What do Sam Debord and Sue Dietz share in common? At least 2 things – both work in real estate, and both have had their names used in the growing targeted phishing real estate scam. This should come as no surprise – the real estate industry has a couple of key ingredients that make it a serious target for scammers.
The Perfect Storm for Targeted Phishing Attacks
There are two very important ingredients that make a targeted phishing attack attractive to scammers. The first ingredient is large financial transactions, which may often be sent online or by wire. Whether it’s the buyer who doesn’t consider email security when making the final payment, or the seller who might be part of a firm that doesn’t have a strict email security policy (or may be using an account compromised by another email attack), there are easy vulnerabilities that cyber criminals can exploit.
The second ingredient is a target group that is often very susceptible, either because of a lack of security awareness and training, or because of the highly emotional process of both buying and closing on the sale of a home. The pressure, enthusiasm and nerves to get a deal done on both sides are enormous, and can easily lead to irrecoverable mistakes if a malicious actor has entered the fray.
Petty Email Crime Goes Big Time
Sean Smith and Erin Wrona were one couple whose enthusiasm may have gotten the best of them, or who may have fallen victim to a mistake. Ready to close their purchase of a $1.57 million home, they wired the money to what they believed was an escrow account held by the home’s title agency. When they showed up to sign the final papers a month later, a lawyer informed them that no one at the title agency had seen the funds or even knew that the money had been sent. They had fallen victim to an imposter, who compromised an account within the title agency and sent a fraudulent email claiming last minute changes to the wiring instructions, directing the closing costs to a different account – that of a cyber criminal.
While Smith and Wrona were still able to assemble funds and purchase the home, they set a dangerous precedent for any title agency or real estate firm not using sufficient cybersecurity and insurance measures – they filed suit against the title agency.
Not only were they suing for $1.57 million in lost funds plus punitive damages and attorney’s fees but also close to $5 million for negligence based on the RICO Act – the “Racketeer Influenced and Corrupt Organizations” Act – in which they allege that the organization effectively aided the criminal organizations responsible for their lost funds through criminal negligence, being unaware of the commonly known cybersecurity risks present in the industry.
RICO is typically used against the mafia, cartel members, and other leaders of organized crime. Damages even several orders below this degree can bankrupt title agencies and real estate firms that receive only small percentages of the large transactions they manage. Even more astounding is how simply the title agency could have addressed its email concerns and avoided this whole fiasco. The most crucial claim in the plaintiffs’ case is as simple as the following passage from the lawsuit brief:
“Upon information and belief, if Defendants did not intentionally convert the funds, then they failed to take even basic security measures to secure their email accounts, including:
a. Using an email address that requires additional forms of authentication;
b. Using digital, encrypted signatures for messages;
c. Using encrypted communication with clients;
d. Frequently changing passwords”
$7.5+ million is a steep price to pay for not properly securing and changing passwords or using email encryption that can cost the average small title agency less than $1000 per year. While the jury is still out, as a business, “caveat emptor” doesn’t or at least shouldn’t be relied upon to cover negligence in securing your emails. Even if the company is found to be not guilty, there’s undeniable damage done to their reputation.
Compromised Email Accounts a Common Problem for Title Agencies
While this was a sizeable scam, it is part of a growing and frightening trend. The specific Business Email Compromise or Targeted Phishing scam (with some Email Spoofing to boot) is seeing explosive growth. The Internet Crime Complaint Center (IC3) saw a 480% increase in the number of complaints filed by title companies in 2016 that they were targeted by a Business Email Compromise scam. In addition, this is likely underreported, since many agencies may not realize if they were targeted by an attack, and many others who were victimized by a successful one may seek to keep it under wraps. The modus operandi of cyber criminals here was to gain access to an email account, often through a targeted phishing attack, and find transactions that were in progress or waiting to be executed. At that point, the title agency and its customer are most vulnerable, meaning that the chances of success are at their highest and the payoff for the scammer can be significant.
Thwarting A Targeted Phishing Real Estate Attack
Paul Strohmeier and his wife nearly lost their waterfront dream home last year, but their diligence in reading their contract saved them from a near disaster. He realized that the wire transfer his title agency apparently requested was to a bank 2,000 miles away, while the closing documents he had previously received indicated that he was to close any transaction locally.
There are all kinds of advice available to end users, but it can be difficult to know what to follow. Within the real estate transaction, the buyer is placing their trust in the experience, expertise and authority of the seller and those responsible for the successful completion of the transaction. For example, the Federal Title and Escrow Company provides a few tips, including that buyers should: verify wiring instructions, verify that the email they receive is secured, verify the receiving bank’s name, and others – all placing the onus on the email receiver, and all creating more risk for the title agency itself.
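The verification those tips describe, as an added example (not from the original article or any title agency's tooling): it compares an incoming wiring-instruction email against details recorded from the closing documents, the same mismatch Strohmeier caught by hand. All names, domains and account values are constructed, and a single-part plain-text message is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed record: what the closing documents on file say (all values made up).
ON_FILE = {"bank": "First Example Bank", "routing": "000000000",
           "account": "1234567890", "sender_domain": "title-agency.example"}

# Constructed sample: sent from the agency's real (compromised) mailbox, so the
# From domain is genuine and only the content and Reply-To give the fraud away.
SAMPLE = """\
From: Closing Desk <closing@title-agency.example>
Reply-To: closing@title-agency-escrow.example
Subject: UPDATED wiring instructions

Due to a last minute change, please wire closing funds today to:
Bank: Example Coastal Bank
Routing: 111111111
Account: 9876543210
"""

CHANGE_WORDS = re.compile(r"\b(updated|revised|new|changed?|last[- ]minute)\b", re.I)

def _field(body, label):
    m = re.search(rf"^{label}\s*[:#]\s*(.+)$", body, re.I | re.M)
    return m.group(1).strip() if m else None

def check_wire_email(raw, on_file):
    """Return the reasons this message must be confirmed by phone before paying."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumes a single-part, plain-text message
    reasons = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if from_dom != on_file["sender_domain"]:
        reasons.append("sender domain differs from agency domain on file")
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To points to a different domain than From")
    for key, label in (("bank", "Bank"), ("routing", "Routing"), ("account", "Account")):
        seen = _field(body, label)
        if seen is not None and seen != on_file[key]:
            reasons.append(f"{key} differs from closing documents")
    if CHANGE_WORDS.search(msg.get("Subject", "") + " " + body):
        reasons.append("message announces changed instructions")
    return reasons

if __name__ == "__main__":
    for reason in check_wire_email(SAMPLE, ON_FILE):
        print("HOLD:", reason)
```

A message that passes every check is still only as trustworthy as the mailbox it came from, so any hit here means confirming by phone on a number taken from the closing documents rather than from the email.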
Real estate firms must take preventative measures to protect their clients. Their clients aren’t legal experts, but as more attacks adopt more sophisticated technology and tactics, the industry faces upheaval if it doesn’t take action to protect its customers. Ultimately, there are easy steps to take for real estate companies and agents to protect their emails.
How to Protect Yourself and Your Clients from a Targeted Phishing Attack
Here are 5 must follows for any organization:
Cybersecurity Awareness and Training
No organization is too big or too small to have proper employee cybersecurity awareness and training. Scammers are looking for opportunities, and will often go after SMBs knowing that they are less likely to have a strong plan and cyber defense in place. The bigger the company, the greater the number of malicious emails being received. The smaller the company, the lower the frequency, but the greater the risk that a successful attack will do irreparable damage. Your awareness and training doesn’t need to be overbearing. Use “carrots and sticks”. Don’t make things too complex.
This is a no-brainer. Use the right email security service that will protect you from any form of spoofed email, reducing the likelihood of a successful targeted phishing attack compromising an account.
With a leading spam filter, you can stop the majority of a wide variety of email threats. Many phishing, spear phishing, BEC, malicious attachment, and other threats start with a spam email.
MFA (Multi-Factor Authentication)
Make sure you’ve enabled multi-factor authentication. This can include vocal confirmation as one of the steps. For example, let clients know that before making any financial transaction, they should call a specific number to confirm that the payment is being made and to what account. Even that is often not enough, though. Make sure anyone using your company email can’t reset their passwords too easily. And for any financial transactions, make sure your methods of processing money are 100% impossible to hack.
For really important emails, such as those requesting funds and payment details, using secure email encryption ensures that critical emails are password-protected and require unique access rules only known within an organization, meaning important emails aren’t viewable from compromised accounts.
And of course, you may want to educate your client a bit about the process well in advance to ensure that anything out of the ordinary is immediately flagged by them. Make them very aware of exactly what to expect and where payments will be made, and do so in person or at minimum on the phone. This way, the process isn’t visible if an account is compromised, preventing hackers from gaining access to how you operate.
A little due diligence can save anyone headaches and money down the road. It appears that the targeted phishing real estate attacks are increasing in gravity and frequency. Taking the steps to protect yourself is a better idea than waiting until after something bad happens. With a good ounce of phishing prevention, there are many pounds of cure to be secured.