Do Email Scammers “Stay Home” During COVID-19?
April 23, 2020
In a recent press release, the FBI announced that they anticipate a rise in business email compromise schemes related to the pandemic. Unfortunately for us, bad guys don’t take time off…even during a national crisis.
Business email compromise (BEC) can take many different forms, but the punchline is that the fraudsters try to gain access through your email to passwords, accounts, and other personal information. As it applies to the real estate industry, wire fraud accounted for roughly 1.8 billion in losses in 2019.
The more “high profile” examples of fraud come in a variety pack. Here are the most common according to the FBI:
Business E-Mail Compromise (BEC): A sophisticated scam targeting businesses working with foreign suppliers and companies that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
Data Breach: A leak or spill of data which is released from a secure location to an untrusted environment. Data breaches can occur at the personal and corporate levels and involve sensitive, protected, or confidential information that is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.
Denial of Service: An interruption of an authorized user’s access to any system or network, typically one caused with malicious intent.
E-mail Account Compromise (EAC): Similar to BEC, this scam targets the general public and professionals associated with, but not limited to, financial and lending institutions, real estate companies, and law firms. Perpetrators of EAC use compromised e-mails to request payments to fraudulent locations.
Malware/Scareware: Malicious software that is intended to damage or disable computers and computer systems. Sometimes scare tactics are used by the perpetrators to solicit funds from victims.
Phishing/Spoofing: Both terms deal with forged or faked electronic documents. Spoofing generally refers to the dissemination of e-mail which is forged to appear as though it was sent by someone other than the actual source. Phishing, also referred to as vishing, smishing, or pharming, is often used in conjunction with a spoofed e-mail. It is the act of sending an e-mail falsely claiming to be an established legitimate business in an attempt to deceive the unsuspecting recipient into divulging personal, sensitive information such as passwords, credit card numbers, and bank account information after directing the user to visit a specified website. The website, however, is not genuine and was set up only as an attempt to steal the user’s information.
Ransomware: A form of malware targeting both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and/or systems. Ransomware is frequently delivered through spear phishing emails to end users, resulting in the rapid encryption of sensitive files on a corporate network. When the victim organization determines they are no longer able to access their data, the cyber perpetrator demands the payment of a ransom, typically in virtual currency such as Bitcoin, at which time the actor will purportedly provide an avenue to the victim to regain access to their data.
Being a victim doesn’t just hurt you!
As a real estate agent, falling victim to an email scheme doesn’t just affect you. You also have a responsibility to protect your clients. In many cases of wire fraud, the scheme is initiated from an agent’s compromised inbox. The bad guys lurk for days, weeks, months or longer just waiting for signs that a closing is about to occur. When the title company or lender emails about closing details, the time is right to social engineer faulty wire instructions to send out to your client with details they picked up from your hacked account…yikes!
The effects of falling victim to wire fraud may be profound and life-altering, as Aaron Cole and his family unfortunately discovered.
Wire Fraud Warning – WFG National Title from WFG National Title on Vimeo.
So, what can you do?
On a positive note, protecting yourself and thereby protecting your clients is a tactic that may be leveraged to your advantage. Explaining to your potential clients about what you do to protect their most sensitive information is just as important as explaining your marketing plan.
Protecting yourself from being hacked just takes a little common sense and the proper amount of skepticism when scrolling through your inbox.
- Be skeptical of any changes to wiring instructions or recipient account information. You should always caution your clients to verify wire instructions with their title company over the phone and using a verified phone number from their website.
- Check that the URL in emails is associated with the business it claims to be from. Simply hovering your mouse over the URL will tell you the destination.
- Check for misspellings in copy and hyperlinks. I don’t know why bad guys haven’t considered taking a copywriting class.
- Verify the email address of the sender. Bad guys are good at changing a character or two when social engineering email addresses.
In addition to the tips above, you can further protect yourself by using apps and online services that leverage two-factor authentication, biometric or PIN-based logins. If the services you use don’t, consider looking elsewhere. Password managers such as Dashlane, LastPass and 1Password are also good choices for creating ridiculously hard-to-crack passwords that don’t require you to remember them each time you log in.
Don’t trust your own discerning eye?
Lucky for you, there’s now a service that is helping real estate agents, lenders and title companies better protect themselves against the threat of scams. WESTprotect 411 is a service that simply allows you to forward a suspicious email along with any accompanying attachments to one of their security professionals. They will do the clicking for you and report back on whether the email is safe or compromised. It’s kind of like having your own info security team without all the fuss of extra desk space.