It happened to us – hackers got into somebody’s account.
They posed as the escrow officer and tried to divert my buyers’ down payment to the wrong bank account. Their timing was impeccable too.
Six days before closing, an email was sent to the buyers that looked like a normal email from the escrow officer:
Good morning (buyers’ names),
We are getting close to closing. It is important that we get the Cash to Close to avoid delays in closing.
Please tell me when you would wire the Cash to Close.
Regards, (escrow officer’s name)
The buyer asked for the amount and for wire instructions by email – and the hacker responded three times by email and even sounded like the escrow officer. This was the tip-off though:
Please find attached the wiring instructions. It is an account of one of our subsidiary company as our main account is currently undergoing compliance audit. As such, any funds entering the account would be held for review which would grossly affect the scheduled closing date. The total closing cost is X.
The hacker asked for an amount that was within $2,000 of being accurate, and if the buyers had been in a big hurry, they might have just sent it.
Thankfully, Mr. Buyer called the escrow officer direct to verify. The escrow officer was stunned – she hadn’t sent any emails to the buyers that day!
Because no crime was actually committed, the escrow, title, and mortgage companies just shrugged it off. We won’t ever know who the hackers were, or how they got in, but to call it unsettling is an understatement.
From my buyer:
We felt very unnerved yet relieved. I couldn’t sleep that night, knowing how close we came to losing a substantial amount of money, by nearly anyone’s standards. I personally felt helpless, because I’m not sure what I could have done to recognize this fraud. We consider ourselves pretty plugged in and so we didn’t think twice about getting a wire request from escrow.
The bottom line is, escrow and bank request a lot of items and need responses ASAP so that escrow proceeds to a timely close. Therefore buyers are, in many cases, reading highly technical documents ‘on the fly’, often from smart phone screens. In my case, this meant that I was usually just skimming documents and electronically signing without really studying the material.
The escrow company did say in their instructions that buyers should call before wiring any funds. I didn’t notice this until after the attempted theft of our money. In the future, I would like to see escrow go back to speaking with buyers more often, instead of just emailing documents for signature. It sets a more personal tone and makes buyers more comfortable in picking up the phone to talk to the escrow agent with questions, rather than always relying on electronic communication.
Some escrow companies are now encrypting their wire instructions, but they are missing the point. The hackers are way ahead of us! All they need is a copy of the purchase contract (which agents, buyers, sellers, escrow and lenders email around unsecured), and the hackers can figure out the rest.
They just pose as the escrow officer a day early, and ask the buyers to wire the down payment and closing costs to them!
You should have ignored the emails but reported the attempt to the authorities. Also look at the full headers of the email the hacker sent; it might have revealed where they were emailing from.
The authorities could have worked with a bank to catch the fraudster. If they were in the US this is a federal crime.
Personally I would have loved to string the fraudster along acting stupid wasting their time and trying to get them to give their location / contact info.
Finally… considering when the email was received, I bet either the loan officer’s or the buyers’ email was/is hacked and the bad guy is watching everything.
Hacking an account is not even necessary. If you know who to impersonate, it is trivial to forge an email message that is indistinguishable from the real thing except to a tech geek who bothers to read the headers.
This incident highlights the need to abandon public email systems for serious business. The amount of business conducted through public email has grown large enough for this type of attack to be successful often enough to be lucrative. Investment managers, title companies, mortgage lenders, anyone who is conducting high-value business through public email is a potential target. Organizations need to transition to secure, closed systems with stronger authentication. Yes, it will cost more than the “free” Yahoo or Gmail, but many people learn too late the high cost of “free.”
As an example only (not implying any recommendation) here is one such service offered by HP:
https://www.voltage.com/products/email-security/hpe-securemail-cloud/
If you check brokerage and bank web sites they provide secure messaging on their web site. All they do on the public email is to send a notice that there is a private message. Yes this means that an account will need to be set up by each client on a system run by the escrow company but…
As noted in the comments of course one could check the headers of the email message.
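Added example, not part of the original post or comments: a Python sketch of the header check the commenters mention, run on a constructed message. The domains, addresses and function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the incident): the From line shows the escrow
# company, but replies go to a look-alike domain and authentication failed.
SAMPLE = """\
Authentication-Results: mx.buyer-mail.example; spf=softfail smtp.mailfrom=relay.example.net; dkim=none; dmarc=fail header.from=escrow-co.example
Received: from relay.example.net (relay.example.net [203.0.113.45]) by mx.buyer-mail.example; Mon, 01 Jan 2024 09:12:03 -0800
From: "Escrow Officer" <officer@escrow-co.example>
Reply-To: "Escrow Officer" <officer@escrow-c0.example>
To: buyer@buyer-mail.example
Subject: Cash to Close

Please tell me when you would wire the Cash to Close.
"""

def domain(header_value):
    """Lower-cased domain of the address in a header value, '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg):
    """spf/dkim/dmarc verdicts recorded in Authentication-Results.
    Only trust the copy stamped by your own receiving server."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for part in value.split(";")[1:]:  # part 0 names the stamping server
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest.split():
                verdicts[method] = rest.split()[0].lower()
    return verdicts

def triage(raw):
    """Return a list of header findings worth a phone call before wiring."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To {reply_dom} != From {from_dom}")
    verdicts = auth_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method, "missing") != "pass":
            findings.append(f"{method}={verdicts.get(method, 'missing')}")
    return findings

def oldest_hop(raw):
    """Bottom-most Received header: the earliest relay on record. Hops below
    your own provider's are sender-supplied and can be forged."""
    hops = message_from_string(raw).get_all("Received", [])
    return " ".join(hops[-1].split()) if hops else ""

if __name__ == "__main__":
    print(triage(SAMPLE), oldest_hop(SAMPLE), sep="\n")
```

An empty findings list does not prove a message is genuine: mail sent from a mailbox that really was compromised passes all of these checks, so the phone call to a known number still matters.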
The FBI was contacted, but because no crime was committed, they said to fill out a form. End of their interest.
They had that part handled – the email header looked like all the rest. I don’t know if they re-routed the buyer’s responses on the way back, or if the header was just a facade.
The industry will rush for new or improved encryption or other type of secured messaging, but it is so loosey-goosey now that it will be like trying to herd cats.
I don’t get it, what was the destination account of the supposed wire? If it was US bank account, it should be easy to track down the account owners. You should contact the destination account bank. Can you post the emails you received so others can know what to look for?
Agreed – we have the wire instructions for the receiving bank – doesn’t the FBI just walk in and demand to know whose account?
The other emails sounded like an escrow officer talking – not being demanding or real efficient either (just asking about wire instructions instead of sending with this email):
Good Morning
If you could wire the funds today it would help in expediting closing.
Do you have our wiring instructions?
Regards,