Protect your clients and listings against lockbox vandalism

The following eMemo was issued last week and contains important information to help you avoid potential lockbox security threats.

The FVREB, along with Real Estate Boards across the province, is alerting members to exercise greater vigilance as incidents of lockbox vandalism continue to rise. At least six police reports have been filed, with as many as 20 known attempted breaches. Two cases have resulted in theft of property, with multiple instances of keys stolen from lockboxes, including the most recent case at a strata property which resulted in a REALTOR® being personally responsible for more than $5,000 in damages to have the building rekeyed.

Email is the entry point

Thieves use email phishing schemes to access Realtors’ personal information. The hackers then use this information to gain entry into victims’ accounts, where they pose as Realtors to request a showing via Touchbase for a property, or simply log into the unsuspecting Realtor’s account on the SentriLock website and use the victim’s credentials to generate an access code for a lockbox.

Protect your information

The high level of industry professionalism and knowledge employed by the perpetrator(s) calls for an equally stringent and collective degree of vigilance on our part. Since email is the primary point of entry, the most important action you can take is to adopt safe email practices:

  • Do not open links from unknown senders or from those whose identity you cannot confirm.
  • Be suspicious of any official looking email message that asks for personal or financial information.
  • Before clicking on a link, see if it is safe or not by hovering over the link to see where it directs you.
  • Be suspicious of the emails or text messages sent to you in general. Check where they came from or if there are grammatical errors.
  • Check your email account to see if your emails are being forwarded without your knowledge. If you don’t know how to do this, contact your email provider.
  • Malicious links can also come from friends who have been infected too, so be careful.
  • Be guarded when communicating through TouchBase, taking extra steps to authenticate unknown/unfamiliar senders by double-checking the contact info with their brokerage, the Board office, Google, etc.
  • Ensure the phone number and email address associated with your Touchbase account is correct. Reset your password.
  • Change your email and Sentrilock account passwords. Do not use the same password for both accounts.
  • Do not generate One-Day Showing codes. A perpetrator who gains access to an unsuspecting Realtor’s account can use a Touchbase account to request a One-Day Showing code to gain access to your lockbox.
  • Consider generating CBS (Call Before Showing) codes for your lockboxes – but do not publish these codes anywhere. Please contact the Board if you require more information on CBS codes.

What action is the Board taking?

The FVREB and its counterparts have convened numerous meetings in the past weeks to establish measures to protect members and counter potential threats, without unduly disrupting Realtors’ day-to-day operations. Among the actions taken:

  • Suspension of reciprocal lockbox privileges. Automatic reciprocal lockbox privileges have been temporarily suspended for all BC Real Estate Boards except CADREB, FVREB and REBGV. Access to properties in the other Board jurisdictions can be obtained only by calling your Board office, prior to planning a visit to show properties outside the Lower Mainland. While we regret the inconvenience, the security of our members and their clients outweighs the convenience as we continue to assess the threat.
  • Touchbase updates/changes. All phone number changes made by members on their Touchbase account are being verified with members daily by Helpdesk.
  • One-device policy. Boards which had not already done so have instituted a one-device policy, so that only one device can be registered.
  • New devices. Members who need to register a new device must do so by contacting their Board office directly to undergo identity screening and authentication to set up the device.
  • Account updates. No changes or updates can be made to account settings without prior identity verification by the Board office.
  • Multi-factor authentication. Discussions are underway with SentriLock and Clareity to incorporate multi-factor authentication measures for account access.

This issue affects all Realtors and their clients regardless of jurisdiction and so we call on all members to exercise added vigilance and caution when it comes to sharing information with colleagues. If you experience a lockbox breach or related act of vandalism, please:

  • Immediately contact your local law enforcement authorities.
  • Notify the Managing Broker of your brokerage office.
  • Notify your Real Estate Board office.