
Wire fraud killed the deal: how social engineering targets mortgage closings

May 29, 2026 · william.whiting


Closing day has finally arrived and no one is more excited to be done with the arduous and overwhelming process of purchasing a home than you, the buyer. You, your spouse, and your three young children are all abuzz with anticipation of leaving your old home and starting fresh in a new one. As you tape up the last moving box and heave a sigh of relief, your smartphone receives a notification. It’s the title agent: apparently there was a problem with the account address sent to you in the wire transfer instructions, and a new address has been provided.

Your eyes quickly scan the email for any obvious signs of foul play but everything seems legitimate. The sender’s email address is the one you’ve seen in your inbox every day for months. Confident that this is a genuine communication from your title agent, you go ahead and wire the funds over and enjoy a moment of peace as the realization washes over you that the long and stressful process has finally come to a close and now all that’s left is to walk through the door of your new home.

Unfortunately, your new home is not yet yours and the real estate transaction is not yet finished because that email from your title agent was not, actually, from your title agent. What you’ve just experienced is called a Business Email Compromise (BEC), a type of cyber-attack that is not only extremely stressful and onerous for everyone involved but also relatively easy for an attacker to pull off.

Much of what makes mortgage closings so attractive to threat actors is that each one is a high-pressure transaction with a narrow closing time-frame, large wire amounts, and multiple human parties, each of whom can be socially engineered and manipulated. The high pressure, major stakes, and potential for human error from multiple ends make this an opportunity-rich environment for a threat actor looking to take advantage of the chaos. Not only that, but every party, every email, and every document exchanged during the process is part of the attack surface and, in a typical residential closing, that surface is wide open.

The BEC attack begins with the attacker selecting a target. This stage of the process is the simplest because the contact info of those involved in real estate closings (loan officers, title agents, real estate attorneys, escrow officers, etc.) can almost always be found on listings, company websites, and public records.

The next step is to gain access to that person’s email account. More often than not, the method employed for this task is phishing (the attacker hits the target with a fake login page which captures the target’s credentials upon entry); however, some attackers simply purchase stolen credentials from the dark web.

After breaking into the target’s email account, the attacker will then use his ill-gotten access to read emails and learn as much as he can about the transaction (e.g., the closing date, the purchase price, the buyer’s name, the attorney, the title company, the wire instructions, etc.).

Now that the attacker has access to the target’s email account and has gathered some valuable intel, the last step for the attacker is to send a single email, typically right at closing. Anyone who has been through a real estate transaction knows how chaotic and stressful closing can be, even when there are no problems. In this situation, however, closing is about to turn into a nightmare of a whole different genre.

The buyer is a bundle of raw nerves and everyone is ready to see this transaction, typically months in the making, get put behind them. The attacker sends one email, made to look like it came from the title company or the attorney, informing the buyer that the wire instructions have changed and providing a new account number for the transaction. The email may be sent using the target’s email account, which makes it nigh impossible to distinguish from a legitimate communication, or it may be sent from a spoofed address made to look identical. The end result is the same in either case.

The buyer receives the email, sees that it’s “legitimate,” and wires the money to the new account address. Depending on the type of transaction, this could be anywhere from $20,000 to over $500,000. This amount is wired directly to the attacker and is then withdrawn from the fraudulent account within hours. By the time the real title company calls to ask where the buyer’s wire transfer is, it’s already too late. The money is gone and the chances of recovery are slim to none.

What makes a BEC attack, or any attack involving a real estate transaction, so particularly pernicious is the breadth of data vulnerable to attack. Anyone who has ever reviewed a loan file or participated in a real estate transaction can tell you that the loan documents paint a very clear and comprehensive picture of the borrower’s life, financial or otherwise. The 1003 (Uniform Residential Loan Application) by itself contains the borrower’s name, address, phone number, social security number, demographic information, employment information, assets and liabilities, and other sensitive, valuable data.

With just the loan application, the promissory note, and the chain of email communications, the threat actor now has the ability to map the entire transaction to choose the weakest link of all involved parties to impersonate, to use the borrower’s employment and income information to profile them, to learn how much money is moving and when, to learn the writing styles of the parties for the purpose of mimicking a trusted party, and to swap out the account address in the wire instructions for the new, fraudulent address.

Indeed, an attacker who gains access to a loan file has successfully obtained virtually everything he needs to execute an effective attack, even if the closing date has already passed. While the attack in this article involves capitalizing on the high pressure of the closing date to steal a wire transfer in real time, the volume of sensitive and valuable data in a loan file leaves the borrower in a compromised transaction vulnerable to many different kinds of attacks, some of which may take place months or even years after the transaction. Threat actors, including insider threats, may simply write down the relevant data and sell it on the dark web. Savvy enough attackers may use multiple pieces of the stolen data to impersonate the borrower, steal their identity, gain access to their accounts, and/or even spoof the victim to target other individuals in the victim’s life.

Mortgage closings are such a wide-open and target-rich attack surface with so many vulnerabilities and potential weak points that it can be overwhelming to consider. However, there are some practical controls which can be implemented that can break the attack chain.

One step that would stop the entire attack chain from the very beginning is to always verify the wire instructions with the sender verbally. If you receive updated wire instructions, even if they were sent from an email address you trust, call the sender and verify that they sent the instructions and that the address is written correctly. If the sender has no idea what you’re talking about, you know you just dodged an expensive scam.
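The sketch below is an added example, not part of the original article: a small inbound-mail triage in Python that applies the rule above, holding any message about changed wire details for a phone callback even when the sender address is the trusted one. The trusted domain `closings.example`, the keyword lists and the three sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_DOMAINS = {"closings.example"}  # assumed: domain used all through the deal
TOPIC = re.compile(r"\b(wire|wiring|routing|account)\b", re.I)
CHANGE = re.compile(r"\b(chang\w*|updat\w*|new|revis\w*|correct\w*)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return (findings, hold); hold means: no wire until a phone callback."""
    msg = message_from_string(raw)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if sender not in KNOWN_DOMAINS:
        near = any(edit_distance(sender, d) <= 2 for d in KNOWN_DOMAINS)
        findings.append("lookalike-domain" if near else "unknown-domain")
    if reply and reply != sender:
        findings.append("reply-to-mismatch")
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    text = f"{msg['Subject'] or ''}\n{body}"
    if TOPIC.search(text) and CHANGE.search(text):
        findings.append("wire-change")
    # A hijacked real mailbox passes every header check, so content alone holds.
    return findings, "wire-change" in findings

# Constructed sample messages (not real traffic).
BODY = "There was a problem with the account. Please use the new one below.\n"
SPOOFED = ("From: Dana <dana@c1osings.example>\nReply-To: desk@mailbox.example\n"
           "Subject: Updated wire instructions\n\n" + BODY)
HIJACKED = ("From: Dana <dana@closings.example>\n"
            "Subject: Updated wire instructions\n\n" + BODY)
ROUTINE = ("From: Dana <dana@closings.example>\n"
           "Subject: Closing time confirmed\n\nSee you Friday at 10am.\n")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("hijacked", HIJACKED), ("routine", ROUTINE)]:
        print(name, triage(raw))
```

The hijacked-mailbox sample produces no header findings at all, which is why the hold is driven by the message content and cleared only by calling a number obtained before the email arrived.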

A more comprehensive step which would patch the vast majority of vulnerabilities leading to successful cyberattacks is effective, universal training. Every single person who touches a transaction must be trained in security awareness so that, when a red flag is raised, everyone involved sees it clear as day and no one is caught off-guard.

It is also imperative to use secure, encrypted document portals for sensitive transaction details rather than simply emailing them back and forth. While an attacker who has gained access to the email account of one of the involved parties may unfortunately already have access to enough information to cause serious damage, the damage is mitigated significantly with each document that is kept hidden in a secure document portal and away from the attacker’s prying eyes. If all sensitive data exchanged by all parties throughout the entire duration of the transaction were exchanged only through a secure document portal, threat actors targeting mortgage loans would lose a great deal of their leverage.

It is easy to see how much risk there is in conducting large financial transactions electronically and it can be shocking to consider just how much vulnerability is inherent to the process and exposed throughout it. A threat actor who successfully compromises the business email of a party involved in a mortgage transaction has essentially acquired a golden goose; not only can they rip off the down payment, they can sell the PII, impersonate the borrower, and/or use the stolen data to defraud the victim for years after the fact. The upside, however, is that a little vigilance and good data hygiene are often all it takes to form a sort of immunity to attacks like this.
