We’ve merged with C3 Integrated Solutions! Learn how our merger will accelerate your CMMC compliance Read more >>

Aerial photo of a bunch of residential houses

Why the Real Estate Industry Is a Prime Target for Hackers

Ryan Heidorn of Steel Root and EJ Whaley of email security company GreatHorn break down the anatomy of the wire fraud scams plaguing the real estate industry.

July 2, 2019

This article by Ryan Heidorn and EJ Whaley was originally published in Infosecurity Magazine.

In recent years, business email compromise (BEC) scams targeting the real estate industry have exploded, with a 1,110% increase in phishing-driven real estate victims between 2015 and 2017.

In 2017 alone, the total financial damage equaled nearly one billion dollars ($969 million) stolen from home buyers and agencies. In 2018, according to the FBI’s recent 2018 Internet Crime Report, the total amount of money lost due to cyber scams, specifically targeting the real estate industry, equaled $149,458,114. There’s no doubt that these numbers are staggering. So, why are cyber-criminals so heavily targeting the real estate market?

  • For one, when buying a home, there’s a sense of urgency, especially in the current real estate boom.
  • There’s also uncertainty. Home buying is not only complicated, but for most people it’s a life event that happens only a handful of times.
  • There are many parties (lenders, brokers, insurance agents, the seller, the buyer) involved in the process, so there’s a lot of complexity. Everyone is operating under high-pressure, highly inflexible deadlines that leave them vulnerable.
  • Lastly, there are high-value transactions that involve transferring big sums of money to people/institutions with no previous interactions.

IT and cybersecurity leaders from all industries can gain valuable insights on how to fortify their own security postures against advanced phishing and social engineering tactics by looking at recent attacks against realtors, agents, and homebuyers and how they unfold. Here’s how cyber-criminals build and execute targeted phishing attacks, and why they’re so successful.

Step 1: Identify a target organization
The first thing an attacker often does is perform reconnaissance, or research, to identify softer targets. This usually involves identifying the agencies, attorneys, and/or lenders working in and around areas with robust real estate markets. Some of the common factors that are taken into consideration are the number of employees, statistics on transactions or holdings (whether in dollars or volume), and public references from past or current clientele.

If available, IT and security infrastructure configurations may also be taken into consideration. Attackers will gather this information from sources like LinkedIn, public data records, and even by visiting the target organization’s website.

Step 2: Research the victim
Once a specific organization is identified, the attacker will select an individual to target at that organization. Attackers will gather intelligence on the target from public and social platforms to get a feel for the person’s interests, relationships, and communication style. Again, this target can be anyone within the transactional chain including an agent, attorney, lender, or even a developer.

Step 3: Craft the attack
After an individual target has been identified and researched, the attacker will typically send a “door knock” email to colleagues of the targeted individual. Usually this “exploratory” email is in the form of an inquiry—expressing interest in a property, requesting loan information from a broker, retaining legal services, etc. This request is usually responded to promptly, but in responding the colleague may unwittingly hand over valuable information such as, the format of the email signature used in the organization along with any logos, color schemes, or website links.

These email formats coupled with information found on the website from Step 1 are critical in crafting a believable phishing email. Once they have this information, it’s easy for the attacker to modify the signature of the sales executive to resemble that of the person they want to impersonate and reach out to their intended target identified in Step 2.

Step 4: Strike at the right time
If the attacker sends the phishing email at the end of the day, or any time after normal working hours, it’s likely that the target will be viewing it on a mobile device rather than on a computer. The mobile interface will only show the picture and name of the impersonated person sending it – and not the actual email address, which is usually a Gmail address set up by the attacker.

Since the email is coming from a consumer email service, it will pass the email authentication checks that many organizations rely on to block spam or direct brand impersonations. From this, a perfectly believable email is delivered to the target’s inbox loaded with a malicious link, fake lead form inquiry, DocuSign business service impersonation or other mechanism to steal credentials.

Step 5: Expand the attack radius
Now that an agent, lawyer, lender, or developer is compromised, cyber-criminals can make their move. They will observe communications between parties regarding on-going transactions, identify high-value deals, and get a sense of key dates. This time also gives attackers an opportunity to gauge tone, grammatical tendencies, and commonly used phrases to craft an even more compelling and urgent request for funds.

Oftentimes these messages will come from addresses designed to fool the recipient. For example, if the purchaser is working with Robin Doe from RE/MAX, the attacker might send the wire transfer request from robindoe.remax@gmail.com or something similar. Cyber-criminals will choose a critical time, such as shortly before a closing date, to email the buyer and try to get the person to wire funds.

Many buyers are already feeling a little frazzled or stressed around their real estate closing and are vulnerable. If the money does gets wired, it’s usually irrecoverable after a day or two.

Attackers rely on confusion, fear, and urgency to convince someone to authorize a wire transfer. However, if organizations institute and enforce business processes around wire transfers or data divulgence, such ploys are quickly foiled.

Consider for example, a simple requirement that wire transfers need to be confirmed by voice, not email. Such relatively simple processes, if followed diligently, take the bite out of most phishing attacks. Cyber-criminals follow this similar pattern to engineer many of the high-profile data breaches that have recently made headlines.

Related Articles

C3 and Steel Root company logos

C3 Integrated Solutions and Steel Root Merge to Help the Defense Industrial Base (DIB) Manage Technology, Security, and CMMC Compliance

November 16, 2022

Industry veteran Marc Pantoni joins as CEO; new capital investment from M/C Partners enables combined entity to further develop and expand its platform approach to CMMC-focused managed services for the...

Learn More
Team Portrait of Steel Root Partners 2022

From Our Founders: The Evolution of Steel Root

November 16, 2022

When we started Steel Root in 2016, the problem of cybersecurity was already front and center for businesses of all sizes. Our mission was simple: help businesses implement IT and...

Learn More
Steel Root logo surrounded by red sunburst graphic

Latest release of our CMMC Reference Architecture is here!

September 21, 2022

Semi-annual update to Steel Root's managed compliance offering includes security and usability improvements, enhanced administrative controls, and updates to compliance implementations to help customers prepare for CMMC.

Learn More
Photo of a desk with a laptop computer, open journal with a pen, and a computer mouse on a leather mouse pad.

Be a Security Champion for your Organization

May 18, 2020

Taylor Hall shares tips to help you carry the banner of digital security for your company.

Learn More
Photo of a business storefront with a sign that says Gibson Sotheby's International Realty

Real Estate: Fighting Wire Fraud and Improving IT

October 24, 2018

Learn how one of Boston’s top luxury real estate firms took steps to protect its business, agents, and clients against scams and onsite technology downtime.

Learn More
Open padlock emblazoned with the word Equifax

Equifax Hack: How to Secure Your Credit

September 12, 2017

Advice on how consumers should respond to the massive Equifax breach that exposed the personal information of hundreds of millions of Americans.

Learn More