Recently, CNBC reported on phishing scams in real estate, following up with an interview of PhishMe® CEO and Co-founder Rohyt Belani. Real estate is a bullseye for enterprising phishers. Often, the scammer is attempting wire fraud, trying to induce someone to make an electronic transfer of funds.
Beware emails asking for money, even if you “know” the sender.
Here’s an example reported by nbcwashington.com, where an unwitting couple buying a home in the pricey Washington, D.C., market lost $1.5 million.
Late last summer, the couple put down $200,000 on their dream home. They were waiting to go to closing when they got an email that seemed to come from their title company. They replied and in turn got a seemingly-legitimate response; so, they wired the balance of $1.5 million to the bank. But when they went to closing, they learned they had been fleeced.
Someone appears to have hacked into the title company’s computer servers and sent the bogus emails. To repeat: the emails did in fact come from the title company’s email account–just not an authorized sender, which had been compromised.
One realtor commenting online said, “When a buyer and seller indicate they do not want to go to closing, increasing the necessity to wire, or a buyer and seller desire a wire as opposed to a check, the average real estate agent does nothing to discourage wires. Wires are demanded and demanded quickly and at once.”
This tracks with the “emotional motivators” scammers normally use to trigger responses. The top emotions they play on: urgency and fear.
We’ll say it again: never wire money in response to an email. Pay attention to what you’re feeling as you read email messages—if you notice pangs of fear or panic, that’s a signal to report the email as a potential phish.
And as one mortgage expert interviewed by nbcwashington.com said, call the sender to validate any request for funds, but don’t use the phone number on the email—look it up yourself.
It happens all the time.
The duped couple’s story is just one sad example. On 9/14 there was an email credential phish that started with a message saying simply “FYI” in the subject and “fyi” in the body, but it included a full signature block of a general manager of a large Cleveland condo building.
The link in the message was realtor[.]updog[.]co, and it led to a webmail phishing page (spoofing Dropbox, Microsoft, AOL, Gmail, Yahoo); it’s another instance of threat actors working their way into the middle of transactions by gaining control of email accounts.
The National Association of Realtors is itself often spoofed in what we call “generic email” phishing pages. The well-worn ruse: you receive a message telling you to log in to view a great list of hot properties—like this page, recorded in April 2016:
In March, PhishMe recorded a phishing page that seeks to steal the credentials of real-estate professionals.
This was the landing page:
After the realtor gave up his or her login credentials, this phishing attack had a second step to steal the Gmail password:
The above message then automatically loaded the following screen:
And when the victim clicked on the “Log-in Here to View Document” button, they got this pop-up for collecting whatever email account password the victim entered:
There’s too much at stake to be careless.
Along with spear phishing and ransomware, BEC is among the most effective forms of phishing. While few consumer transactions are as large as you see in business, home buying is an exception—it’s often the biggest purchase people make in their lives, especially in a high-dollar market like D.C.
When you’re paying six- or seven-figure sums for anything, especially a home that embodies your dreams, it pays to pay attention. You’ve got too much to lose. And undeserving criminals stand way too much to gain.
Don’t ever miss another phishing threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, delivered straight to your inbox free of charge.