Incognito — March 2022: How Your PII Impacts the Housing Market

Welcome to the March 2022 issue of Incognito, a monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

• Real estate. How Personally Identifiable Information (PII), the housing market, and scams go hand in hand and how to avoid having your house stolen. 
• Recommended reads, including “LinkedIn Phishing Scams Up by 232% Since February.”
• Q&A: What are dark patterns? Are they actually bad?

If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter.

House prices may be soaring, but that hasn’t stopped Americans from going on a “near-record homebuying spree” during the pandemic. In fact, the sudden shift to hybrid work models combined with relatively low interest rates and pandemic savings have prompted more people to consider buying second and even third homes.

However, potential home buyers were not the only ones busy during the last few years. Amidst the chaos of the COVID-19 crisis, criminals also ramped up their activities, including identity theft. For example, in 2020, about 49 million Americans fell victim to identity theft, costing victims a total of almost $56 billion.

While identity theft is most commonly associated with drained bank accounts, few realize that as long as criminals can access people’s personal information, including their real estate data, they can also steal their homes.

Your Real Estate Data Is (Very) Public

In the US, the real estate recording system is based on open access. That means that any information about a home purchase is public record.

Anyone can perform a property record search to find out things like who the owner of a home is, how much they paid for it, when they purchased it, its square footage, property deeds, terms and conditions of a mortgage loan (if applicable), tax liens (if applicable), and even the owner’s personal history, like if they’re divorced or facing bankruptcy.

Real estate records are easily available. 

Individuals can access this data through entities like the county courthouse, city hall, and county clerk recorder’s office. 

• In many cases, people don’t even have to leave their homes to find this data, as most agencies upload their records online. 
• Data brokers also collate this information, which they get from deed registrations, magazine subscriptions, phone connections, and the US Postal Service. However, data brokers also have other, very personal data on individuals, like their race/ethnicity, income, and presence of children, among other things.
• Real estate property data + other personally identifiable information (PII) = Identity theft waiting to happen.

Exploiting the New Kid on the Block

At the very least, moving home will lead to predatory junk mail, targeted ads, and spam calls. This is because data brokers place people they know have bought a new home into “new movers” lists. These lists are frequently sold to furniture and appliance dealers, doctors and dentists, lawn maintenance services, and other businesses.

Experian, a data broker and credit reporting company, that has information on over a billion individuals, sells a “new movers mailing list” to local businesses so that they can get to “know prospective clients, including trade-up homebuyers, apartment renters, corporate climbers, and retirees.”

A Bigger Issue: Real Estate Scams

Identity theft. If a criminal can get their hands on your personally identifiable information, including your Social Security number, they can potentially trick a bank or a mortgage broker into thinking they are you and take out a mortgage loan in your name.

For example, in late 2021, seven individuals were sent to prison for stealing the identities of absent homeowners with no mortgages, falsifying loan documents, and opening bank accounts in their names. They then used the loan money to buy luxury cars and other expensive items.

Deed fraud. Using personal information found online, criminals can impersonate a homeowner to transfer the title of their home to themselves. While abandoned and vacation homes are the prime targets for this scam, some criminals will go after occupied homes as well. In the latter scenario, a homeowner may not realize what has happened until they go to sell the home or receive notice of eviction. In 2020 deed theft netted scammers $547 million.

Once a criminal has obtained a person’s home title, they can:

• Live there. Although this is rare, it does happen with unoccupied properties.
• Rent or sell the property. Once again targeting unoccupied properties, this type of scam can provide criminals with regular monthly payments from clueless tenants or profit from a home sale to a legitimate buyer.
• Apply for a home equity line of credit. Opened in the victim’s name, this allows the criminal to take out equity against a home and not make the payment.
• Refinance a mortgage. Here, criminals cash out the equity, taking the difference. Because criminals won’t pay the new mortgage, victims can end up facing foreclosure.

Foreclosure rescue scam. This scam starts with criminals identifying homeowners that have fallen behind on their mortgage payments through the internet or public foreclosure notices in newspapers. The criminal (or “rescuer”) then contacts the homeowner, assuring them that they can help them save their home. In the end, they usually make a profit from fees or direct mortgage payments, while the victim loses their home to foreclosure.

