Anatomy of Mortgage Spear-Phishing Campaigns
According to new numbers from the U.S. Commerce Department released recently, new home builds and sales are rising, which could mean a big opportunity for mortgages and unfortunately, cyber criminals.
Increasingly, malicious hackers are spoofing emails as part of a spear-phishing attack designed to trick home buyers into wiring money into the hacker’s bank account. The FTC even issued a consumer advisory, warning of scammers phishing for mortgage closing costs.
“Hackers have been breaking into some consumers’ and real estate professionals’ email accounts to get information about upcoming real estate transactions. After figuring out the closing dates, the hacker sends an email to the buyer, posing as the real estate professional or title company,” Colleen Tressler, Consumer Education Specialist, Consumer Education Specialist, FTC wrote.
The bogus email says there was a last-minute change to the wiring instructions, and tells the buyer to wire closing costs to a different account. But it’s the scammer’s account.
This nightmare scenario could have substantial financial consequences for the homebuyer, who could end up losing the house, a whole lot of money, personal information, and much more.
In a new report, phishing experts at Campbell, Calif.-based Barracuda Sentinel dissected a recent incident where an attacker attempted to interfere with a mortgage closure.
“Sadly, this is a real scenario, and as spear phishing attacks continue to increase — people, businesses, and brands should be on high alert,” Asaf Cidon, spear phishing behavior researcher for Barracuda, said. The recent attack attempt, made at the eleventh hour of a mortgage deal, tried to trick a home buyer into wiring a large payment into the wrong hands.
According to the case study, all seemed to be going according to plan until the day the buyers needed to wire funds. They received an email from their mortgage company stating they switched banks, and to follow the updated wiring instructions in the email attachment.
“This is certainly a curious message that should raise questions from homebuyers, especially considering that it’s asking for funds to be wired differently than what was originally expected,” the report conveyed. “There’s plenty of evidence that mortgage scams continue to bring in revenue for criminals so anyone buying a home needs to be aware of the risk.”
Fortunately, in this instance, the message raised a red flag and the client immediately called his mortgage agent to investigate before proceeding. “When the client took a closer look at the actual sender’s email address, the domain didn’t match the one listed in the real mortgage agent’s email signature. The attackers spoofed the domain to appear like it was an actual message from the client’s mortgage agent.” An easy way to tell if the domains match is to hover a cursor over the sender’s address and a window appears identifying the actual address.
In addition to the spoofed domain, the attacker included an attachment and asked the client to follow the instructions inside to make the wire transfer. “If the request itself isn’t odd enough, there’s always a risk involved to opening an attachment. Even though the attacker is clearly trying to convince the homebuyer to wire money, an attachment like this could contain other malicious activity such as ransomware or other types of malware. When in doubt, don’t open attachments,” Cidon and his team emphasized in the report.
The homebuyer did everything right to avoid a cyber catastrophe. They questioned the initial request, identified the spoofed domain, and immediately called the mortgage agent to confirm that the message was in fact a scam. More alarming was the mortgage company’s reaction. “They mentioned that it’s a wide-spread problem, but they didn’t seem interested in considering the issue any further,” the Barracuda study reported.
There have been several news reports of similar incidents, where unfortunately the phishing victims were not as fortunate.
Barracuda Sentinel protection delivered as a cloud service and combines three layers: an artificial intelligence engine that stops impersonation attempts and spear phishing attacks in real time; domain fraud visibility using DMARC authentication to protect against domain spoofing and brand hijacking; and anti-fraud training including simulated attacks for high-risk individuals in the organization.