Real estate wire transfer fraud is just one example of the many common and devastating cyber risks we face. Cyberattacks are growing and evolving at a staggering rate.
William and Nancy Skog had cherry-picked an impeccable, perfect, river-front residence in Wilmington, Illinois. Exhilarated by the thought of moving into their dream home, the Skogs could practically see their new lives—watching the tranquil riverboats cruise by and listening to the water birds sing. There was one final step needed to finalize their purchase—wire $307,000 in closing costs to their real estate attorneys. Having received an email with payment instructions sent from what looked like a legal assistant at the firm, William and Nancy wired over their entire life savings—$307,000. Their new life was about to begin. Days later, however, the couple sat across from their lawyer at the closing table and learned their payment never arrived. The Skogs immediately panicked. If their attorneys didn’t get the money, who did?
Let’s take a closer look at the details of the wire transfer scam. All $307,000of the Skogs’ hard-earned cash had vanished without a trace. Fraudsters, impersonating their real estate attorneys, had pocketed the entire wire transfer. Almost everything in the closing cost email the Skogs had received looked genuine. The email signatures appeared authentic (because the bad actor copied and pasted the real one), the file attachment had the attorney’s actual letterhead, and the details of the real estate transaction were accurate.
How could a bad actor obtain all of this information? A variety of attack methods and vectors could have been used: including compromising one or more email accounts of those involved in the transaction, pretending to be a prospective client and emailing the fi rm to obtain a response and thus an email signature, or finding the attorneys’ letterhead via an Internet search.
Bad actors use automated hacking software that scans data breach dumps for email addresses of people working in a specific industry, such as real estate. Once they collect a list of email addresses, they send phishing emails (an email-based, social engineering attack) to obtain the victim’s email account password fraudulently. Once they have the password and successfully gain access, they research and monitor real estate transactions in flux. When the timing is right, bad actors send an email to home buyers with “new” wire transfer instructions. It can be easy for victims to believe the malicious email is legitimate, since it can actually be sent from the authentic (hacked) account of one of the real parties involved.
WARNING The best method of protection is to not trust email and to be extremely cautious when receiving emails requesting money.
Despite the scam’s convincing elements, there were indicators something was wrong. The fraudulent email used unorthodox sentence structure, such as “. . . and have us set ready your closing.” Notice anything yet? But beyond suspicious grammar, what could have tipped the Skogs off to the fake email sent by the bad actor? The sender’s email address and links might have contained clues. Hovering over any links in the email could have produced red flags, like different or similar-looking URL addresses (for example, RealEstate.com versus the malicious URL RealEstate-co.com ).
Next, the circumstances themselves were reason enough to be wary. Cyberattackers and scammers target their victims in moments of heightened emotion. People are often distracted and/or overwhelmed when scared or elated. In the case of the Skogs, the adversary recognized an opportunity when the Skogs were buying their dream home—a scary and thrilling life event. It was the perfect storm of emotions to render the Skogs vulnerable and allow the scammers to steal the couple’s hard-earned life savings successfully when they least expected it. The couple’s only saving grace was their daughter, who purchased the home for them.
The Skogs’ tremendous loss to real estate wire transfer fraud is indicative of a growing epidemic. In 2016, the FBI found that $19 million in real estate transactions were “diverted or attempted to be diverted” by bad actors, and that amount increased to practically $1 billion in 2017—a 5,163 percent increase in just one year. 2 The cruelest part of real estate wire transfer fraud is the rare chance of ever recovering stolen funds. According to James Barnacle, chief of the FBI’s Money Laundering Unit, “I don’t want to set false expectations for consumers. The chance of recovery here is slim.”
Real Estate Wire Transfer Fraud Prevention Steps
Now that you’ve learned the life-shattering reality of real estate wire transfer fraud, here are some essential prevention steps:
■ Before performing a wire transfer, confirm the exact closing instructions with your real estate broker, attorney, or both, in-person, over video or on the phone. (Remember to validate their phone number first.)
■ Verify all emails received are genuine. Look out for red flags indicating a phishing email attack, and be suspicious of clicking any email links or opening any file attachments. (You will learn more about phishing email attacks in Chapter 4 and Chapter 5, as well as how to protect your email in Chapter 12.)
■ Review other payment options that can potentially provide more protection than a wire transfer, like a cashier’s check.
■ Initiate a test wire transfer for $100 and confirm the intended recipient received the wire transfer.
■ Don’t use insecure Wi-Fi to access or send email communications about sensitive transactions. (See Chapter 15 for safe web browsing practices when using public Wi-Fi.)
■ Secure your email account with two-factor authentication, and use a strong and unique password for each of your accounts. (See Chapter 15 for details on protecting web access and passwords.)
■ Consider using a secure method of file transfer and storage. Use a paid version of Box.com or similar trusted cloud environment. This will allow you to transfer files securely and control which email addresses can access the files.
■ Check to see whether your financial institution has insurance available for purchase to protect you from wire transfer fraud liability. Banks are just starting to sell policies for wire transfer fraud protection up to a certain amount. Because there’s no standardized, one-size-fits-all policy, check the fine print for variations among banks.
If You’re a Victim of Wire Transfer Fraud
If you’ve fallen victim to a real estate wire transfer scam, here are immediate incident response recommendations:
■ Call the bank that sent the transfer to discuss your options.
■ Alert the bank on the receiving end to discuss your options.
■ Notify local law enforcement, and file a police report.
■ Notify your local FBI field office, and file a complaint.
■ Visit the FBI Internet Crime Complaint Center (IC3) and file a complaint online at https://www.ic3.gov/default.aspx.
Real estate wire transfer fraud is just one example of the many common and devastating cyber risks we face. Cyberattacks are growing and evolving at a staggering rate, but by continually practicing the handful of basic protection techniques you’ll soon learn, you can strengthen your cybersecurity with ease.
About the Author:
Bart McDonough is the author of Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals and CEO and Founder of Agio, a hybrid managed IT and cybersecurity services provider. Prior to founding Agio, Bart worked at SAC Capital Advisors, BlueStone Capital Partners, OptiMark Technologies, Sanford Bernstein and American Express. Bart attended the University of Oklahoma and received his undergraduate degree from the University of Connecticut.