Speaking to a multi-family-office real estate investor, he mentioned that his colleague mis-sent $125 million in a San Francisco commercial real estate transaction closing, with the funds ultimately routing off to Nigeria. Yes, $125 million!
How did this happen? He explained that in the days leading up to the closing, there is a flurry of emails from lawyers, various other parties, title insurance closers, and sometimes these are coming in every minute with various comments, document edits, and more about the deal closing.
Everyone is moving fast, as a closing like this pays out nice commissions, and time can kill deals. In haste, people are clicking, opening email, editing docs, replying, replying-all… with money on their minds.
In the midst of this, a cybercriminal was eavesdropping on one of the lawyers’ email accounts, and could see the details of the transaction; and could even see the actual documents.
Injecting himself into the email flurry, the cybercriminal purchased a lookalike domain (domain with one letter off from one of the other parties involved) and cleverly tucked this in the hidden “reply-to” field of the email structure.
The cybercriminal then sent the email looking like it was FROM the actual party but with the REPLY-TO going to the cybercriminal’s lookalike domain address. The cybercriminal then, on this particular email, appended a version of the agreement draft that was authentic OTHER THAN the bank account number for the closing funds to be wired.
The bank was the same, bank location, bank routing number… all the same. The account number was different. This document then became the “next version” that was circulated by all the parties for the next week up to the closing.
At closing, the cybercriminal’s bank account was now baked into the closing documents, and the $125 million was sent… to the closing (cybercriminal) bank account in the USA, and then swiftly routed to another bank, then another, then ended in the cybercriminal’s hands.
There were two main tactics used in this, both of which could have been seen if ANY of the parties had been using the RPost PRE-Crime™ technology.
But this was how it worked in relatively “old” days. Today, the cybercriminals are focusing on multi-party impostor schemes. This is when one cybercriminal poses as multiple separate professional service providers (e.g., lawyers, realtors, insurance professionals) all in the same transaction.
One person poses on both sides of a transaction. We’ll call this Multi-Party Poser, or Multi-Party Impersonation scheme. And, we’re seeing this via tactics where AI Clones are being combined with the abovementioned more traditional professional service provider Lookalike Domains.
Perhaps closer to home in terms of deal size, witness what happened in this fairly recent consumer real estate fraud. To summarize, a couple in New Jersey just had their offer on their new home accepted and had to make the necessary down payment.
But then things took a dark turn. Cybercriminals got wind of the impending sale due to one of the parties having a compromised email account (note to readers, RPost’s Eavesdropping AI would have detected, alerted, and pre-empted this had any of the lawyers, realtors, sellers or buyers been using it).
The cybercriminal then purchased lookalike domains of the buyer’s lawyer and another for the seller’s lawyer, and then built an email thread of back and forth with in context communications (information gleaned from the compromised email account), (fake) lawyer to (fake) lawyer email replies, then the poser lawyer for the buyer forwarded the thread to the buyer’s real estate agent, and in the (fake) email thread the real estate agent (real) could see the lawyers (fake) indicating it was time to fund the down payment. The (real) real estate agent then notified the buyer to fund with funding details from the (fake) lawyer email thread.
Yes, we’re not just talking about a standard phishing scheme; we’re talking about an entire email string between multiple accounts managed by one impostor. This is sophisticated. And with GenAI it will be even more powered up this year.
The imposter pretending to be the couple’s attorney said the down payment due date had been moved up and that payment needed to be made ASAP. The (real) real estate agent — from her real corporate email address — responded to that message, saying she spoke to the mortgage company and confirmed the funds should be wired. The buyers went on to wire the down payment to the cybercriminal’s bank account losing over $30K. Attempts were made to recover the funds, but as we see time and time again, once the money is gone, it really is gone forever.
The big reveal here is that cybercriminals are now playing both sides of a transaction to create a fake back-and-forth email string. The cybercriminal forwards the (fake) email string to one of the legitimate parties (in this case the buyers’ agent), who replies-all, adding an aura of legitimacy to the email string.
Multiple parties to the transactions were fake.
RMail’s PRE-Crime™ would detect these situations, these crimes in progress and provide insight to thwart them. It would have identified the compromised and lookalike email accounts and pre-empted the wire transfer. PRE-Crime™ is designed to prevent, detect and disarm wire fraud attacks targeting you at your own email account, and even at your clients’.
Technically speaking, this is a form of cybercrime categorized as Business Email Compromise (BEC). It is one of the leading causes of wire fraud, one of the most financially damaging vectors of cybercrime. Sophisticated, socially engineered scams like the one just mentioned targets businesses conducting legitimate invoice, escrow, redemption, and other fund transfers, aiming at diverting payment to fraudulent bank accounts.
While some cybersecurity solutions help protect organizations from miswiring their own funds, they remain exposed to scenarios where it’s their clients falling for these scams. RMail PRE-Crime™ module harmoniously extends your existing email security systems, adding elegantly easy encryption, unique BEC targeted attack detection, and more, with AI to extend DLP automation.
Contact RPost to learn more.
October 08, 2024
October 04, 2024
October 01, 2024
September 24, 2024
September 17, 2024