How to Avoid Real Estate Scams

• Keep an eye on your property deed’s status. Do this regularly to ensure no one is attempting to take over your ownership rights. If you notice any suspicious paperwork or a signature that isn’t yours, look into it immediately. 
• Review your home equity line of credit. Periodically check your credit reports to confirm that criminals have not opened a home equity line of credit in your name.
• Question all unusual communications. If you’re contacted by a mortgage company you don’t recognize, investigate the matter further, even if the mail is addressed to someone else. Reading what she thought was “junk mail” is exactly how one woman discovered her home was stolen.
• Be wary of missing bills. Missing bills or automatic withdrawals that no longer happen could indicate a change in deed status. If you don’t live in a property, get your bills redirected to you.
• Keep your personal information off the web. Don’t overshare on social media, be wary of the things you post on forums like Reddit, and continuously remove your name from data brokers and people search sites. The less you share online, the less information data brokers will be able to acquire about you, making you a less attractive target for identity theft.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape.

Apple Is Working on Air Tags’ Privacy Features After Reports of Stalking

By connecting to nearby Apple devices, Apple AirTag trackers can help people find their keys and wallets. However, they are also increasingly being used to stalk individuals without their consent and steal luxury vehicles. In response, Apple has issued a statement notifying iPhone users of upcoming software updates that will alert them of unknown AirTags and make it easier to locate them.

Google Plans to Stop Cross-App Tracking Android Users

Following in Apple’s steps, Google recently announced that it would end cross-app tracking on Android devices. Instead, the tech giant is designing a new system that it claims will promote user privacy while at the same time keeping advertisers happy. However, Google made it clear that nothing will change for at least two years, giving the advertising industry ample time to prepare.

LinkedIn Phishing Scams Up by 232% Since February

LinkedIn phishing scams have grown by a whopping 232% since February 1st, 2022. Taking advantage of “The Great Resignation,” scammers are replicating LinkedIn email messages. Although the emails look a lot like they come from the social media site (with subject lines like “You appeared in 4 searches this week.”), the webmail address is obviously fake, and clicking on the malicious link brings victims to a site that harvests their LinkedIn credentials.

500 e-Commerce Sites Compromised with Credit Card Skimmers

Hackers compromised around 500 e-commerce shops, including Segway, by installing credit card skimmers on sites running an outdated version of the e-commerce platform Magento CMS. When shoppers entered their credit card details, the information was sent to attacker-controlled servers. The frequency of these types of attacks has grown in the past five years, as has their sophistication.

You Asked, We Answered

Here is a question one of our readers asked us last month.

Q: When logging in to a site, is it better to use an existing social media account (like Facebook or Google) or email address? 

A: Logging in with an existing account may be easier, and from a security perspective, it may even be safer. However, from a privacy perspective, it is not recommended.

The reason why is that when you log in to a website with another account, you are, in most cases, permitting data sharing between the two sites. For example, when you use Facebook to log onto a site/app, it can ask Facebook for up to 40 different permissions, including access to your timeline, photos, and friends’ list.

Clearly, then, you should only use social media sign in with sites/apps you trust. It’s also a good practice to keep a close eye on your preferred social network’s privacy policy.

If, however, you’re worried about giving away your email address (which, with scams and phishing attacks soaring, is totally justifiable), consider using a masked email when signing up for sites/apps you don’t entirely trust.

Q: What are dark patterns? Are they actually bad?

A: Dark patterns are practices that trick users into taking action on a website/app/email/form/etc. that they didn’t necessarily intend to/want to take. 

Sometimes, dark patterns can be attributed to poorly designed UI and UX experiences rather than deliberate manipulation. Other times, these deceptive practices are intentionally built into the UI.

Examples of dark patterns include:

• A streaming service that automatically charges you after a trial expires.
• An ad that pops up on a website/app and that you can’t exit because the “x” is too small for you to see.
• A sign-up process that makes you think you have to provide certain personal data to create an account with a website/app, when, in fact, you do not (for instance, the messaging board Reddit asks you for your email address, but few people realize they can just click “Continue” to register without one).
• A countdown clock that manipulates users into making quick decisions (popular on e-commerce sites).
• A pop up that guilts you into signing up for something or makes you feel stupid for not doing so (for example, a 20% discount code that you can get by sharing your email. The alternative is to click “I don’t want 20% off.”)

You can see more types of dark patterns on darkpatterns.org, a website by UX specialist Harry Brignull who came up with the term in 2010, with real-world examples (“Hall of Shame”) from Google, Facebook, Amazon, LinkedIn, Apple, and more.

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @Abine or @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.