Business Email Compromise (BEC) attacks have emerged as a pressing concern for organizations, including those in the real estate industry, with the FBI labeling them a staggering $51 billion threat. In contrast to ransomware attacks, BEC scams do not rely on cryptocurrencies, making them more accessible for cybercriminals to execute. Recent data from a cybersecurity company suggests that fewer ransomware victims are willing to pay threat operators, fueling concerns that BEC attacks may experience a resurgence.

In a June 2023 update, the FBI shed light on the evolving landscape of BEC attacks. Noteworthy findings include a 17% increase in global exposed losses reported by the United States Internet Crime Complaint Center (IC3) between 2021 and 2022. The IC3 also observed a surge in BEC reports, emphasizing the real estate industry, where funds are often transferred to cryptocurrency exchanges. Interestingly, banks in Hong Kong, China, the United Kingdom, Mexico, and Singapore were frequent destinations for international funds, contributing to an estimated domestic and international exposed loss nearing $51 billion.
The trajectory of BEC attacks in the real estate industry has been intriguing. These scams gained traction in 2018, witnessed a decline, and then resurged in 2021. Real estate industry BEC scams encompass many targets, including buyers, sellers, attorneys, title companies, and agents. The modus operandi involves cybercriminals infiltrating the email accounts of individuals involved in real estate transactions. Once compromised, threat operators can monitor activities and manipulate payment instructions, typically transitioning from checks to wire transfers or redirecting funds to a bank account controlled by threat operators. According to the FBI, based on IC3 victim complaints, these attacks continue to proliferate. Between 2020 and 2022, there was a 27% increase in real estate-related reports and a staggering 70% increase in victim losses, attributed partly to rising real estate costs in recent years.
Real-world instances of BEC attacks underscore the gravity of this threat. Europol dismantled a cyber gang responsible for a $40 million BEC scam targeting a Parisian real estate developer in February. Impersonating lawyers, the gang convinced the victim to transfer millions of euros abroad before being apprehended by law enforcement. A month later, a fraudster attempted to siphon over $36 million from an undisclosed commercial real estate company. This audacious attack involved a threat actor posing as a trusted partner’s senior vice president and general counsel. Luckily, the attack was thwarted due to several factors, including a domain name discrepancy and advanced AI that detected signs of fraud.
Protecting against BEC attacks necessitates proactive measures. Organizations, including those in the real estate industry, should prioritize secure email solutions, regular staff cybersecurity training, and vigilant monitoring of unusual or suspicious activity and requests. Implementing multifactor authentication (MFA) with biometrics and robust password management is essential. Confirming the legitimacy of the sender’s email address and not relying solely on email for financial transactions are both critical. A standard protocol for verifying wire transfers or sensitive data requests, either face to face or by phone call to a known number, can make all the difference in preventing these devastating attacks.
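As an added illustration (not part of the original article), the sketch below shows one way to automate the sender-legitimacy check and catch the kind of domain name discrepancy mentioned above. It also goes one step beyond the text by flagging a Reply-To domain that differs from the sender's. The allow-list, domain names, and sample message are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains of parties already known to this transaction.
KNOWN_DOMAINS = {"acmetitle.example", "harborlaw.example"}

# Constructed sample: the sender domain swaps the letter "l" for the digit "1".
SAMPLE = (
    "From: Dana Cole <dana@acmetit1e.example>\n"
    "Reply-To: dana@mailbox.example\n"
    "Subject: Updated wire instructions\n\n"
    "Please use the new account for closing.\n"
)

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def check_sender(raw_message, known=KNOWN_DOMAINS, max_dist=2):
    """Return a list of findings; an empty list means no header anomaly."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    if from_dom not in known:
        near = [k for k in sorted(known) if edit_distance(from_dom, k) <= max_dist]
        findings.append(f"lookalike of {near[0]}" if near else "unknown sender domain")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to domain differs from sender")
    return findings

if __name__ == "__main__":
    for finding in check_sender(SAMPLE):
        print(finding)
```

A message sent from a genuinely compromised mailbox passes this check because its domain is legitimate, which is why verification by phone to a known number remains the deciding control for payment changes.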
In an era where cyber threats continue to evolve, safeguarding against BEC attacks in the real estate industry is paramount. Vigilance, education, and proactive security measures can help organizations stay one step ahead of cybercriminals seeking to exploit vulnerabilities in their operations. Phishing attacks are the most common method threat actors use to harvest legitimate credentials.
SpearTip offers phishing training as mitigation to enhance skills related to defending against these threats. The training tests the discernment of companies’ teams, educates employees regarding common phishing tactics and indicators, and identifies related security gaps in their environments. Our team creates phishing email simulations like those threat actors use and sends them throughout the organizations. We provide insight and feedback to improve the cyber defenses of companies’ teams, leading to a profound decrease in the likelihood of being victimized by phishing scams. After the training, our team provides precise and thorough strategies to harden their environments and implement ongoing awareness training. By providing cybersecurity awareness training, companies and their employees can better understand the risks of the cyber landscape and develop impactful cybersecurity practices that reduce the likelihood of cyberattacks.