As much as we all like to believe we’re savvy about attackers’ latest online fraud, phishing, and email scams, here’s a variation of one that’s shocking, potentially devastating financially—and that, surprisingly, many people aren’t aware of.
For Tina Brown and Phil DeMarco, it started in December 2017 when they decided to sell their home in New Jersey and purchase a new home in Colorado. The New Jersey sale was set to close on a Friday, the proceeds of which would be applied to the Colorado home, scheduled to close the following Monday. A week prior, the couple received an email from their realtor instructing them how and where to wire-transfer the closing funds, adding that she would be too busy to take phone calls for the next few days and they should reply to her only by email.
Many buyers, in their eagerness to follow instructions to the letter so they can get into their new homes quickly, have followed similar wiring instructions and found themselves not only without a new home but stripped of their entire life savings—stolen by scammers. It nearly happened to Brown and DeMarco, too, who initially forwarded the wiring instructions they received to the New Jersey title company. But almost immediately, they became suspicious of the email and called their realtor, who wasn’t too busy to pick up the phone and who told them she had sent no such email. The couple immediately notified the title company of the fraud.
In this case, timing and some healthy skepticism saved Brown and DeMarco. The attackers tried to pull off their scam a few days too early but were unsuccessful because the funds weren’t available—the New Jersey sale hadn’t closed yet. Had it closed the day the couple forwarded the wiring instructions to the title company, they would have lost everything.
“The scary part is how convincing the email was because it consisted of a carefully crafted thread of emails back and forth between our loan officer, title company, and our realtor,” said Brown. “And all of the names, addresses, phone numbers, and signature blocks were correct. Of course, as it turned out, the messages were all fake.”
To pull off this type of scam successfully, scammers first need all the right information about a pending real estate sale. They often get it by breaking into the email account of one or more of the parties involved. Turns out that’s not so difficult, given the enormous number of data breaches in the last few years that have dumped millions of stolen email usernames and passwords onto the Internet for attackers to use. (Visit https://haveibeenpwned.com/ to see if your own email account credentials have been stolen.) Brown noted that the scammer’s email messages mysteriously disappeared from her Inbox and moved to her Deleted folder within hours of receipt, indicating that her email account might have been compromised.
When attackers can’t break into email accounts, they just spoof email addresses instead. Being technically savvy consumers, Brown and DeMarco did some digging and discovered the scammers had used one of many questionable online email services—in their case, one run by a group of hackers in Germany—to impersonate all parties involved and make the emails untraceable.
Scammers often make their emails more convincing by either phishing the intended victim first, or adding details gathered from information that’s freely available online from company websites, syndicated real estate websites that include details about a property from the multiple listing services, and social media sites where people volunteer all kinds of personal information. If scammers don’t know the exact closing date of a real estate deal, no problem; it’s typically 30-45 days after the buyer has accepted an offer, and that’s easy for scammers to determine if they’re monitoring a property.
Despite many regional and national news outlets covering this scam, it seems to be growing. The FTC considered it serious enough to issue warnings in 2016 and 2017. Brown and DeMarco’s realtor, Christine Miller, said, “We had heard about it but hadn’t experienced it. Now, suddenly it’s gotten really bad.” An attorney for the Colorado Association of Realtors agreed, explaining that the emails are more convincing now with their involved conversation threads, and personalized details. They also have far fewer telltale grammar and spelling errors we have come to expect in email scams. Miller adds, “We’re informing all our clients of this scam and ensuring they understand that we never send wire instructions by email, nor does the title company.”
This particular home-buying scam is just one variant of many that fall under the umbrella of “Business Email Compromise (BEC),” which include any scam targeting businesses that regularly perform wire transfer payments. The Internet Crime Complaint Center (IC3), a multi-agency task force that includes the FBI, has been tracking all types of BEC scams (not just real estate) since 2013. In the US and internationally between October 2013 and December 2016, there were over 40,000 incidents that totaled $5.3 billion in “exposed dollar loss”—that is, dollars actually stolen and attempted stolen.1
We’ve written extensively on F5 Labs about impersonation fraud, phishing scams, and security awareness training, all of which are relevant to this topic. Real estate firms and title companies, at the very least, should warn their clients of the prevalence and sophistication of this scam and advise clients not to just be aware but to be on the lookout for it. Additionally, they can help clients by ensuring they understand the exact closing process, the parties involved, the manner in which they will be contacted, etc. Clients who have any doubts should be encouraged to call the known, legitimate phone numbers of agents and other representatives, especially regarding settlement funds or wire transfers.
In general, all organizations should be diligent about providing employees security awareness training about all types of scams, including email fraud, phishing, social engineering techniques, and malware. Here are a few tips to pass on to users:
Fortunately, this story had a happy ending for Brown and DeMarco, but for many others, it does not. With this particular scam, timing is everything. Potential victims should immediately contact the financial institution handling the wire transfer. In addition, they should report the crime to the FBI, and file complaints with the Internet Crime Complaint Center and the Federal Trade Commission.