How Cybercriminals Use Email Spoofing to Commit Wire Fraud

We all know to be wary of the email from the Nigerian Prince promising us a hefty payout if we help him with a favor. That kind of email scam is obvious. Yet today, most cybercriminals are far more sophisticated than that when targeting individuals who are moving lots of money on a daily basis.

Wire fraud scams succeed because consumers and real estate professionals alike are duped by a carefully spoofed email. Emails are not inherently secure. In fact, core email protocols provide no authentication mechanism, and it’s common for a phishing email to have a forged sender address. So, what looks like an innocent email from your Realtor or title agent is actually a spoofed email with fake wiring instructions.

Email spoofing is a multi-faceted tactic used by cybercriminals that leads to Business Email Compromise (BEC). Here’s how email spoofing works and how you can stop it.

Business Email Compromise

Business email compromise can take shape a variety of ways, but some of the common elements include targeting specific employees of a company with access to the company’s finances, posing as a trusted partner or authority figure, and tricking them into sending funds or downloading malware.

The malware may be used to further spy on email communications or it may be a type of ransomware that prevents the user from accessing their system and data until payment is made to regain access.

Nowadays, most title and real estate professionals are well aware of the common scams implemented by cybercriminals. Because title companies have enacted stricter wire transfer protocols among their staff to avoid payoff fraud scams, homebuyers and sellers are an attractive alternative target. The down payment stolen from the consumer may not be as lucrative as the payoff from the title company to the bank, but there are usually less barriers to stealing the average down payment of about $14,000.

The typical Business Email Compromise Scam has the following steps:

1. Identify Target
2. Email spoofing/phishing and social engineering
3. Target takes the bait
4. Funds are transferred into cybercriminal’s account

Once the funds are transferred into the wrong account, it’s usually transferred into other accounts outside of the country in a matter of hours. Even if the FBI is alerted promptly, it’s difficult to retrieve the funds, so the best way to avoid becoming a victim is to know what a successful wire fraud scam looks like.

Step 1: Identify Target

LinkedIn is a great place to build business connections, but it’s also the perfect place for cybercriminals to do their preliminary research on a Realtor or title agent. They want to leverage your connections and reputation to scam other professionals or consumers. Realtors are an especially great target for impersonation since so much of their business information is readily available online.

After doing some quick research on you and your company, a hacker can alter to the “Mail from:” part of an email to look like it’s your friendly neighborhood Realtor, a title agent, or your direct supervisor. By default, email service providers don’t check if the sending system is authorized to send on behalf of that address. These emails might contain fake instructions for wiring money into a cybercriminal’s account or a link to download malicious software onto your work computer.

A hacker only needs one person in the company to click on a fraudulent link to access your entire network. If your company isn’t conducting regular phishing attempt tests or penetration tests to confirm you have adequate staff training and technological defenses in place, you could be compromised without even knowing it.

Even if a hacker gains access to your internal system and sends fake wiring instructions to one of your title agents, best practices like calling to verify may stop the wire fraud scam in its tracks. Unfortunately, monitoring your communications means the hackers can easily pivot to another victim that is less educated. Since most homebuyers are unaware of the threat of wire fraud, they’re far more likely to send funds without calling.

Step 2: Grooming the target

Once a target or targets have been identified, techniques like spear-phishing, social engineering, identity theft, email spoofing, and attachments with malware are used. The grooming can take days or even weeks to gain the trust of the target and strike at the most opportune time in the real estate transaction.

Email spoofing is creating an email message with a forged sender address. This is because the communication protocol used by email servers called Simple Mail Transfer Protocol (SMTP) doesn’t involve authentication. As a result, phishing emails use this type of spoofing to mislead the recipient about the origins of the message. Social engineering is then used to emotionally manipulate the recipient into volunteering more sensitive information like passwords, download attachments with malware, or sending funds into a criminal’s account.

There are three common methods to spoof an email:

1. Forging the contact name and email address visible to the recipient
2. Setting up a valid email address with a name of someone in your organization
3. Creating a new email address that looks similar to the real one

In the first method, a contact’s name and email may be spoofed like this:

John.Smith <John.Smith@besttitle.com>

There are two “senders” of an email. The first is called the “envelope sender” and the other is known as the “From:” header, which is usually automatically displayed by the email client like Google or Microsoft Outlook. It’s this header that cybercriminals can forge and trick email clients into displaying a name and email address of a known business associate.

You or your IT staff can make changes to your email service setting to block these forged emails from reaching the inboxes of your employees. This is done by adding an SPF, DKIM, and DMARC DNS records to your company’s domain name.

The other method involves using the contact’s name but not the email address like so:

John Smith <john.smith34253@gmail.com>

In this example, the email is coming from a valid address the cybercriminal has registered using the same name as an executive from your company. Since this isn’t a forged email address, the SPF/DKIM/DMARC records won’t block these phishing emails.

