Cybersecurity Attacks in the Real Estate Sector: Business Email Compromise

February 18, 2019

Cybersecurity Attacks in the Real Estate Sector: Business Email Compromise

By: Charly Shugg

Business Email Compromise (BEC) is a sophisticated scam which targets businesses that regularly perform wire transfer payments. The Email Account Compromise (EAC) component of BEC targets the individuals that perform wire transfer payments. Over a five-year period from 2013-2018, the FBI reported a domestic and international exposed dollar loss of over $12.5 billion due to BEC/EAC crimes.[1] 

In 2017, a Public Service Announcement from the FBI warned of a BEC trend targeting a variety of profilesin the real estate sector, including buyers, sellers, title companies, law firms and agents.[2] The announcement highlighted the growing cybersecurity risks in the real estate industry. Between 2015 and 2017, victim complaint data indicated that the number of BEC/ EAC victims from real estate transactions rose more than 1,100 percent. These victims accounted for a nearly 2,200 percent increase in reported monetary loss.[3]

In July of 2018, the FBI released the following in a subsequent Public Service Announcement:

BEC/EAC actors heavily targeted the real estate sector in recent years. Victims participating at all levels of a real estate transaction have reported such activity to IC3. This includes title companies, law firms, real estate agents, buyers and sellers. Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate  transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals. The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.

WHAT TO WATCH FOR

All parties in a real estate transaction chain are potentially vulnerable to BEC/EAC attack. Real estate listing sites and other sources make a wealth of information publicly available. Therefore, attackers have easy access to potential victims’ information. 

Understanding the inherent vulnerability of email-based communication is critical. One of the latest attack trends is the compromise of individual email accounts through focused spear phishing (the practice of sending emails while posing as a trusted sender in order to get targeted individuals to reveal confidential information) performed on individuals involved with financial decisions. A popular tactic involves compromising individual email account credentials.

In this scenario, a spear phishing email is sent to a targeted individual (a financial decision-maker) containing what appears to be a legitimate OneDrive link to an encrypted document. Upon clicking the link, the user will see log-in options on the fraudulent OneDrive page, including login banners labeled “Login with Office 365,” “Login with Outlook” and “Login with Other Mail.” Once the user enters their email credentials using one of these selections, the information is captured by the attacker. The user is then provided with a fraudulent real estate marketing document to make it appear to have been a legitimate process. Now that the attacker possesses the user’s email account credentials, the attacker can log into the user’s account and view the inbox information to gain intelligence regarding the flow of money and usual transaction processes. On Office 365 email accounts, attackers have even been known to discretely set up automatic forwarding rules, make changes to email privileges and to delete certain incoming emails so that the authorized user is unaware of email communication occurring on their email account.

WHAT CAN YOU DO?

Your best means of risk mitigation is to secure your email account as much as possible and to establish secondary means of communication for fund transfer purposes. Most email providers have options for users to activate two-factor authentication. This typically involves entering additional data, such as a code transmitted through text message, to login to an account. Using two-factor authentication, even if a user gets tricked into providing their email account credentials, the second level of authentication makes it unlikely that an attacker will gain access to a user’s email account.

Real estate professionals should also consider establishing a secondary means of authentication for the distribution of funds. Many firms adhere to financial audit best practices that involve confirmation of any fund distribution, or changes to method of payment, or account information through verbal communication and/or a separate person.

It is important to remember that being proactive can help mitigate the reputational and financial risks to your business posed by BEC. Another way to protect yourself and your real estate business is to have an assessment of your network and operations done by a qualified cybersecurity professional who will help you identify weak and vulnerable areas.

IF YOU ARE COMPROMISED:

The FBI advises victims of BEC/EAC to act quickly and to do the following if you have discovered a fraudulent transfer. First, contact your financial institution immediately requesting the funds be recalled. Different institutions have different policies; real estate professionals should understand in advance how their financial institution is willing to help recover funds. Next, contact law enforcement – and since most financial institutions fall under federal regulations, your local FBI office would be the first stop. Law enforcement may or may not be able to assist the financial institution in recovering funds, however, filing an incident occurrence may assist both the financial institution and law enforcement in future recovery efforts. Lastly, file a complaint for BEC/EAC victims at complaint.ic3.gov.

Click here to learn more about Marks Paneth's comprehensive range of cybersecurity and risk mitigation solutions.


[1] FBI Public Service Announcement, I-071218-PSA, Jul 12, 2018

[2] FBI Public Service Announcement, I-050417-PSA, May 04, 2017

[3] FBI Public Service Announcement, I-071218-PSA, Jul 12, 2018