In the bustling world of real estate, where transactions, communications, and operations are primarily conducted online, the protection of financial security has never been more critical. A couple of weeks ago we got to chat with Secret Service Agent, Stephen Dougherty, about the threats against us and actions we can take to protect ourselves and our clients. Here are our key takeaways from our conversation:
The U.S. Secret Service (USSS), primarily known for its protective missions (Stephen mentioned the ones like you see in the movies with big action scenes), but at its inception the USSS was created for the security of the economic structure of the U.S. in 1865.
Initially the USSS was established to combat the rampant counterfeit currency problem – a staggering 75% at the time. The USSS’s mission evolved and by 1902, protective duties were included.
At the dawn of the digital age in the late 20th century, their focus also extended to the realm of cyber threats. The Global Investigative Operations Center (GIOC) epitomizes this evolution, serving as the nexus for tackling large-scale and multi-jurisdictional cyber investigations, including those affecting the real estate industry.
1. Understanding Business Email Compromise (BEC) in Real Estate
BEC stands out as a menacing cyber threat, with real estate transactions being prime targets. The modus operandi? Intercepting and weaponizing crucial financial documents, such as HUD statements meant for property purchases. The ripple effect is vast:
- Disrupted property sales
- Homebuyers losing their dream homes
- Real estate firms facing reputational damages and financial losses
- Overall diminished trust in digital real estate transactions
- This menace has spiraled to such an extent that from global real estate conglomerates to individual homeowners and brokers, everyone is vulnerable. Over the last six years, these cyber onslaughts have siphoned over 100 billion dollars from the global economy.
2. BEC typically unfolds in the following manner:
- Regular Email Correspondence: The attacker monitors regular email exchanges related to property sales or leases.
- Interception: Gaining unauthorized access to an agent’s or buyer’s email, the criminal observes transaction details.
- Domain Spoofing: They emulate a legitimate entity, perhaps a title company or realty agency.
- Spoofed Email: Using the details, they convince victims to divert fund transfers, often disguising it as a ‘new’ down payment instruction.
- Successful Transaction: The unsuspecting party, believing the communication is genuine, sends funds to the criminal’s account.
Beware: These fraudsters have mastered the art of timing, often striking during the peak of summer when many are on vacation or the holiday season when they know people are paying less attention or are even out of office. They can see and are aware of out-of-office vacation notifications.
3. BEC Attack Tactics to Be Aware of:
Addition of @gmail.com, @yahoo.com
Display Name masking & google dot matrix
- Email service providers allow a display name to replace actual email address
- firstname.lastname@example.org reverts back to email@example.com because the period isn’t recognized
Spoofed email address
- firstname.lastname@example.org vs email@example.com (the R and N look like the M in Mike)
- Lincoln@email.com vs. lincoln@emailcome (2nd one has capital i, but looks like L)
Changed/spoofed domain names
- www.secreworld.com vs www.securevvorld.com (the 2nd has two V’s making it look like a W)
Full email account takeover and VPN access through hacking
And with the advent of AI, the challenges only seem to be amplifying…
4. Emerging Trends in Cyber Fraud
Real estate, a traditionally brick-and-mortar industry, has been briskly navigating the digital transition. But with this metamorphosis come emerging threats. Today’s world of real estate cyber fraud is akin to an ongoing blockbuster thriller, rife with dramatic twists, high-tech gadgetry, and cunning villains. Here’s a sneak peek into the latest episodes:
Crypto Scams: The rise in cryptocurrency usage is not all roses. Criminals exploit it, especially for ‘hopping’ (direct, second hop, third hop) to launder funds, leaving only digital footprints.
The Exploitation Surge: Buyer’s closing funds aren’t the sole target anymore. Fraudsters will make the most of a situation and go after seller net proceeds, real estate commissions, and whatever else they can find.
The ‘Pig Butchering’ Scam: An unsettling name, and the scam is just as sinister. With the allure of cryptocurrency investments, many are drawn into scams where they can lose their life savings.
Phishing 2.0: Gone are the days of glaringly obvious phishing attempts. Today’s cybercriminals use sophisticated websites, armed with AI, ensuring they slip through the most stringent of filters.
Deepfakes & AI: It’s not all sci-fi anymore. Criminals now employ Deepfakes, AI, and Machine Learning to impersonate sellers, peddling lands they don’t own. Imagine a voice filter that can specifically mimic an elderly woman with emphysema as USSS Agent Stephen Dougherty once saw in a case – that’s the unnerving reality.
Phishing Kits – DIY Cybercrime: No tech background? No problem! With ‘Phishing as a Service’, one can simply buy a kit to start scams for as low as $50.
Indiscriminate Targets: If money is involved, consider it at risk. Every industry, every transaction, is fair game. It’s a matter of when, not if.
ChatGPT and other Open AI Platforms: This AI tool generate crafty attack emails and other iterations created since can bypassing the security barriers ChatGPT has.
Spoofcard & Simswap: Criminals can hijack your phone number and shut down your ability to use your own phone line.
Deepfake Voice Cloning: With just three seconds of audio (that can be taken from a voicemail, an online video, a phone call), one’s voice can be replicated, leading to unthinkable scams where you might think a family member, friend, or co-worker is calling you in need.
Phone Snatching Syndicates: While not yet as widespread in the U.S., the trend is unsettling. In a span of mere hours thieves can steal your phone, hack into apps, and drain your bank accounts.
5. Roadmap to mitigating Incidents
Swift action can salvage a compromised transaction. Immediate steps include:
- Contact the victim’s bank immediately – TIME IS MONEY – they have the ability to take swift actions like reverse wire or freeze the account
- Move communications to out of band or alternate comms (get out of email and pick up the phone)
- Contact U.S. Secret Service
- Call local Secret Service Field Office https://www.secretservice.gov/contact/field-offices
- If the local field office isn’t able to take quick action you can contact the GIOC BEC Mission Desk BECDesk.firstname.lastname@example.org
- File IC3.gov complain www.ic3.gov & FTC Consumer Sentinel Complaint www.ftc.gov – tracks investigation and gets FBI involved
- Consult with internal or 3rd party IT services to locate and mitigate compromises
- Make vendor/client/3rd party notification if needed
So what Action Can We Take NOW?
Increase Vigilance: Always cross-check online communications, especially those involving financial transactions.
Team Training: Keep your team updated on the latest cyber fraud methodologies.
Inform Your Clients: Integrate cyber threat precautions into your buyer and seller packets, discuss during meetings, and always reaffirm the protocols during key transaction milestones.
Have a Response Strategy: Should things go awry, a well-outlined plan can significantly minimize damage.
Prioritize Security: Ensure all accounts have strong, unique passwords. Regularly update and review security protocols.
Cyber fraud is set to cast an even larger shadow in 2023, specifically over the real estate sector. To thwart this, agents, brokers, and clients alike must amp up their vigilance and training. Establishing a practiced incident response plan and leveraging resources like the U.S. Secret Service can be pivotal. In the age of rapid digitalization, sometimes going analog by picking up the phone to verify can be the best defense.