This means your employees must be vigilant in detecting this technique. To make matters worse, many email server clients only display the sender’s name by default and not the email address, especially when viewing on a mobile device.

Similarly, in the third method, a cybercriminal creates a valid email address meant to look like the real one with one small detail changed. For instance, johnsmith@besttitle.com becomes johnsmith@bestitle.com.

The email address is off by only one letter.

Again, the filters set up to block a forged email address won’t work on this phishing attempt. Be sure to train your employees on how to identify deceptive emails. Both Office 365 and G Suite can be formatted to help detect display name spoofing by providing alerts like the ones below.

Gmail

Outlook

Here is more information on setting up these security measures in Gmail and Outlook.

Step 3: Target takes the bait

Despite best efforts, security measures and the best-trained staff may still be fooled. If the cybercriminals have been keeping a close eye on the real estate deals you have pending for some time via email communications, they’ll know enough about the vendors, Realtors, lenders you work with as well as their style of communication and travel schedule.

The target receives a legitimate-looking email confirming the wiring instructions to a new bank account or they may send the target to a spoofed banking portal to download falsified payoff statements. The cybercriminals may even call the title agent with a spoofed phone number, posing as the recipient of the funds to confirm the fake wiring instructions.

Step 4: Funds are wired into cybercriminal’s account

Once the funds are sent into the account, they can be nearly impossible to recover. With the help of money mules across the world, the money is quickly transferred into other accounts.

While the FBI is taking BEC seriously and doing what they can to identify and dismantle criminal syndicates, their scams are elaborate and quickly executed. Minutes matter when you’re the victim of a wire fraud scam.

For homebuyers and sellers, contact your title agent immediately for help. The next steps will include contacting the bank to initiate a “SWIFT recall” on the transfer, filing a complaint with the FBI’s Internet Crime Complaint Center (IC3), and contacting all other banks that may have received subsequent transfers of your funds. You’ll also want to contact local authorities to file a police report.

Finally, real estate professionals will want to review if there are any breaches within their network.

To learn more about improving your title company’s security and preventing wire fraud, check out CertifID’s complete guide to understanding and preventing real estate wire fraud.

How to stop wire fraud with better email security

Since email is the source of wire fraud scams, everyone involved in a real estate transaction should be aware of how email is used by cybercriminals.

As a title or real estate professional, be sure you are following these suggestions to tighten your email security. Some of these can also be used by consumers too:

1. Do a Security Checkup

• Add or update your account recovery options
• Turn on 2-Step Verification on all your accounts, including social media
• Be careful about what apps you allow access to sensitive information
• Use a VPN if you do business over public Wi-Fi
• Turn on screen locks on all your devices

2. Update software

• Your browser, operating system, and apps should always be updated. Updates help patch security flaws. These are software vulnerabilities that hackers will target with code packaged into malware.

3. Use unique and strong passwords

• Use a password manager that will generate a unique password for each account
• Turn on Password Alert if you’re using Google Chrome to know if a site is impersonating Google.

4. Avoid installing unknown apps

• Remove any apps or browser extensions that aren’t essential to your work

5. Be suspicious of all communications

• Hackers use emails, text messages, Facebook and LinkedIn messages, spoofed phone calls, and website portals from trusted institutions and professionals.
• Check if the email address and sender name match

6. Back up old emails

• If you need to store old emails for auditing purposes, consider storing them in an external hard drive or using a document management software with built-in security

7. Check with your email provider to find your security options

• Check that your messages aren’t being forwarded to an unknown account and that no unknown people have access to your account.

8. Hire an IT advisor

• If you aren’t able to have an in-house team, work with an IT company familiar with your state’s rules on real estate compliance. An advisor can help set up a security plan and perform routine maintenance as needed.
• An advisor will also help you determine if your company’s SMTP server can be configured with better security filters with SPF, DKIM, and DMARC standards.

9. Check for any breaches

• You can put your personal and business email into HaveIBeenPwned.com to check if your account and any sensitive information like social security number, passwords you use, date of birth, and physical address has been exposed to hackers.

10. Learn how to read message headers, and trace IP addresses

• The header will contain identifiers that most email programs hide by default. The header will let you track the email’s origins via the IP address. If the IP address is located in China, but it’s supposedly from a colleague in the same building, you know something is amiss.

If you use Gmail, follow these security tips.

For Outlook users, follow these tips to protect yourself and your clients.

PropLogix will be joining forces with CertifID and Sophos for an American Land Title Association Compliance webinar on wire fraud prevention. We’ll be discussing some of the vulnerabilities inherent in the business systems we use every day and ways to combat wire fraud with technological tools and internal training. Register for the event here.