“Business Email Compromise” Attacks – What they are and how you can avoid them

business meeting table with woman typing email on laptop

Business Email Compromise (BEC) attacks are on the rise around the world, and every industry is affected. The FBI’s Internet Crime Complaint Centre (IC3) estimates that more than $26 billion has been lost from BEC fraud over the past three years. But, increasingly, the real estate industry is becoming a high-value target. BEC attacks involving real estate transactions soared by more than 1000% between 2015 and 2017 alone. 

What are BEC attacks? 

These attacks are sophisticated phishing scams, which typically involve the impersonation of CEOs, senior figures within organizations, real estate brokers or other parties to real estate transactions. Email accounts are compromised, and businesses or individuals are directed to transfer funds to an account. Those involved are usually in the midst of a transaction for a property or some other pending deal, and so they think they’re making a legitimate transaction. 

Imagine this scenario: You’re ready to close and a scammer impersonates you via email to redirect the buyers to send their deposit to an offshore account. The buyer’s deposit is lost, never to be recovered. The property deal is off because the seller didn’t get the deposit, and the buyer is royally angry that their hard-earned dollars have gone offshore instead of toward their dream home. 

Scammers are targeting individuals involved in pending property transactions, because the stakes are so high. With down payments upwards of 10-20% for properties, these criminals can hit the jackpot even if a small number of their scams work. 

According to the FBI, bank accounts in China and Hong Kong are the main destinations for fraudulently-obtained funds; however, there’s also been an increase in accounts tracking back to Mexico, Turkey and the UK. Law enforcement has linked some BEC scams to international organized criminal groups. 

Variations on the Typical BEC Attack

Rerouting of deposits or payments for properties isn’t the only method of Business Email Compromise attacks. The FBI has reported cases of the compromise of legitimate business email accounts, where personal information, wage and tax statements are requested. Hackers then send the HR or Payroll staff a request to vary the employee’s bank account using the employee’s email, which results in wages funneled into a fraudulent account, instead of the employee’s own account. 

Real-Life Cases

Scammers are finding new and innovative ways to take advantage of others for criminal and personal gain. There have been cases reported in the US where buyers have lost their entire life savings through Business Email Compromise attacks. 

CNBC reported a case in early October where a son won an auction for a house in Texas for his elderly parents. However, just prior to closing, a scammer sent an email to the son pretending to be his real estate agent. The email contained changes to the wiring instructions. Thinking the instructions came directly from his agent, he promptly sent the funds to the new bank details. It wasn’t until closing day that the title company called to  follow up on payment, and then it was clear that the family had been a victim of a BEC attack. 

There was a similar case in Washington D.C., where a couple received a message from their title company to transfer funds of over $1 million ahead of their home purchase. The couple sadly found out a month later that the instructions were not from their title company. The subsequent investigation found that a hacker had taken over the title server’s emails. 

How Every Agent and Broker Can Protect Against Business Email Compromise Attacks 

Business Email Compromise attacks can cause devastating financial losses, and you can suffer reputational damage that may never be recoverable. Are your emails and systems safe? 

Here are some tips for all agents and brokers to follow:

  • Never conduct business over public Wi-Fi.  Always use a VPN.
  • Never click on an attachment from anyone you don’t know — even if it looks like another agent or broker. Verify that the person is an agent or broker by researching them online, and then call the phone number you find online to confirm the individual contacted you.
  • Be very clear with your clients about how you will communicate and how the transfer of funds will occur. Provide written wire instructions on a physical piece of paper whenever possible. Advise the client how any unforeseen changes to the settlement plans would be communicated. Plan to call the client if wire instructions change. This can help to prevent a catastrophe if a BEC hacker does make it through your IT security systems and sends a fraudulent email to a client. 

Insurance Protection for Real Estate Brokers and Agents

The cost of having inadequate protective measures is significant. Sixty percent of small businesses are forced to close within six months of a cyber attack. But you can avoid financial setbacks arising from a BEC attack if you have the right insurance. 

Your CRES E&O + ClaimPrevent® policy can include Cyber Liability Coverage. Real Estate offices can also add Business Owner’s Policy to include general liability, buildings and property coverage, loss of business income, and more. Contact CRES at 800-880-2747 for a confidential discussion. We can review your insurance needs and tailor a solution to suit your real estate business.

This blog/website is made available by CRES Insurance Services for educational purposes to give you general information and understanding of legal risks and insurance options, not to provide specific legal advice. This blog/website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Claims examples are for illustrative purposes only. Read your policy for a complete description of what is covered and excluded.

Originally Published November 26, 2019

Category: ,

Colorado Realtors®: it's time to renew your E&O policy. CRES Real Estate E&O FAR EXCEEDS the coverage of the group… https://t.co/vl5H04831b Property damage, injury and theft are just 3 risks if Realtors® allow unescorted access to a listing. Learn risk mi… https://t.co/429zNfjTu9