Wire Fraud Attempts Involving Residential Real Estate Transactions Are on the Rise
CHRISTIE’S International Real Estate hosted a conference in Buenos Aires last month for the owners of affiliated residential real estate companies. They presented information on the state of the global financial markets, with a specific focus on the equity markets and residential real estate; on trends in digital marketing; and on the demographics of real estate buyers and sellers. Perhaps their most interesting topic was a presentation from the FBI on cybercrime and wire fraud.
The FBI Points To Increased Cybercrime and Wire Fraud
As a matter of national security, the name of the FBI presenter and his presentation slides are not available. That’s unfortunate because the information he shared was both fascinating and frightening. Cybercrime, usually involving wire fraud and email phishing campaigns, is on the rise. Unwitting real estate agents and their clients represent an increasing number of the victims of such crimes.
The most straightforward execution of wire fraud in residential real estate occurs when a hacker “spoofs” the email address of a real estate agent, escrow officer, or lender and then arranges for the wire transfer to a bank account in the hacker’s control. Often, the initial fraudulent wire transfer is in the exact amount of the actual cash funds due to escrow. The funds are sent to a “money mule” bank account that’s in the hacker’s control.
How Cybercriminals May Be Targeting Real Estate Transactions
Email Hacking and Phishing Scams
There are two key steps in this process. The first step involves gaining access to the email account of the real estate agent, escrow officer, or mortgage loan officer. Alternatively, the criminal convinces one of these participants to compromise sensitive information about a transaction.
Gaining access is easier than the victims may ever suspect, especially for those professionals who use personal email addresses in business. Most phishing scams begin with a seemingly innocuous email that promotes a special offer or presents a compelling reason to click through to a webpage. Once the user clicks on the link, it often opens to what appears to be a business website or even a social media page. Then the user is confronted with a page that appears to come from their email service provider, prompting them to sign (back) into their email account.
That page, however, is fake. The page is not from their email service provider at all. It is a spoof page, designed only for the hacker to gain the username and password to the victim’s email account. Once the hacker has access to an email account, a waiting game begins. They may log in at off-hours to prevent any warnings that there are multiple users logged into the account simultaneously. They monitor the user’s email traffic for upcoming or pending transactions.
In this example, the hacker could be monitoring an entire transaction, right up until the buyer is expected to fund an escrow account. At that point, the hacker simply logs into the hacked real estate agent or loan officer’s email account and sends the unsuspecting buyer a closing statement, along with wire transfer instructions. These instructions are usually accompanied by some urgent prompting to wire the money quickly.
The unsuspecting buyer then wires the money. Since the dollar amount matches the closing statement and the correspondence has come from their trusted agent or escrow officer, they are none the wiser. Meanwhile, they’ve sent their money to the hacker, not to the escrow or title company that they intended. This example is just one scenario in which a hacker might be able to prompt a buyer to wire money to a fraudulent or “money mule” bank account.
Other scenarios involve email spoofing. In this method, instead of gaining access to a legitimate email account, the hacker “spoofs” the identity of one or more of the parties in the transaction. The party spoofed could be the real estate agent, mortgage lender, escrow officer, or even the buyer or seller.
Examples of “spoofing” include using a separate email address to impersonate one of the parties. Some cases of spoofing involve using slight spelling variations of a person’s name. For instance, email@example.com instead of firstname.lastname@example.org. Or, the hacker may use the same username added to a different domain. For example, if a buyer or seller were to receive an email from email@example.com instead of firstname.lastname@example.org, provided the names and titles of the email account owner were identical, the client may well assume the emails came from the same person.
In this instance, the hacker doesn’t need to do the heavy lifting of gaining access to an email account; they can simply spoof an email account and effectively impersonate one of the parties involved in the transaction.
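A sender check for the spoofing patterns described above, as an added example that is not part of the original article: it compares a From: header against the known parties to a transaction and flags a near-miss spelling, the same username on another domain, or a reused display name. The addresses, the KNOWN table, the function names and the edit-distance threshold of 2 are all assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: parties to one transaction (address -> display name).
KNOWN = {
    "jane.doe@agency.example": "Jane Doe",
    "escrow@titleco.example": "Title Co Escrow",
}

def edit_distance(a, b):
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, known=KNOWN, max_dist=2):
    """Return (verdict, matched known address or None) for a From: header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in known:
        return "known", addr
    local, _, domain = addr.partition("@")
    for k_addr in known:
        k_local, _, k_domain = k_addr.partition("@")
        near_local = edit_distance(local, k_local) <= max_dist
        # Right domain, username off by a character or two.
        if domain == k_domain and near_local:
            return "lookalike-username", k_addr
        # Domain itself is a near-miss spelling of a known domain.
        if near_local and edit_distance(domain, k_domain) <= max_dist:
            return "lookalike-domain", k_addr
        # Identical username moved to an unrelated domain.
        if local == k_local:
            return "same-username-other-domain", k_addr
    # Address is unrelated, but the display name copies a known party.
    for k_addr, k_name in known.items():
        if name and name.strip().lower() == k_name.lower():
            return "display-name-reuse", k_addr
    return "unknown", None
```

Any verdict other than "known" on a message that carries wiring instructions is a reason to verify by phone before acting on it.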
Either way, the buyer receives a valid-looking email with wiring instructions and perhaps even a closing statement. The buyer wires the money and often it takes days to discover that their funds were sent to the wrong account. This action – the wire transfer from the buyer to the bank account listed on the fraudulent wiring instructions – is known in FBI terms as “The First Hop.”
The “First Hop”
Surprisingly, the account on the receiving end of this wire transfer often belongs to yet another unsuspecting victim. These bank accounts are called “money mule” accounts. The owners of these accounts are often unknowingly participating in the fraud. They are encouraged to receive the money and then immediately forward it along via other means, such as Western Union or via wire transfer. These money mule victims are often “romance victims.” A romance victim is someone who’s had an ongoing romantic relationship with the hacker, often entirely online. The perpetrator then enlists the victim to help out in some way involving the money.
The premise used by cybercriminals might go something like this: “My mom is really sick and going into surgery, but I can’t send the money from my account (for whatever reason). Can I wire it to you and have you send it on? I’m going to send $50,000, but the surgery is only for $45,000, so you keep the $5,000 in your account, and then I’ll come visit you in a few weeks, and we can go have fun together.”
The victim, unaware of the circumstances, then receives the funds and helpfully wires them along to the “next hop.” The perpetrator typically ceases communicating with the romance victim at this time, perhaps until many months later, after the proverbial dust has settled. If both wire transfers happen quickly enough, the funds are increasingly difficult for law enforcement to recover.
The average robbery nets the robber under $1,000. The average bank robber steals around $7,000. The average wire fraud nets criminals about $137,000, and often much more.
The perpetrators of this type of cybercrime are located all over the world. Half of the adults on the planet have a smartphone and internet access. The allure of making hundreds of thousands of U.S. dollars by hacking or spoofing a few email accounts while having anonymous, online romantic relationships is powerful.
“The first thing you can do is to make sure that all of the agents in your company only use their company email address in business dealings.”
– An F.B.I. Expert on Cybercrime and Wire Fraud
How You As A Consumer Can Protect Yourself From Cybercrime
For starters, personal email accounts are more susceptible to phishing scams. People use personal email addresses for personal reasons. You’re more likely to follow links and log in to other online accounts using your personal email address. If, for example, you get an official-looking email from your favorite online store saying that you have a store credit, you’re more likely to click on the email, especially if you know you have an account with that store or company.
Perhaps more importantly, most personal email accounts aren’t employing extra security protocols such as two-step authentication, mandatory password changes, or key fobs.
The likelihood that you’ve been the target of a phishing campaign or email spoofing is close to 100%. If you haven’t changed your email password in a while, and especially if access to your personal email doesn’t require two-step authentication (i.e., confirmation via phone or text message), then there could be someone monitoring your email account right now.
Personal email accounts are simply more spoof-able than professional ones. Anyone can register an email address with a slightly different spelling of your username or domain name. The varying degrees of spoof-ability provide for countless attempts to impersonate you.
How Hawaii Life Protects Our Clients From Cybercrime
At Hawaii Life, we take critical steps to protect our clients’ identities, financial information, and financial transactions. We recognize that the use of multiple email addresses by our Hawaii Life team – even one personal and one business address – opens the door for clients and vendors to be unwittingly duped by the use or introduction of other similar email addresses by parties with nefarious intent.
To avoid email compromise, data breach, malware, phishing, and spoofing, Hawaii Life insists that company employees, agents and brokers only use their company email address for business transactions (for example email@example.com). This preventive measure is absolutely critical. Our decision to do so has little to do with branding or our clients’ familiarity of use, but rather, to protect our clients, agents and business partners from the types of cybercrime described here. At Hawaii Life, we are careful to communicate warnings about the use of personal email accounts to our agents and brokers, staff members and partners. In doing so, we hope to mitigate the risk to our agents of being unwittingly impersonated to their clients or our service providers.
As a company, we insist that all communications with our clients should transpire using our team members’ business email account because our company email accounts employ added security measures designed to protect the username and password of the Hawaii Life account holder. At Hawaii Life, we also use two-step authentication to ensure that the user has verified their identity via text message or a phone call. Our email provider also details active account usage right in the company inbox. If someone else is simultaneously accessing a company email address, the account holder is notified immediately from within their company inbox. Finally, we maintain a policy that only the escrow company should provide wire transfer instructions to our clients. For our clients’ benefit, we advise them to call and verify the accuracy of wire transfer instructions by speaking directly and in person with their escrow officer or mortgage broker.
Should you have any questions or concerns about email fraud as it relates to your interactions with any of our partners, Hawaii Life agents or brokers, please don’t hesitate to contact us using our website’s Chat feature, or by phone at 1-800-370-3848.