Real Estate Wire Transfer Scams

Earlier this month, the NJCCIC reported on an aggressive phishing campaign targeting several New Jersey State agencies that regularly communicate with law firms. Aside from law firms, other parties involved in real estate transactions—including agents, title agencies, and buyers—are still at risk of being targeted. Unlike generic phishing scams, business email compromise (BEC) phishing scams are a highly targeted form of social engineering, often incorporating preliminary reconnaissance on potential victims and using a variety of impersonation techniques to pose as someone the target should trust. The NJCCIC continues to receive reports of real estate scams, specifically wire transfer scams, impacting law firms and buyers. According to the FBI’s 2022 Business Email Compromise and Real Estate Wire Fraud report, the Internet Crime Complaint Center (IC3) received BEC-related complaints with claimed losses exceeding $2.4 billion in 2021 compared to $360 million in 2016. Threat actors are likely to change tactics and increase their targeting as spring approaches. 

Like any business or organization, real estate businesses, such as law firms, market their services on websites and social media platforms to attract clients. Unfortunately, threat actors also take notice. Threat actors can perform reconnaissance and search for and weaponize this publicly disclosed data, including history, bios, photos, email addresses, client lists, reviews and testimonials, and branding. They use a variety of impersonation techniques, including email spoofing and look-alike domains, to convince their target that they are known and trusted sources, such as attorneys and paralegals. To make email messages appear more legitimate and believable, they spoof the trusted source’s name or email address and send requests for information or financial requests associated with a specific transaction to buyers. These requests typically instruct the buyer to perform a wire transfer and transfer the closing costs to an account under the threat actor’s control. The attorney’s signature in the spoofed email may contain information obtained from the law firm’s website or social media platform. The subject and body of these emails often portray a sense of urgency in an attempt to have targets provide sensitive information or immediately wire money before they have an opportunity to fully review the email’s content and question its legitimacy. Red flags to look for include poor spelling or grammar, the appearance it was sent via a mobile device, and the sender identifying themselves in a nontypical way, such as using full names or their first name when they prefer their middle name. If successful, funds are transferred to the threat actors before the fraud scheme is detected.

Threat actors also target and gain unauthorized access to legitimate email accounts of attorneys, paralegals, real estate agents, title agency representatives, or homebuyers by using compromised account credentials. They send spearphishing emails with links to spoofed webpages requesting user account credentials that, if entered, are sent to the threat actors. The stolen credentials are used to access the email account to peruse previous conversation threads and send convincing emails on the victim’s behalf. 

Compromised email accounts contain a wealth of information, including historical records of email conversation threads containing personally identifiable information (PII) and various forms of identification (e.g., driver’s license, Social Security number, passport, birth certificate, property tax bill, bank statement, paycheck with name, W-2s, auto insurance card, and employee ID). Additional real estate information includes legal documentation, wire transfer information, parties involved (including attorneys, real estate agents, brokers, title companies, escrow services, and third-party vendors), settlement statements, closing disclosures, and preclosing transactions. One part or a combination of this information can be used to commit further malicious activity, such as identity theft and fraud.

The US Secret Service and CertifID released an advisory highlighting a sharp increase in impersonation scams and wire fraud associated with vacant and unencumbered properties. Threat actors search public records to identify real estate free of mortgages and liens, impersonate real property owners, seek to sell the property under market value for cash quickly, and make excuses to conduct the entire transaction virtually before the real owner finds out through the lender. The Virginia Department of Professional and Occupational Regulation also issued a similar warning to real estate brokers about a rise in fraudulent real estate scams in Virginia and neighboring states. Additionally, threat actors are engaging in fraudulent schemes by setting up fraudulent companies that resell timeshare properties and send unsolicited offers of timeshare property sales to brokers via postal mail or phone call.

Recommendations

The NJCCIC highly recommends those involved in real estate transactions educate themselves and others on these malicious tactics and remain vigilant during and immediately after the closing process. Exercise extreme caution with any emails or other communications requesting the recipient click a link, open an attachment, divulge sensitive data, or wire funds. Any email requests should be confirmed via a separate means of communication, such as over the phone. Users are highly encouraged to enable multi-factor authentication (MFA) on all accounts that offer it. Additionally, real estate businesses, including real estate attorneys and title agencies, are advised to implement new policies aimed at preventing fraudulent wire transfers and other scams. For example, forbid the sharing of wire transfer account information via email and instead utilize video chat applications, phone calls from trusted numbers, or in-person meetings. Additionally, buyers should never trust email as the sole source of instruction for wiring money related to these transactions and instead receive confirmation of these details in person or over the phone. Furthermore, use digital escrow services to safeguard the interests of real estate buyers and sellers.

If you unintentionally wire money to a fraudulent account, immediately notify your supervisor, banking institution, the FBI, and the US Secret Service so they may attempt to stop the wire transfer. Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds. The NJCCIC also encourages users to view the publication, Don’t Be Fooled: Ways to Prevent BEC Victimization, for additional tips and information about BEC campaigns and how to reduce victimization. If your PII has been compromised, please review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.

Organizations are advised to implement filters at the email gateway to identify and block emails using known phishing tactics and those from suspicious IPs, create an email gateway rule to flag communications in which the “reply” email address is different from the “from” email address, and identify emails that come from external sources outside their network by marking them with an “external email” tag in the subject and body since these emails should be given additional scrutiny. Furthermore, create a policy and procedure to identify and report BEC emails, including periodic employee awareness training; establish policies and procedures that require any requests for highly sensitive information or large financial transactions be authorized and approved by multiple individuals via a secondary means of communication beyond email; and implement Domain-Based Message Authentication, Reporting, and Conformance (DMARC) to reduce the risk of email spoofing.