cover the verbal-verification rule, the buyer handout, and what to do if an agent suspects an account compromise. Capture attendance for the compliance file.

Pull the OAuth-app inventory from Microsoft 365 / Google Workspace and the integrations list from Follow Up Boss / kvCORE. Departed lead-gen tools, abandoned Zapier connections, and old IDX plugins commonly retain access tokens. Revoke anything not actively used.

Email the SOC 2 Type II report request to your transaction management, CRM, and eSignature vendors (Dotloop, SkySlope, DocuSign, Follow Up Boss, kvCORE). File the latest report in the brokerage compliance folder. Note any qualified opinions or open exceptions for the broker to review.

Each vendor agreement holding client PII (CRM, transaction platform, photographer cloud) should specify a breach-notification window — 72 hours is the GDPR / state-law benchmark. Flag any contract on auto-renewal that lacks this clause for renegotiation at next renewal.