Every year, more than 5 million homes are bought and sold in the U.S. Given this volume, it should come as no surprise that the real estate industry is a prime target for email-based crimes. Cyber criminals are spoofing (and in some cases taking over) the email accounts of real estate agents, title companies, and others involved in the home buying process. Once the criminal gains access, he or she then uses the information gained from the hack to dupe victims into making a fraudulent wire transfer. While there are many techniques that can be used to compromise email accounts, the result of a successful attack is always the same: a massive payoff for the criminal, and a life-changing loss for the victim.
The latest real estate attack to make the news headlines is an email scam on a Supreme Court judge in New York, who lost more than $1M after being fooled by an email she thought had been sent by her real estate lawyer.
This type of attack typically begins when the criminals compromise the computer of someone who is legitimately involved in the transaction – like a real estate agent – by sending a convincing phishing email that appears to come from a trusted brand and tricks them into clicking a malicious link or attachment. (Remember how John Podesta’s email account was hacked during the presidential election? He clicked on a phishing email that claimed to be from Google!) As soon as they click, the computer is infected with malware and the criminal gains access to the system, including full details about the real estate deal – e.g., the property address, the closing date, the full amount, the down payment, the name of the bank, etc. The criminal then sends a spoofed wire transfer email from the compromised email account to the home buyer, with enough key details to be convincing, informing them that there has been a last-minute change to the wiring instructions. The new instructions then have the victim wire funds directly into the cyber criminal’s bank account, which can be cleared in a matter of minutes.
In my opinion, these types of attack are much worse than business email compromise (BEC) attacks because they target individuals, who instantly lose their life savings. They are also worse than phishing attacks, both because of the amount involved and because, with typical phishing attacks, where financial institutions are impersonated, the organization commonly reimburses its customers' losses. Instead, this type of email scam turns what should be the happiest moment of a person’s life – buying a new home – into one of the saddest. From the bank’s point of view, they were simply following the victim’s instructions, and the victim is left with no direct recourse. According to the FBI, victims typically end up filing for bankruptcy.
The recent attack on the NY State Supreme Court judge should serve as a cautionary tale; no one is safe from digital deception. Targeted email attacks are particularly pernicious because they leverage the familiar - in this case, a real estate agent known to the buyer - so it only takes a momentary lapse in judgement to become a victim. Everyone must do more to secure the identity and authentication of email.
What can you do?
If you are buying a home, don’t rely on email for information about a wire transfer – even if you are expecting it. Instead, call your real estate agent (or title company or lawyer), let them know you received the email and confirm not only that they sent it, but that the wiring instructions are correct. Once a criminal has access to an email account, it’s not that difficult for them to re-route emails to their own account, so they can change details before they forward the message on to the intended recipient.
If you are a business that’s part of the home buying process, ensure your email channel is protected. Implement a cyber security solution that prevents fraudulent emails from ever reaching your inboxes. This will ensure your system doesn’t become infected, and you don’t put your clients (or your business) at risk.