Internet hackers and scammers have found a great business opportunity in 2020. Fears over the COVID-19 pandemic have caused some to drop their guard and open emails that offer aid and information. And that, the Federal Bureau of Investigation fears, is going to increase what the FBI calls business email compromise (BEC).
There are many types of BEC schemes, all out to gain access to a company’s accounts by capturing their login information through disguised emails or through wire fraud. In 2019 alone, this activity caused a loss of approximately $1.8 billion.
Real estate agents are favorite targets because their computers can be a gateway to their clients, with the real prize being access to closing transactions. Wire fraud schemes are often initiated from the compromised inbox of an agent who innocently clicked on a scammer email disguised as useful tips or a valuable promotion.
With heightened fears over coronavirus, guards may be lowered even further when the news concerns the pandemic.
The scammers are patient. Once access to a client’s communication is achieved, they will lurk in the cyber-shadows for days, weeks, months or longer, reading the email exchanges until the title company or lender signals that a closing will take place. They then engineer bogus wire instructions for the client using stolen information.
How to protect yourself
Despite the complexity of the threat, there are some fairly simple practices agents can adopt to protect themselves and their clients, and in doing so, add another layer of expertise to the quality of the service they offer. In fact, how an agent will safeguard a client’s personal and financial information should be presented along with proposed marketing plans during initial meetings.
Knowing the risks will help agents understand that cautious scrolling through their inboxes is imperative. Here are a few things to watch for that indicate possible cybercrime:
1. Wiring instructions
Note any changes to wiring instructions or recipient account information, and have the client verify any received wire instructions — by phone, using a number verified on their title company’s website — with that company.
2. Verify URLs
Be sure that any URL included in an email is associated with the represented business by hovering the cursor over the URL address. This will show the destination.
3. Writing errors
One of the easiest giveaways is misspelled words in either the email copy or provided hyperlinks. Take the time to read carefully.
4. Check the address
What may appear to be a familiar email address could actually be off by just a character or two, signaling that it has been socially engineered for a redirect to the scammer.
The FBI’s email crime hit list
Earlier this year, the FBI released a list of the most egregious and commonly used forms of this activity. Here is a summary of the top seven:
1. Business email compromise (BEC)
This is a highly sophisticated scam that targets businesses that work with foreign companies and regularly perform wire transfer payments. The goal is access through email or computer intrusion techniques to conduct unauthorized transfers of funds.
2. Email account compromise (EAC)
Similar to the above, this activity uses compromised emails to request payments to fraudulent locations.
3. Data breach
These leaks of data from a secure location at the personal and corporate levels will spill sensitive, confidential information into an untrusted environment where an unauthorized individual can initiate a criminal transfer.
4. Denial of service
A hacker can cause an authorized user to be denied access to his or her own system or network.
Malicious software invades a computer to damage or disable it, and then through it, potentially impact an entire office or network. There’s also the lesser-known “scareware,” which uses scare tactics to solicit funds from victims.
To forge or fake electronic documents, “spoofing” uses emails forged to appear as if sent by a familiar or trustworthy source. “Phishing” (vishing, smishing or pharming), often used in conjunction with a spoofed email, falsely claims to be from an established, legitimate business.
These emails ask the recipient to divulge passwords, credit card numbers and bank account information at a phony website created to obtain the user’s information.
This is malware that preys on human or technical weaknesses within a business or personal network to deny access to data and/or systems. It’s often delivered through “spear-phishing” emails that initiate rapid encryption of sensitive files within a corporate network.
The organization is no longer able to access their data, and the perpetrator now demands payment, typically in virtual currency such as bitcoin to reestablish the victim’s data access.
Staying safe online
Safeguarding oneself and one’s company from these pervasive criminal activities is harder, but especially important while the COVID-19 pandemic is taking such an emotional and economic toll around the world.
There are also apps and online services that leverage two-factor authentication, biometric or PIN-based logins and password managers, including Dashlane, Lastpass and 1Password, that can create ridiculously hard-to-crack passwords that users won’t need to memorize for every login.
Justin Stutz is the vice president with WEST, A Williston Financial Group Company. Connect with him on Facebook or LinkedIn.
After 25 years, Inman Connect is coming to you. We’re transcending our legendary events in a live digital event, Inman Connect Now. Get ready for the top industry leaders plotting the path forward, new business ideas and opportunities, networking like you’ve never imagined it, and tons of exciting new magic, all straight to you. It’s all part of an epic new Inman experience, Connect Now, June 2-4, 2020. Click here to save your seat.