Business Email Compromise Fraud
The staggering cost of email fraud has reached new heights. According to the FBI, cybercriminals involved in the Business Email Compromise (BEC) fraud collected almost $3.1 billion from organizations between January 2015 and June 2016 (FBI Alert from June 2016).
Over the past few months BEC has affected over 22,000 businesses in 50 states and 100 countries. The losses from the BEC fraud have increased by 1300% since January 2015.
Real Estate Wire Fraud and Buyer Psychology
Real estate is one of the industries plagued by the BEC scam. Real estate buyers routinely wire large sums of money to close deals. Most are not trained to recognize fraudulent emails, and can be easily deceived.
The typical real estate scam does not require cybercriminals to employ sophisticated technology tools. Instead, it mostly depends on them having detailed knowledge of real estate deals, and psychology of home buyers.
Buyers have to deal with mounds of paperwork to purchase a home, and most find it very stressful. They rarely scrutinize every single document or analyze details of every transaction involved in the purchase. Instead, they simply trust the agents they hired to do it for them.
How does it Work?
It all starts with a compromised account of a real estate broker or an escrow agent. Once criminals get access to the messages (either though phishing or keylogging), they collect identifying details on each deal that is about to close. Pretending to be the buyer’s agent, they message the buyer with money wire instructions, urging them to quickly transfer funds to close the transaction. Thinking the email came from their agent, targeted buyers transfer the money requested into the hacker’s account. From there, it is either immediately withdrawn by the hackers, or transferred overseas, making it very difficult to trace and recover.
After the Fact, or Recovery Efforts
Numerous real estate associations and banks have recently issued alerts, attempting to curb the quickly spreading scam. Unfortunately, once funds are transferred into the wrong account (and are cleared out by cybercriminals), it’s often impossible to get them back. Prosecuting wire fraud is a difficult and tedious task, and the recovery success rate is very low.
While it is possible to purchase cyber liability insurance, wire fraud is rarely covered by such policies. According to the survey conducted by Betterley Risk Consultants, in 2015, only 8 out of 31 leading insurance companies covered fraudulent wire transfers. The rest argued that if funds are transferred voluntarily (even if the victim was deceived to do so), the cyber insurance liability doesn’t cover the loss.
The best way to protect buyers’ funds is to take preemptive measures by both real estate brokers and agents, as well as buyers.
Preventive Measures for Real Estate Agents and Brokers
No agent wants to intentionally compromise the safety of his or her clients. However, since agents and brokers often work alone, or out of small offices, they often don’t have a dedicated IT person to help them chose the best technology to protect themselves and their clients from electronic fraud and cyber-attacks.
There are a number of things any agent or broker should do to decrease the chances of their clients being defrauded:
- Don’t use freemium email accounts – the so-called freemium accounts (Gmail, Yahoo, etc.) often do not require additional forms of authentication, making it easier for hackers to get access to emails. Using your own domain enables you to have much better control over security features of your account, decreasing the chances of an easy hack for cybercriminals.
- Enable dual authentication – the only thing protecting your data from hackers with a regular email setup is your password. Today, passwords are very easy to crack. Two-way authentication provides an additional layer of security, safeguarding content by requiring recipients to enter information only known to them to unlock each message. The required pin can be anything from a secret password to the last digits of the recipient’s phone number, or their zip code. The best way to protect sensitive content is to use a different pass code every time.
- Use digital signatures for all messages – digital signatures use encryption to secure documents, and they authenticate the sender of messages.
- Use encryption to communicate with clients – the content of messages can be intercepted in a number of ways. It can happen when a message is delivered to the mailbox, but it can also be opened and read by unintended parties on the way to the recipient. Essentially, encryption seals the message, allowing only the intended recipient to open and read its contents. For senders, encrypting messages is usually not a difficult task with the right product. Real estate brokers and agents can choose an encryption solution which enables users to seal their messages in one simple step.
- Change password frequently – although this is a basic requirement, a lot of users simply ignore it. It’s an important step, especially if you use the same password on multiple sites. Not all organizations always fully report that they have been breached, so there is no true way of knowing if your password is still secure. Frequently changing your password is a simple and free way to bolster the security of your email system.
- Ignore/Delete Spam – while it’s wise to scan your spam folder from time to time for possible false positives, there is no need to open messages from unknown senders. By opening and downloading content of unknown messages, you can get infected with malware. The effectiveness of modern spam filters is very high. For example, Google claims that it catches 99.9% of all spam messages, with the false positive rate of only 0.05% (Wired, July 2015).
- Keep all Apps up to Date – popular software apps are frequently updated to protect users from the latest discovered vulnerabilities. It’s another simple, but important step to protect your content from potential breaches.
- Use a Firewall – firewalls are designed to block suspicious activity caused by viruses or worms. For example, your firewall can alert you if your computer gets infected, and the malicious app tries to send your information to the hacker over the Internet (such as your passwords, financial data, etc.) Firewalls are the second line of defense after your anti-virus filter.
- Prevent Hackers from Using Similar Domains – this is another inexpensive step that can protect your clients, and your organization. By buying and registering domains which sound similar to yours, you prevent hackers from using them against you. For example, if for some reason, cybercriminals are not able to hack into a targeted email account, they may set up an email address with a similar looking domain to trick the recipient into thinking that the email came from the person they know.
- Educate Your Clients – hackers rely on home buyers trusting their agents and brokers. Some buyers may simply not be aware of the possibility of email fraud. By openly communicating with them about the recent trend, and the most common ways in which wire fraud occurs, brokers and agents help home buyers stay vigilant.
If You Know Your System Has Been Hacked
There are two things which should be done immediately. First, you should contact all your clients and explain to them what happened. Their sensitive personal information is now at risk, and you are at risk of being sued if you don’t properly disclose the breach. It is especially important to warn buyers with pending transactions.
In addition, the breach should be reported to the local realtor associations and the FBI. .
Preventive Measures for Real Estate Buyers
- Pay Attention to the Details and Trust Your Instincts – a lot of things can be spoofed and look genuine, from email signatures to complete websites. However, if your instinct is telling you something is not right, examine the email further. Is the contact information in the email matches the one you have in your records? Is the email address correct? If you don’t feel right about the message you received, don’t reply to the sender. Instead, contact your broker or agent immediately.
- Always Verify Money Transfer Requests Over the Phone – the easiest way to ensure the money request came from the person you know is to talk to him or her over the phone. Obviously, it’s important to use the phone number you have in your records, rather than the one provided in the email asking you to transfer funds.
Unfortunately, there is no one simple remedy that can shield buyers from losing their life savings by transferring money into the wrong account. Insurance policies often don’t cover the loss, and the typical recovery efforts are often ineffective. A combination of technology solutions (email encryption, dual authentication, etc.) and common sense is the only way to prevent cybercriminals from defrauding home buyers. Real estate professionals and home buyers have to work together, and always double checking details of large transactions before transferring funds.
Congress is actively attempting to pass a bill H.R. 2205 which would require the real-estate community by law to encrypt all information in transit. However, until this regulation is passed professionals in this industry must be vigilant and take the proper steps to ensure their client data is safe and they are not falling prey to any scams which could have irreversible effects to the client or the professional.
Todd Sexton is President and CEO, Identillect Technologies
Latest posts by Todd Sexton (see all)
- Pokemon GO and Your Privacy - September 2, 2016
- Technology is Moving, Are You? - August 1, 2016
- Cyber Liability Insurance – A “Nice to Have” or a “Must Have”? - July 26, 2016