How To Avoid Becoming a Victim of Real Estate Rip-Offs
THOUSANDS OF HOMES ARE SOLD every day across the country. People who have worked hard and saved for years to purchase their dream homes are boxing up their belongings, preparing to put down new roots, and getting ready to make what will probably be the biggest financial transaction of their lives. Unfortunately, it only takes a cybercriminal a few minutes to spoil the American dream for a hopeful homebuyer.
One of the most rapidly growing and financially damaging business email compromise scams targets people working in the real estate industry: buyers, sellers, real estate agents, mortgage brokers, bankers, and title insurance companies.
Problems begin to arise when a cybercriminal compromises an email account of someone involved in the transaction—such as the buyer, seller, real estate agent, or closing attorney—and then creates a domain that is nearly identical to the real one. He’ll send an email to the buyers or someone at the title company, providing them with new bank account information for a down payment, closing costs, or the final purchase price.
In many of these cases, the stolen money isn’t wired overseas, because that request would raise a big red flag for the would-be homebuyer. Instead, the bad guys will use a mule account to acquire the stolen funds before sending them overseas.
In July 2018, the FBI’s Internet Complaint Center (IC3) reported that cybercriminals were increasingly stealing funds from the real estate sector, including title companies, law firms, real estate agents, buyers, and sellers. IC3 reported that fraud reports from people who were victimized by BEC scams involving real estate transactions increased by 1,100 percent from 2015 to 2017.
And, in the same time frame, the money lost to such scams increased by 2,200 percent, peaking at more than $18 million during the quarter ending in October 2017. In 2017 alone, IC3 reported receiving more than nine thousand complaints of online real estate fraud that resulted in losses of more than $56 million. In only the past few years, I’ve seen dozens of victims in Nashville, Tennessee, with losses totaling millions of dollars.
Businesses of all sizes have fallen victim to this BEC scam, and the cyberthieves are even tricking some very smart people. In June 2017, New York State Supreme Court Justice Lori Sattler was scammed out of more than $1 million after she was duped while trying to sell her apartment and buy another one. According to published reports, Sattler was attempting to purchase a new apartment when she received an email that she believed was sent by her real estate attorney.
The person claiming to be Sattler’s lawyer instructed her to wire $1.057 million to a specific bank account. Her stolen money was then forwarded to Commerce Bank of China, according to the reports. In August 2017, a Washington, D.C., couple was scammed out of $1.5 million as they prepared to purchase their dream home.
The couple, both of whom were federal government workers, planned to use an inheritance to purchase a bigger home for their family. They put down a $200,000 down payment and were preparing for closing when they received an email that appeared to come from their title company. They replied to the email, which instructed them to wire the remaining $1.5 million to a bank account.
But, when the couple arrived at the attorney’s office on the day of the closing, they were informed they’d been scammed. Investigators discovered that a cybercriminal had hacked into someone’s email account at the title company and spoofed an email to the couple.
The victims notified the FBI and sued the title company in hopes of recovering their stolen money. They were still able to purchase the home with the rest of their inheritance, the published reports said, but they never saw that $1.5 million again.
After the first traumatic experience, victims of real estate BEC scams usually don’t fall for them again—but it should never have happened in the first place.
When an email account is compromised, the bad guys read all the emails and it doesn’t take them long to figure out how a business operates. In one of the cases I investigated, the victim was a title insurance company. Title insurance protects buyers and mortgage lenders against defects or fraud with a title when a property is sold or transferred; a title company researches records to ensure that there are no undisclosed heirs to the property, unpaid taxes, pending legal action, errors, or fraud associated with the title.
This particular company outsourced most of its information technology infrastructure to a capable IT provider, which clearly understood information security. They had an excellent firewall established for the company and also installed an effective enterprise-level information security suite. The title company was better protected than most small companies.
Unfortunately, the bad guys were able to obtain the username and password for a real estate agent, whom we’ll call Amanda. She was representing clients who were in the process of selling a home. Amanda had a Gmail account with an email address of [email protected] (only an example) and did not have two-factor authentication turned on.
How did the bad guys gain access to her Gmail account? She might have clicked on a link she shouldn’t have clicked on, which would have allowed the cybercriminals’ malware to install a keylogger on her computer and steal her password. Or maybe there was an unreported data breach at a large supermarket, gas station, department store, or pharmacy, and Amanda’s username and password were among the ones stolen. Then the bad guys probably could have counted on Amanda being among the 60–70 percent of the U.S. population that uses the same password for every online platform.
This scenario probably sounds familiar to you by now, because it’s the genesis for almost every cybercrime. Armed with Amanda’s username and password, the cybercriminals could have easily logged into her Gmail account. If she had only installed two-factor authentication on her Gmail, the crooks wouldn’t have been able to break into it.
While reading Amanda’s emails, the bad guys discovered that she represented a couple that was getting ready to close a real estate transaction, and that Amanda was communicating with a woman we’ll call Beverly at a title company. The cybercriminals learned the closing date was only a couple of days away.
So, the bad guys registered an email account at a free email provider in the name of [email protected], and they were ready for business. They broke back into Amanda’s Gmail account and set up a simple forwarding rule. Any email that the title company sent to Amanda’s Gmail account would be forwarded to them.
Then the criminals sent an email to Beverly from their spoof email account. The subject line said, “Change of Plans,” and the message read, “Hi, Beverly, hope all is well. My clients just called and they want the proceeds of the sale to be wired to a different bank account.
I hope this isn’t too much of a pain in the butt. Please tell me what I need to do. Have a blessed day.” Since the bad guys had access to Amanda’s emails, they were able to write the email as if it came from her, using the same language, structure, and closing phrase.
Beverly quickly responded to the email, “This happens all the time, Amanda. Just send me the new bank account information.” Once Beverly received an email from the fake [email protected] address with the new bank information, she replaced the sellers’ account with the one controlled by the cybercriminals.
The closing went off without a hitch at the attorney’s office, but then, a few days later, the sellers complained that they still had not received $250,000 from the sale. The title company discovered that the money had been sent to a bank in Texas, and that’s when the finger-pointing started.
By the time I was called in to help about ten days later, the money was long gone. I contacted the bank and my contact there provided me with the account history and a fake West African passport, which the thief had used to open the account.
He’d even gone to the Texas Secretary of State’s website and registered a business in one of the sellers’ names, and the state provided him with a legitimate tax ID number. Then the bad guy, armed with the fake passport and real tax ID number, went to the bank and opened an account. As soon as the stolen money was wired to the account, he cashed it out in ten cashier’s checks ranging from $18,000 to $25,000.
Each of the cashier’s checks was written to someone different; the names matched the ones on the criminal’s fake passports. Once those checks were cashed, most of the money was sent to Nigeria. Our law enforcement partners were essentially chasing ghosts, and the money was already overseas.
The title company discovered it was legally obligated to pay the sellers their stolen money. It could have gone after Amanda, but she was only a part-time agent and didn’t have much money. She lost her commission on the sale, though, and her reputation as a dependable real estate agent was damaged forever. Beverly was fired for her mistake, even though she was only following the procedures that were in place at her employer. Someone always gets fired in these cases, remember?
Going back to the important points I made earlier:
1. Once your money is stolen, it is hard to recover.
2. The FBI’s chances of identifying the cybercriminals and putting them in jail are surprisingly low.
3. This type of crime could be prevented about 90 percent of the time.
How could this crime have been stopped? If Amanda had installed two-factor authentication on her Google account, the interlopers would have never gained access to it. But Amanda shouldn’t get all the blame, either. If the title company had implemented one simple policy, the entire mess might have been avoided.
It should have had this rule in place: any changes to the distribution of proceeds from the sale must be accompanied by a follow-up telephone call for verification. But even that policy could probably use a little more tweaking. What if Beverly had sent an email to [email protected] and said, “You know the policy; you need to call me.”
Then the bad guys might have called pretending to be Amanda with a cold, or they could have sent an email saying, “I can’t get to the phone, but my assistant will call you in a few minutes.” Or, even better, Beverly could have forwarded the “Change of Plans” email to Amanda at the address she knew to be correct instead of replying to the new mission-critical (and spoofed) message.
It’s up to the title company to develop an airtight policy to prevent millions of dollars from being stolen. If it doesn’t make necessary changes, it might continue to be victimized.
It’s so important that proper policies are in place and that they are shared with all third parties. A five-alarm siren needs to sound anytime someone wants to change bank account information. Everyone in the company needs to be suspicious of such changes and follow up with foolproof verification that doesn’t involve email or text.
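The policy above can be backed by a mail-triage check. The following Python sketch is an added example, not something from the original text: it flags a sender that merely resembles a verified contact, as the fake Amanda address did, and holds every payment-change request for phone verification even when the sender address matches. The addresses, the contact list, the 0.8 similarity threshold, and the keyword pattern are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed contact book: addresses the title company has verified by phone.
KNOWN_CONTACTS = {"amanda.agent@example.com"}

# Wording that asks to move money to a different account, in either order.
MONEY = r"(wired?|bank account|routing|proceeds)"
CHANGE = r"(different|new|changed?|updated)"
PAYMENT_CHANGE = re.compile(f"{MONEY}.{{0,80}}{CHANGE}|{CHANGE}.{{0,80}}{MONEY}", re.I | re.S)

def closest_contact(addr):
    """Return (known_address, similarity 0..1) for the most similar verified contact."""
    scored = ((k, SequenceMatcher(None, addr, k).ratio()) for k in KNOWN_CONTACTS)
    return max(scored, key=lambda pair: pair[1])

def triage(raw):
    """Classify one raw RFC 5322 message; returns {'action': ..., 'findings': [...]}."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    findings = []
    if sender not in KNOWN_CONTACTS:
        known, score = closest_contact(sender)
        findings.append(f"lookalike of {known}" if score >= 0.8 else "unknown sender")
    if PAYMENT_CHANGE.search(text):
        findings.append("payment change request")
    # A matching address proves nothing when the mailbox itself may be compromised,
    # so every payment change is held for a call to the number already on file.
    if "payment change request" in findings:
        action = "hold-verify-by-phone"
    elif findings:
        action = "review"
    else:
        action = "deliver"
    return {"action": action, "findings": findings}

def make_message(sender, subject, body):
    """Build a minimal raw message for the constructed samples below."""
    return f"From: {sender}\nTo: beverly@title.example\nSubject: {subject}\n\n{body}"

# Constructed samples; the spoofed body reuses the wording quoted in the story.
SPOOFED = make_message("Amanda <amanda.agent@example.net>", "Change of Plans",
    "My clients just called and they want the proceeds of the sale "
    "to be wired to a different bank account.")
GENUINE = make_message("Amanda <amanda.agent@example.com>", "Closing schedule",
    "Closing is confirmed for Friday at 10.")

if __name__ == "__main__":
    for sample in (SPOOFED, GENUINE):
        print(triage(sample))
```

A check like this only routes the message to a person; the verification itself still happens by phone or in person, using contact details that were on file before the email arrived.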
There was a time when people had to appear in person at real estate closings, but technology has spoiled us and we’re too accustomed to a streamlined business process. But it’s our insistence on being fast and efficient that has gotten us into all of this trouble. The criminals are winning. They’ve stolen billions and billions of dollars—and that’s only what’s been reported.
I have drafted a simple and realistic policy for real estate transactions, which is this: A title company must tell all its employees that any changes to bank information must be verified, but not by email or text. The title company employees must pass this information to real estate agents, closing attorneys, buyers, and sellers.
That way, there won’t be any surprises. Executives need to explain to every one of their employees that, if they fall victim to a BEC scam, they’re going to be fired. That might sound harsh, but these victims don’t have to be victims. A little caution and common sense will correct some of these problems.
If a client is located out of town, you better know what he or she looks like and then have a videoconference to verify any changes to the closing process. Will this slow things down? Of course, but it’s better to be safe than sorry, especially when it comes to potentially losing millions of dollars.
When I was still working for the FBI, I shared this policy suggestion during one of my presentations to real estate executives. A woman in the audience complained that it would be too difficult to implement. I understood and joked that nobody wants a guy from the federal government telling the private sector how to do its job. But it’s all about prevention, and if someone calls the FBI after the crime has already been committed, there’s sadly little it can do.
Unfortunately, many real estate agents are using unsecured AOL and Yahoo! accounts to do business, and they’re using these accounts to communicate with homebuyers and sellers every day. The bad guys will continue to target the real estate sector as long as these companies continue to do business as usual.
But what about you? What are you going to do the next time you buy or sell a house and a title company or real estate broker sends you an email instructing you to send 20 percent of your down payment to a certain bank account and routing number? If you’ve read this far, you’re hopefully going to pick up the phone and verify or, better yet, go to the office in person.