CYBER SECURITY TIPS: AVOIDING WIRE FRAUD
This is a brief summary of cyber security tips written specifically for Realtors. This summary does not cover all aspects of cyber security or wire fraud and is only meant to be used as a general educational resource. The following post is not to be taken as legal advice.
WHAT IS THE BASIC PROBLEM?
Cyber criminals will find or steal personal information with the intention of tricking or extorting individuals for their own financial gain. This is usually accomplished by first gaining access to victims’ emails.
Wire fraud specifically is becoming a rampant problem across the country. Between 2015 and 2017, there was a 1,100% rise in reported BEC (Business Email Compromise) scams and a 2,200% increase in reported monetary losses. These numbers have continued to rise steadily in recent years, and since the COVID-19 pandemic began people have become especially vulnerable as they rely more and more on online services. In this blog we will provide cyber security tips and information to help Realtors protect themselves from cyber breaches and prevent themselves and their clients from becoming victims.
DOES THIS REALLY AFFECT REALTORS AND THEIR CLIENTS?
Homebuyers/sellers are great targets for cyber criminals because they’re already prepared to send and receive large amounts of money for closing purposes. This makes Realtors especially vulnerable because they play the role of “middle man” for multiple parties in real estate purchases. Cyber criminals have realized this and, rather than putting in all the work to gain access to one buyer’s/seller’s email account, they tend to target Realtors’ email accounts instead. This allows the criminal to extort multiple buyers and sellers on multiple transactions. Realtors are the common thread on real estate transactions, so not only would these criminals gain information on numerous buyers, but they would also have information on buyers’ lenders, chosen attorneys, etc., making Realtors a one-stop shop for the personal data that hackers want.
HOW DO THEY GAIN ACCESS TO A BUYER’S OR REALTOR’S INFORMATION?
Cyber criminals will typically attempt to gain access to your accounts, devices, or entire systems through social media, hacking, phishing, and malware. Some of the main ways they target Realtors are:
- Recon: Using the Internet to identify good targets for email hacking
  - Cyber criminals will use professional networking websites like LinkedIn to learn about potential targets. LinkedIn can be used to find out which people are most likely to work in specific industries that have the information the cyber criminals want or to find the specific employees who handle wire transfers in a certain company.
  - They will then find those individuals on social media and look for anything they may have posted that would help them hack into their email. Facebook, for instance, can show them maiden names, dog names, favorite teachers, etc. This info is similar to the answers to popular security questions people use to recover their accounts.
- Account infection
  - This typically involves sending a spear phishing email with a malicious link. When the target clicks the link, the hacker gains access to the email account without the target ever knowing.
- Setting forwarding rules
  - Once inside the email account, the hacker can arrange for the target’s emails to be forwarded to an outside email address where the hacker can monitor them without being actively inside the target’s account.
  - The hacker waits for worthwhile information to come up. This is usually information on a specific closing, i.e., the buyer’s contact info, the lender they’re working with, the attorney/title company handling the closing, etc.
- Send fraudulent wiring instructions
  - Once the hacker has all the info they need, they may send out fraudulent wiring instructions to the buyer warning them to urgently wire funds for closing. These wiring instructions will usually come from a spoofed domain that is slightly different from the legitimate party’s, but still looks similar/professional. For example, they may act like the real estate agent and change john.smith@j&tbrokerage.com to john.smith@i&tbrokerage.com (notice the j changed to an i). This allows them to safely communicate with the victim without the infected party knowing. The email may even include a spoofed header from the agent or attorney’s office and will likely include private details from the closing such as a loan number in order to make the request appear legitimate.
  - If the buyer ends up sending their money to the fake account, it’s often not until everyone is at the closing table that they find out what actually happened, and at that point the money is long gone.
- Passwords for Sale
  - This is typically a result of mega breaches — those affecting over 1 million records, such as the recent Equifax & Yahoo breaches. Once those databases are hacked they are then posted or sold on the Internet.
  - Many people use the same password for multiple accounts.
  - If a hacker obtains the password to one of your accounts through these means, they will then try to use that same password to gain access to your other accounts, such as your email or online banking account.
  - Many people also use popular phrases/words, so sometimes hackers will pick the most popular password in the database and try it on hundreds or thousands of random accounts.
- Criminals impersonating vendors
  - A criminal will send an invoice for a product or service you ordered and received, but will change the payment details so that they receive the funds instead of the real vendor. This could include invoices for anything from a pest inspection to full closing costs.
- Fake invoices for non-existent services
  - There are so many parties involved in a real estate transaction, and some criminals try to take advantage of this by invoicing clients for services that were never even ordered. Some buyers who are unfamiliar with the home-buying process may simply pay the invoice without investigating it further.
- Double payment/billing
  - In this situation, a criminal may request a new earnest money deposit, stating that the original had never been received even though it really had. They may also request the buyer’s closing funds a day ahead of the closing, and since the buyer is expecting to pay it anyway they oblige. Once they’re at the closing table they realize they’re being billed for closing costs again because the first recipient was fraudulent.
HOW TO KEEP YOURSELF AND YOUR CLIENTS SAFE
- Use multi-factor authentication
  - This is offered on almost every major platform on the Internet. Use at least two-factor authentication for everything, not just your email.
  - An example of multi-factor authentication would be using each of the following in order to log in:
    - Something you know, i.e., a password
    - Something you have, such as a one-time PIN that is texted to you when you try to sign in to an app on your phone
    - Something you are, such as facial recognition, a fingerprint scan, etc.
- Always verify all wiring instructions by phone
  - Don’t ever rely solely on email communication.
  - When you call in, use a trusted phone number — fake wiring instructions will change the phone number in the header, so make sure you’re calling the right one.
- Take your time
  - These scams usually involve a sense of urgency — it is important to slow down and take the time to verify everything regardless of the deadline you’re given. Scammers will urge you to act quickly in order to prevent you from thinking too much about what you’re doing.
- Be careful on social media
  - Don’t post about specific closings you have coming up or tag clients you’re working with.
  - Look at the email addresses of people who contact you and confirm they are legitimate, verified addresses.
- Use a passphrase instead of a password
  - A passphrase is 15+ characters and can involve an entire sentence rather than one or two words or jumbled letters and numbers.
  - Passphrases take much longer to guess on quantum computers and therefore aren’t worth a hacker’s time.
- Be password smart
  - Use different passwords or passphrases for each of your accounts.
  - Change your passwords often.
- Use anti-virus software and scan often
- Verify your wire over the phone upon completion to ensure it has been received by the correct party
- Authenticate the email address before clicking anything inside the email
  - Ensure the sender is the person you mean to be speaking with and not a spoofed email address.
- Don’t ever click links sent to you from people you don’t know
  - Instead of clicking the link in an email or text, navigate to the website directly and search it from there.
    - For example, if a Realtor gets a text from a possible client with a link to Zillow for a house they’d like to see, rather than clicking the link the Realtor can just manually go to Zillow.com and search for the address mentioned.
- Don’t ever play the middle man with wiring instructions
  - A Realtor should never receive wiring instructions for a transaction.
  - The buyer should receive the wiring instructions directly from the attorney’s office and should never give them to anyone else, even other individuals involved in the transaction.
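The advice to authenticate the sender's address can be automated for the lookalike-domain trick described earlier (the j swapped for an i). The following Python check is an added example, not part of the original article: it compares a sender's domain with the domains of the known parties to a transaction. The trusted list, the confusable-character table, the distance threshold and the `example-title.com` and `unrelated.example` addresses are assumptions made for illustration.

```python
# Added example: flag sender domains that imitate a known party's domain.
# Character pairs often swapped in lookalike domains (assumed, not exhaustive).
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "j": "l", "0": "o", "5": "s"})

# Known-good domains for one transaction. The first is the article's own
# illustration; the second is a constructed placeholder.
TRUSTED = ("j&tbrokerage.com", "example-title.com")


def domain_of(address):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip(" <>.").lower()


def skeleton(domain):
    """Fold confusable characters so visually similar domains compare equal."""
    return domain.translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED, max_distance=2):
    """Return (verdict, matched_domain): 'trusted', 'lookalike' or 'unknown'."""
    dom = domain_of(address)
    if dom in trusted:
        return ("trusted", dom)
    for good in trusted:
        # Near miss of a trusted domain: treat as spoofing until verified by phone.
        if skeleton(dom) == skeleton(good) or edit_distance(dom, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("john.smith@j&tbrokerage.com",   # real party
                   "john.smith@i&tbrokerage.com",   # article's spoof (j -> i)
                   "closings@examp1e-title.com",    # constructed: 1 for l
                   "news@unrelated.example"):       # constructed: no relation
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is the case to act on: the address is close to a party you know but is not that party. With very short domains the distance threshold can flag unrelated senders, so lower `max_distance` if that happens.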
WHAT TO DO IF YOU OR YOUR CLIENT HAS BEEN A VICTIM OF WIRE FRAUD
- Call your bank immediately to initiate a kill chain
  - A wire can sometimes be recalled if the bank is notified of fraud within 72 hours.
- Change all your passwords immediately
- Report the fraudulent transaction to local law enforcement
- Report the fraudulent transaction to the FBI via www.ic3.gov
  - This website compiles data from multiple wire fraud cases to create a larger case against one criminal that would therefore be easier to prosecute.
- Check your email settings to ensure no one has added a forwarding address without your knowledge
We’ve created a wire fraud notice to help our agents inform their clients about the risks associated with wiring funds and how to protect themselves. This document is not necessary for closing with our office; it is just for your own use and to help you make sure you’ve properly informed your clients. Click here to download the wire fraud form.
Visit the FBI’s Scams and Safety page
Visit the FBI’s Common Scams and Crimes page
Visit the FBI’s Business Email Compromise page
By: Geoffrey K. Middleton
Attorney at Law
Written in May 2021