Real Estate Wire Scams Can Catch The Unsuspecting Homebuyer Off-Guard

If it’s going on in New York, it’s happening everywhere. Back in May, 2020, when the streets of New York were still mostly empty and legal processes were delayed, scammers were moving millions of stolen dollars through banks around the New York tri-state area. Domestic law enforcement agencies that handle more than two dozen types of crimes, including credit card frauds, ransomware attacks, and identity thefts received an average of more than 2,300 cybercrime complaints a day, about one every 37 seconds. So their personnel began looking for business email compromises, or BECs, a type of scam where hackers infiltrate corporate accounts to send fake wire requests, such as an invoice or a contract payment.

While BEC scams indiscriminately target all types of industries, over the past few years they’ve found a new kind of victim: the eager homebuyer. Bloomberg’s Natalie Wong reports that individuals and couples anxious to close on their dream home and inundated with paperwork and emails think they’re transferring their down payment to a title company or a lawyer handling the closing process. “Instead—by missing an impossibly subtle detail in an email, such as a spelling error or an extra character, indicating it’s a fake—they mistakenly wire tens or hundreds of thousands of dollars to a hacker.” And in a single moment, their entire nest egg is gone, along with the home they thought they were about to move into.

Alex, a BEC crime worker, noticed an attempted hack on a construction company in Long Island, in which thieves tried to steal $30,000 by sending fake statement claims. “By heist standards, it was a minuscule amount that most agencies wouldn’t have bothered to investigate,” says Wong. “But a newly attempted hack can reveal fresh clues that the culprit might have been left behind, potentially opening doors to other cases.”

Locating a scammer includes scouring email or internet addresses, bank accounts where the money is wired, and phone numbers, among other avenues. Wong reports that Alex did a wider database search to see if other complaints had indicators matching the $30,000 hack attempt, and found there were plenty. “It ended up leading to more than $9 million worth of stolen funds affecting 50-plus victims across different sectors, with real estate losses amounting to more than $2 million.”

The scammers usually engage in what Alex calls a shotgun approach. “They compile contact information for random players involved in any real estate transaction—lawyers, brokers, title agencies, mortgage lenders—then send mass phishing emails to this database, waiting for someone to take the bait,” he says. “In the email, the scammers might provide a link that leads to a website resembling the real estate agent or title company’s email login page. The duped individual will type out their credentials, which might lead to an error page. Most think nothing of it—perhaps it was merely an internet connection problem. They don’t realize they’ve sent their login information to the hacker, who now has access to their email and confidential company information. Critically, they are also able to track conversations about impending home sales with buyers, ultimately zeroing in on the specific deals they want to infiltrate.”

He goes on to say that that, however, is the easy part. What follows is a sophisticated type of social engineering, in which the scammers monitor correspondence about a specific transaction for months. Like a snake waiting to attack its prey and without tipping off anyone, they learn the minute details of a deal. And when they see a wire transfer is about to take place, they strike by jumping in with a fraudulent email to the buyer, pretending to give official instructions from the real estate or title agent. “Please wire your money to this bank account,” is a common request. The email can be sent from the compromised account or from a fake one that looks almost identical to that of the agent in the deal. And just like that, the unsuspecting buyer wires their life savings to a criminal.

It takes a homebuyer a few days to realize what just happened. At that point they reach out to their bank, title agency, local law enforcement, or a private cybersecurity company and are often told to file an IC3 complaint. “As soon as GIOC agents have the file, it becomes a race against time,” says Alex. Agents inform their contacts at various banks, credit unions, crypto exchanges, and other government agencies to freeze and recall the money before it’s cashed out or moved abroad, where it’s far harder to trace. And like a kidnapping that just took place, every minute that passes reduces the odds they’ll be able to recoup the stolen funds. “If we don’t get to it within about 36 hours, it’s pretty much gone,” Alex says. “These guys know how quickly we try to work, and they know they need to get the money out now.”

A word to the wise: As for homebuyers, you’re still largely on your own, as most victims did not receive warnings from their real estate agents, escrow/ title companies, or banks about the high risk of fraud. These entities are, for the most part, well-insulated from legal recourse. “Real estate firms usually have a boilerplate warning about fraud in their emails but don’t mention it otherwise,” says Wong. So before even considering responding to a request by mail to wire ANYONE money, check with your agent, bank, title company and or lender to see if it’s legit. Watch your emails where wire transfers are mentioned, and when at all possible, make the transactions in person or see that your personal lender checks out all the details. Because scams are still alive and well.

Bloomberg, TBWS