Business email compromise (BEC) scams are some of the most potent threats to cybersecurity around the globe — and the threat is not letting up anytime soon. While ransomware attacks often grab the headlines, BEC scams are just as pervasive. Cybercriminals carry out BEC scams by "either spoofing an email account or website, sending spear-phishing emails, or using malware," according to the FBI.
Real estate is one of the industries significantly hit by BEC scams. Data from the FBI's Internet Crime Report 2021 revealed that "about 13,638 people were victims of wire fraud in the real estate and rental sector in 2020 — a 17% increase over 2019 — with losses of over $213 million." As a result, real estate and rental wire fraud were ranked No. 7 out of over 30 types of fraud monitored and reported by the IC3.
Another report, by the National Association of Realtors, showed that the real estate industry saw $6.9 billion in victim losses in 2021, with an estimated average of more than 2,300 complaints daily. Undoubtedly, real estate wire fraud is one of the most common types of cybercrime in the US today.
There are several reasons why BEC scams work. Tyler Adams, CEO and co-founder of Texas-based SaaS platform CertifID, recently discussed with Dark Reading three major ones and how to get ahead of them.
1. Information on Real Estate Transactions Is Public
Whether they are targeting Fortune 500 companies or small real estate offices, BEC scam actors gather information to soften the target and make it more vulnerable to attacks. Usually, BEC scam victims receive a spoofed email on behalf of a party involved in a real estate transaction, with instructions directing them to change a payment type or location to a fraudulent account. Once the funds are deposited, they're rapidly withdrawn, making recovery difficult or impossible.
According to Adams, a major reason attackers can successfully gather information on their targets is that all the information for real estate transactions is public.
"With a simple search online, you can see every house that's for sale, who the real estate agent is — and sometimes the seller themselves — and even the title/escrow companies that service the local market," he said.
Adams noted that information like this leads to targeted phishing attacks that result in BEC. "This makes it easy for fraudsters to impersonate mortgage lenders as part of a real estate closing, in hopes of having the payoff wire transfer redirected to the fraudster's bank account," he said.
In addition, the two parties involved in real estate transactions are expected to trust each other, and there's often a lot of information divulged in that process. Malicious actors exploit that trust by weaponizing the public information against unsuspecting businesses and individuals.
2. Many Communications Are Electronic
Adams pointed out that lots of different people communicate electronically in the real estate industry. The average real estate transaction has six different people or parties, all communicating electronically to align on the details of the closing and transfer of funds, he noted. This often presents several loopholes that threat actors can exploit.
One of the ways attackers leverage electronic communications in real estate is through impersonation, Adams said.
"Sometimes it's realtor impersonation — such as a first-time home buyer getting an email from what appears to be their real estate agent but is instead a fraudster with details for where and when to send the money," Adams said. "Oftentimes it's lender impersonation."
He noted that a common fraud is impersonating a mortgage lender, fooling a buyer into sending their wire transfer to the scam artist instead of their lender.
3. Transactions Are Temptingly Big
The payday for fraudsters is huge, Adams said. Measured by revenue, the market size of the US real estate sales and brokerage industry is $226.8 billion in 2022 alone, according to research firm IbisWorld. That's a per-year average growth of 4.9% from 2017 to 2022, the report states. The large volume of daily transactions in real estate makes the industry a juicy target for attackers.
This is why one of CertifID's major areas of practice is the small and midsize business (SMB) space, according to Adams. SMBs often lack the infrastructure to effectively monitor the daily volume of real estate transactions and the resources to recover from an incident when it occurs.
"There are millions of small and medium-sized businesses all across the United States that don't know how to leverage advanced API-based platforms to stay protected against cyberthreats. And one payoff from any of these cybercrimes can put such companies out of business," he said.
Restoring Trust by Verifying Identity
CertifID says it has developed the technology and expertise needed to track how money moves across the real estate industry, with the aim of restoring trust in the industry. In an intricate system that involves knowing all the parties involved in every transaction, it's essential to prioritize identity verification, Adams said.
"If we're going to do a transfer transaction, we've got to know that you are who you say you are, because if you're at all being impersonated, then we can't trust any of the information," he said.
CertifID says its PayoffProtect product validates mortgage payoff wiring instructions, authenticating parties and bank wire information in real estate transactions. Its broader platform addresses the specific needs of real estate agents, title agents, and law firms.
Trust is one of the cardinal points in the real estate industry. Every single home that's for sale is online, and attached to it is a real estate agent who has a phone number and email address. They want to be contacted by as many people as possible because they want to sell that home, and they don't know whether a buyer is legit or a fraudster.
"Given real estate transactions are a fertile ground for BEC, and the impact these frauds have on the livelihoods of individuals and businesses, we'll continue to support this industry until we've made a significant impact in the fight against fraud," Adams said.