Business Email Compromise: Phishing for Real Estate Deals

Buying or selling a home is a stressful process involving buyers, sellers, two sets of real estate agents, banks, mortgage brokers, title companies, insurance companies and lots and lots of arcane paperwork. What could possibly go wrong?

Many phone calls, text messages and emails later, you’re finally approaching closing day. You finally get an email from the title company with wire instructions for the down payment, and you wire the money in time for closing. Except you have no idea whether that email actually come from the title company. You just wired a very large sum of money to an untraceable third party. This probably happened on a Friday, and within a couple days the money has disappeared into the dark depths of the criminal underworld.

What you just experienced is a Business Email Compromise (BEC) scam. According to the FBI, BEC scams are a $12 billion industry and growing, and real estate transactions are an attractive target due to the large sums of money involved. The FBI Internet Crimes Complaint Center (IC3) reports that in 2017 alone, there were 9,645 cases of real estate fraud, and almost a 2200% increase in the monetary loss between 2015 and 2017.

The Rising Threat of BECs

So what exactly is BEC and how do hackers get away with it? BEC is a type of email fraud that targets individuals through social engineering and email spoofing. The email usually comes from what appears to be a legitimate third party or an internal employee, usually an authority figure like the CEO or CFO, inducing the target to authorize or initiate wire transfers to a bank account controlled by the perpetrator. The money is then quickly transferred out of that account, often spread out to multiple accounts from where it’s very difficult to trace.

Wire transfers cannot be reversed, and even in cases involving fraud, they can only be reversed if the receiving account still has the funds, which is almost never the case. So that money is lost for good. This is what makes BEC such an attractive method for cybercriminals.

Real estate as a sector has been a target for scams that span the gamut from wire transfers and home inspection to mortgage and title / deed frauds. You can learn more about real estate scams here.

Social Engineering at Work

BEC scams target individuals who are primed for compromise – usually involving stressful situations like a real estate transaction where you deal with a large network of relatively new third parties, like bank employees, title agents, and brokers. There is almost always an element of urgency, such as the impending closing date. The language used in the email is designed to play on these vulnerabilities.

These techniques are known as social engineering, with the attacker exploiting basic human nature to trick them into sharing information, clicking on a malicious link, or sending money. Sometimes the email includes personal information that is used to gain the recipient's confidence – like a reference to a recent vacation they took, or congratulating them on a recent promotion. This information is not hard to glean from social media. But how does the email get there in the first place?

Email Security Needs to Evolve

The problem with email is that the sender can put any “From:” address in the email header, pretending to be anybody. (There are techniques like DKIM and SPF checks that can be used to prevent this, but they’re not widely used). In the simplest case, they can pretend to be an employee at the title company, using a fake email address. Individuals won’t detect this unless they attempt to reply to this email address.

Alternately, it may be a real email account that hackers have taken control of using leaked passwords. (There are troves of leaked email addresses and passwords out there on the dark web). Most traditional email security systems focus on filtering spam, detecting malware within attachments and identifying phishing links. BEC attacks punch through all these defenses because they look like legitimate communication and contain no embedded malware. So what can security officers at organizations do to prevent this type of compromise?

Besides training your employees on effective security hygiene, this has been a difficult problem to solve – until now. Advances in Natural Language Processing (NLP) and Natural Language Understanding (NLU) have made it possible to understand both the content and context of email communication and apply deep learning algorithms to effectively detect such compromises and prevent fraud. Check out this whitepaper on Securing the Human Layer that explains how Armorblox solves the rapidly evolving security challenges to help keep your organization safe from BECs.