The scammers’ ultimate aim is to gain access to portals such as Zoopla, to place false rental property ads and obtain deposit monies from unsuspecting would-be tenants.
The scammers use the fraudulently obtained agents’ usernames and passwords to place the fake listings, with instructions for interested tenants to get in touch via an email address from which deposit monies are sought.
One such portal successfully targeted has been Lettingweb, a Scotland-based portal which lists agents’ properties and also places its agents’ listings on the big national portals including Zoopla.
Lettingweb has published an incident report showing that the data breach originated from one of its client agents whose username and password had been fraudulently obtained by the hackers through a phishing email.
These phishing emails are very subtle and can easily fool someone in the agency, especially when many of the staff members have access to portals using the full login details; it only takes a second’s lack of attention to get taken in by these clever fraudsters.
This incident should remind agents across the country that staff training on the secure use of usernames and passwords is of paramount importance to prevent these types of data breaches. One simple precaution is to have a two-person staff login: one staff member knows only the username and is sworn to secrecy, and likewise the other member knows only the password. Inconvenient at times, yes, but it prevents any one member of staff inadvertently giving away full access to the property listing portals.
The current data breach came to light after several Edinburgh tenants searching online for suitable accommodation came across a spate of ‘fake flat’ scams on property websites including Zoopla and reported them.
Teacher Elly Darragh told the news website Edinburgh Live last week that she found several fake rental property postings on Zoopla under the banners of legitimate estate agents. Fortunately Elly realised that there was a scam just in time. But she was very nearly fleeced by sending a deposit of hundreds of pounds for a very convincing advertisement for a deluxe flat on Edinburgh’s Lindsay Road, supposedly listed by a legitimate Aberdeen estate agent.
The upmarket flat had found its way onto the Zoopla portal under the banner of this reputable agency and understandably the teacher seeking the accommodation was keen to proceed and thought that it was safe to secure the flat by sending off her deposit payment.
Since the details of this “near-miss” incident were reported on the Edinburgh Live news website, a number of other would-be tenant readers have come forward to report similar scams that they came across. These were from this same agent along with other agents, which means the scam is more widespread than first thought.
Lettingweb.com is an aggregator service used by estate agents to relay their property placings across multiple property portal websites, the likes of Zoopla, Prime Location and Trovit, all in one go.
Zoopla, an Aberdeen estate agent and Lettingweb have admitted there has been a data breach but both Zoopla and Lettingweb have denied that they had suffered any breach themselves, Zoopla stating:
“We’re aware that fraudsters are targeting agents with phishing emails. They do this in an effort to get agents to share their login details so they can then upload properties. We work hard to prevent this and regularly share with agents advice on how to keep their businesses secure.”