There’s real money to be made in real estate. And in 2020, we anticipate the potential for profit will continue to attract cybercriminals as they attack real estate transactions, which are mostly carried out through their favorite channels: emails, websites, and attached documents. To uncover the top cyberattack trends—and detail necessary safety tips—we examined more than 600 U.S. real estate transaction attack attempts and here’s what we uncovered.
Cybercriminals have significantly shifted their attack scope and expanded their net to go after all the players involved in real estate transactions including: agents, buyers, inspectors, insurance agents, and even contractors. Anyone involved in any stage of a real estate transaction needs to know they could potentially be hit with attempts to steal funds and compromise deals. Specifically, bad actors often use fake business email compromise (BEC) messages, spoofed emails, or more recently, they take over the email account of someone in the real estate attack chain to con their victims into acting (this is referred to as email account compromise by the FBI, or EAC). According to the United States Federal Bureau of Instigation (FBI)’s Internet Crime Complaint Center (IC3), over US$26 billion was lost around the world to BEC from June 2016 and July 2019.
While cybercriminals have been going after the big payoffs at the end of real estate transactions for years, the expansion into more targets suggests they are looking to expand their successes. According to our research, attackers varied widely from being very focused and sophisticated to less capable actors using social engineering exclusively. The people behind these attacks run the gamut from known attacker groups to one-off individuals and employ a broad arsenal of tactics and tools, including:
- Social engineering
- Malware, specifically banking Trojans and information stealers
- Compromised personal and business landing pages
- Weaponized attached documents
- Email thread hijacking
- Phishing portals themed around individual agents/agencies
- Financial/wire fraud
Here are six attack attempt examples, including spoofed Office 365 and DocuSign phishing emails to lure victims into clicking. We’ve also provided four ways to stay safe while completing real estate deals in 2020.