This article by Ryan Heidorn and EJ Whaley was originally published in Infosecurity Magazine.
In recent years, business email compromise (BEC) scams targeting the real estate industry have exploded, with a 1,110% increase in phishing-driven real estate victims between 2015 and 2017.
In 2017 alone, the total financial damage equaled nearly one billion dollars ($969 million) stolen from home buyers and agencies. In 2018, according to the FBI’s recent 2018 Internet Crime Report, the total amount of money lost due to cyber scams, specifically targeting the real estate industry, equaled $149,458,114. There’s no doubt that these numbers are staggering. So, why are cyber-criminals so heavily targeting the real estate market?
- For one, when buying a home, there’s a sense of urgency, especially in the current real estate boom.
- There’s also uncertainty. Home buying is not only complicated, but for most people it’s a life event that happens only a handful of times.
- There are many parties (lenders, brokers, insurance agents, the seller, the buyer) involved in the process, so there’s a lot of complexity. Everyone is operating under high-pressure, highly inflexible deadlines that leave them vulnerable.
- Lastly, there are high-value transactions that involve transferring big sums of money to people/institutions with no previous interactions.
IT and cybersecurity leaders from all industries can gain valuable insights on how to fortify their own security postures against advanced phishing and social engineering tactics by looking at recent attacks against realtors, agents, and homebuyers and how they unfold. Here’s how cyber-criminals build and execute targeted phishing attacks, and why they’re so successful.
Step 1: Identify a target organization
The first thing an attacker often does is perform reconnaissance, or research, to identify softer targets. This usually involves identifying the agencies, attorneys, and/or lenders working in and around areas with robust real estate markets. Some of the common factors that are taken into consideration are the number of employees, statistics on transactions or holdings (whether in dollars or volume), and public references from past or current clientele.
If available, IT and security infrastructure configurations may also be taken into consideration. Attackers will gather this information from sources like LinkedIn, public data records, and even by visiting the target organization’s website.
Step 2: Research the victim
Once a specific organization is identified, the attacker will select an individual to target at that organization. Attackers will gather intelligence on the target from public and social platforms to get a feel for the person’s interests, relationships, and communication style. Again, this target can be anyone within the transactional chain including an agent, attorney, lender, or even a developer.
Step 3: Craft the attack
After an individual target has been identified and researched, the attacker will typically send a “door knock” email to colleagues of the targeted individual. Usually this “exploratory” email is in the form of an inquiry—expressing interest in a property, requesting loan information from a broker, retaining legal services, etc. This request is usually responded to promptly, but in responding the colleague may unwittingly hand over valuable information such as, the format of the email signature used in the organization along with any logos, color schemes, or website links.
These email formats coupled with information found on the website from Step 1 are critical in crafting a believable phishing email. Once they have this information, it’s easy for the attacker to modify the signature of the sales executive to resemble that of the person they want to impersonate and reach out to their intended target identified in Step 2.
Step 4: Strike at the right time
If the attacker sends the phishing email at the end of the day, or any time after normal working hours, it’s likely that the target will be viewing it on a mobile device rather than on a computer. The mobile interface will only show the picture and name of the impersonated person sending it – and not the actual email address, which is usually a Gmail address set up by the attacker.
Since the email is coming from a consumer email service, it will pass the email authentication checks that many organizations rely on to block spam or direct brand impersonations. From this, a perfectly believable email is delivered to the target’s inbox loaded with a malicious link, fake lead form inquiry, DocuSign business service impersonation or other mechanism to steal credentials.
Step 5: Expand the attack radius
Now that an agent, lawyer, lender, or developer is compromised, cyber-criminals can make their move. They will observe communications between parties regarding on-going transactions, identify high-value deals, and get a sense of key dates. This time also gives attackers an opportunity to gauge tone, grammatical tendencies, and commonly used phrases to craft an even more compelling and urgent request for funds.
Oftentimes these messages will come from addresses designed to fool the recipient. For example, if the purchaser is working with Robin Doe from RE/MAX, the attacker might send the wire transfer request from email@example.com or something similar. Cyber-criminals will choose a critical time, such as shortly before a closing date, to email the buyer and try to get the person to wire funds.
Many buyers are already feeling a little frazzled or stressed around their real estate closing and are vulnerable. If the money does gets wired, it’s usually irrecoverable after a day or two.
Attackers rely on confusion, fear, and urgency to convince someone to authorize a wire transfer. However, if organizations institute and enforce business processes around wire transfers or data divulgence, such ploys are quickly foiled.
Consider for example, a simple requirement that wire transfers need to be confirmed by voice, not email. Such relatively simple processes, if followed diligently, take the bite out of most phishing attacks. Cyber-criminals follow this similar pattern to engineer many of the high-profile data breaches that have recently made headlines.