Online criminals are targeting the real estate industry. In fact, they consider the industry to be low-hanging fruit. I recently contributed a few best practices on how to protect yourself against wire fraud scams and other cybercrime in the Inman News piece, “Scam steals closing money by hacking agent, escrow email.” Let’s examine the crime a bit more closely.
A real estate transaction includes a substantial amount of money. In many instances, the funds are transferred utilizing a wire transfer. Typically, transfers are encrypted and extremely secure. So, where is the vulnerability?
Here’s the scam
An online criminal hacks into a real estate professional’s email account. This is facilitated via a phishing scam or social engineering. In some cases, the perpetrator will even create inbox rules and filters to keep incoming messages out of sight.
I worked on a previous case where the perpetrator obtained a list of real estate agents’ email addresses and created a malicious email promoting a broker’s open house. When a user clicked on the call-to-action in the email, they were taken to a form prompting them to enter their email credentials – inadvertently giving their information to the hacker.
Once the perpetrator gains access to the real estate professional’s account, they sit back and monitor the conversation flow, unbeknownst to the user. They may also try to gain access to the client’s email account. When the perpetrator learns the closing details, they quickly send an email to the client (from the agent’s account) with fake wire transfer instructions. The client inadvertently wires the money into the criminal’s fake account, which is then cleaned out, and the hacker is never seen again. You can imagine how detrimental this could be.
It’s important to note that the techniques are growing increasingly sophisticated. I have recently learned of two new practices that make the wire transfer scam appear more legitimate and even more difficult to detect:
- Hoping to further deceive real estate professionals, hackers are purchasing and using domain names that are similar to the legitimate ones used by lenders. I have seen examples where just one additional character was added to the domain name. This subtle difference may go completely undetected on a smaller screen such as a phone.
- Hackers are now using Internet phone numbers such as Google Voice to enhance the scam. They will include the number in the email and/or wire transfer instructions prompting the client to call. The bad guy is on the other end of the call and confirms that the changes in the wire transfer are indeed legitimate, but of course they are not.
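To show how a lookalike domain with one extra character can be caught automatically rather than by eye, here is an added example (not code from the original article) that compares a sender's domain against a list of known-good domains using edit distance. It goes slightly beyond the one-added-character case and also catches a single swapped or dropped character. The domain names, `TRUSTED_DOMAINS`, and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample allowlist: domains you actually do business with.
TRUSTED_DOMAINS = {"acmelending.example", "harbortitle.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lowercased domain from a From: header value."""
    address = parseaddr(from_header)[1]
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return (verdict, matched_domain); verdict is trusted, lookalike or unknown."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted", domain
    for good in sorted(trusted):
        # A near miss is more suspicious than a domain that looks nothing alike.
        if edit_distance(domain, good) <= max_distance:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ("Closing Desk <closing@acmelendings.example>",
                   "agent@harbortitle.example",
                   "someone@unrelated-mail.example"):
        print(header, "->", classify_sender(header))
```

A "trusted" verdict only means the domain matches the list. Because the scam described above also sends from the agent's real, compromised account, a matching domain does not by itself prove a message is genuine.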
I recommend using two-step verification or multi-factor authentication to secure email. Both Google Apps and Microsoft Office 365 support the technology. I have it enabled on multiple accounts – across multiple platforms. The additional layer of security requires a user to enter not only a username and password but typically a verification code as well. The code is sent to the user’s mobile device via SMS or using a mobile app for verification. For a bad guy to gain access to an account, they would also have to have access to the mobile device.
Here are some other simple tips you can use to protect yourself:
- Real estate agents should never email or text their buyer’s wire transfer instructions.
- Do not click on suspicious hyperlinks or attachments in an email.
- Have up-to-date antivirus and security apps installed on your computer. Both Mac and PC users are susceptible to phishing scams.
- Use different passwords across multiple services (email, social media platforms, online banking, etc.).
- Passwords should be a minimum of eight characters and alphanumeric, and should include capitalization and special characters.
- If managing dozens of email passwords seems like a daunting task, a password manager application can help. I recommend LastPass, 1Password, or KeePass. I tested and wrote about these three apps for Inman News in a piece covering the Heartbleed bug.
Wire fraud is a real threat to the real estate industry with serious consequences. I have worked with the FBI, state police, and industry professionals on this crime. I believe we are at a fork in the road and real estate pros must decide between security and convenience.
Below is a video of Jessica Edgerton, National Association of Realtors® Associate Counsel, reiterating the scam and discussing the importance of security. Edgerton also discusses a popular rental scam and includes government resources for reporting cybercrime.