Most business in the 21st century is conducted online. This is especially true during the ongoing pandemic as office personnel are working remotely from laptops and personal computers. It is now second nature for people to use Facebook Messenger, WhatsApp, Signal, Slack or email to discuss business with their co-workers.
What some companies do not think enough about, however, is the real possibility their employees could be exchanging texts and emails with a cybercriminal.
According to the FBI’s Internet Crime Report, business email compromise (BEC) schemes caused an estimated $1.7 billion in losses in 2019, accounting for about half of all reported cybercrime-related financial losses in the U.S. BEC remains the most commonly used scam by cybercriminals to steal from commercial mortgage borrowers, brokers and lenders.
Business email compromise is a quickly growing and highly effective online scam that targets businesses and individuals who perform wire or clearinghouse transfer payments. In a BEC scam, the attacker steals a username and password combination from a legitimate email account, and then launches fraudulent email messages requesting funds transfers. Requests are often made to an accountant, chief financial officer, treasurer or other business stakeholder with responsibility for making payments.
BEC scams have been reported in every U.S. state and around the world. Although BEC attacks affect mortgage lenders and brokerages of every size, small and midsize businesses are typically more susceptible because they lack the security budgets, controls and experienced internal IT staff of their larger peers.
Security breaches are often caused by users doing something they shouldn’t do, such as clicking a malicious URL in an email that takes them to a dubious website; opening a tainted PDF, Excel or Word file; using weak passwords; leaving portable devices with confidential data unattended; or being tricked into giving up their passwords through phishing attacks that harvest usernames and passwords. Security industry estimates indicate that roughly 90% of successful compromises begin with users making mistakes. But there is no simple answer to this problem, and potential solutions raise difficult questions.
Spear-phishing and other social engineering schemes target borrowers, brokers, lenders, title companies, insurers, attorneys and other participants within the mortgage origination process. These crafty exploits trick people into believing they are dealing with a trusted, legitimate party. These attacks are designed to lead consumers to counterfeit, malicious websites that dupe recipients into divulging financial data and credentials, such as usernames and passwords. These increasingly sophisticated schemes plant malicious payloads onto computers and other devices to steal credentials, identities, money and data.
Targeting real estate
Participants in commercial real estate transactions are particularly vulnerable to BEC scams. A foremost reason is that the major participants in these deals are easily identified online.
They include Realtors and brokers, property portfolio managers, title companies, banks or other lenders, closing attorneys and related entities. The property itself may be listed and viewed online. This gives perpetrators of BEC scams the ability to target one or more participants in the transaction, as well as to identify the participants, their roles and the subject property.
The second reason real estate transactions are at risk is that, in many of these deals, small businesses and private individuals participate in the chain of title transfer or sale. It could be a small to midsize title company, a solo real estate attorney, or the buyer or seller. As such, they may not have the levels of data protection and authentication that more sophisticated entities should (but often do not) have.
Third, real estate is real money. For many individuals, it is their most valuable asset. For businesses, it represents a core asset or expense. When real estate changes hands, so does money, and hackers know this. Many BEC scams are perpetrated because one trusted party whose email account was abused failed to take reasonable measures to protect the security of the email. Once the scam is detected, however, it is often difficult to find the source of the breach. In the end, both parties think that it was the obligation of the other to prevent the incident.
BEC threats can be minimized by taking some relatively simple steps. For example, there are several mobile-app security platforms, such as NowSecure, that can be installed on mobile devices and portable computers to provide protection. A company needs to establish a secure and authenticated means of communicating and transferring documents and records while protecting the confidentiality and integrity of computers, networks and programs. Other means of communication — faxes, drop boxes, and even voice and video communications — also can be hijacked.
An elusive problem
BEC scams related to commercial mortgage transactions are often difficult to catch because of the numerous participants involved in the underwriting of a loan. During a real estate transaction, borrowers must rely on agents, attorneys, title companies and others to guide them through a complex process from application to closure. And much of the communication during this process takes place via email.
When an email appears to come from any one of these trusted sources, the borrower or anyone else involved in the transaction often follows instructions without hesitation. Email is both insecure and trusted — not a good combination if you are trying to protect your company from cyberattacks. The COVID-19 pandemic has increased this threat because more people are working remotely, increasing the reliance on insecure devices or technologies.
Active efforts are being made, however, to fight BEC fraud. In August 2019, 80 defendants, all believed to be responsible for at least $6 million in losses, were indicted in Los Angeles for BEC fraud in a major effort led by the FBI. In September 2019, a worldwide law-enforcement effort yielded 281 arrests — including 167 in Nigeria and 74 in the U.S. — for BEC-related fraud, with nearly $3.7 million in assets seized from the fraudsters. The U.S. Justice Department has filed at least 22 such cases in the past three years, many as part of a collective enforcement effort dubbed “Operation Wire Wire.”
One example of a BEC attempt occurred when a mortgage lender received an email purporting to be from a company executive, who had previously scheduled a transfer of $1 million. The email requested that the transfer date be moved up and for the recipient account to be changed “due to COVID-19 outbreak precautions.” The email address used by the attacker was nearly identical to the CEO’s actual email address, with only one letter changed.
In another example, a borrower was emailed by someone claiming to be their lender. The fraudulent lender requested that mortgage payments be wired to a different bank because the accounts at the subject bank were inaccessible due to “coronavirus audits.” The victim sent several wires to the new bank account and had significant losses before discovering the fraud.
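Both incidents above turned on a sender address that differed from the legitimate one by a character or two. The check below, added here as an illustration and not part of the original article, flags inbound senders that are within a small edit distance of a known trusted address so that a payment-change request from such an address can be held for out-of-band verification. The trusted addresses and sample messages are constructed placeholders.

```python
"""Flag sender addresses that closely resemble a trusted payment contact."""

# Constructed allow-list of addresses authorised to request payment changes
# (placeholders, not real addresses).
TRUSTED_SENDERS = {
    "ceo@example-lender.com",
    "controller@example-lender.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete
                           cur[j - 1] + 1,           # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(sender: str, trusted=TRUSTED_SENDERS, max_distance: int = 2) -> str:
    """Return 'trusted' for an exact match, 'lookalike' if the address is within
    max_distance edits of a trusted one (e.g. one letter swapped), else 'unknown'."""
    s = sender.strip().lower()
    if s in trusted:
        return "trusted"
    if any(edit_distance(s, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"


def triage(messages):
    """Return (sender, verdict) for each constructed message; lookalikes asking
    to change a bank account are the ones to hold for a phone call to the
    known-good number before any wire is sent."""
    return [(m["from"], classify_sender(m["from"])) for m in messages]


if __name__ == "__main__":
    # Constructed inbound messages mirroring the article's scenario.
    sample = [
        {"from": "ceo@example-lender.com", "subject": "Q3 budget"},
        {"from": "ceo@examp1e-lender.com", "subject": "Move up the $1M transfer"},
        {"from": "vendor@unrelated-supplier.net", "subject": "Invoice 1042"},
    ]
    for sender, verdict in triage(sample):
        print(f"{verdict:10} {sender}")
```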
● ● ●
These incidents serve to remind us of the threat. The internet has transformed commercial mortgage lending, and it’s now more efficient and profitable than ever. Unfortunately, crime also has moved online and is equally, if not even more, efficient.
Socially engineered and targeted phishing exploits remain the attack of choice for cybercriminals, and these exploits are increasingly responsible for a growing number of business email compromises. Large transactions processed online by commercial mortgage originators, their business partners and clients have put the entire industry in the crosshairs of cybercriminals. Let’s get prepared.
Author
Jeffrey Bernstein is the director of cybersecurity and compliance advisory services for Kaufman Rossin’s risk advisory consulting practice. Kaufman Rossin is a certified public accounting firm that provides professional services to businesses, organizations, institutions and their leaders. Bernstein advises clients in highly regulated industries on the protection and compliance of their networks, applications, systems, data, devices, people and property. Follow him on Twitter @Jeff_Bernstein1.