Cybersecurity for the Mortgage & Real Estate Industry — Part 4
How do you know the person you’re talking to is legitimate?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: Mortgage, Real Estate, Banking, and Legal Security
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Social engineering in cybersecurity is the concept of tricking someone into doing something to gain access to systems or steal information, data, or money. I wrote about it more in this blog post about penetration testing. Social engineering does not involve breaking into systems using technical means. Attackers use communication to trick people into doing something that facilitates their malicious activity. I will explain how attackers might use this tactic in a real estate transaction based on things I experienced.
Business email compromise (BEC) in real estate transactions
This last post on mortgage industry security includes the real estate industry because the topic applies to both. As I explain at the end of the article, real estate agents can dramatically reduce the success of these types of attacks with some simple strategies. These topics go beyond mortgages and apply to different people and contacts involved in a property sale, with or without a bank or mortgage broker.
In prior posts in this series, I explained how attackers use security flaws in portals or access to email accounts to obtain information about real estate transactions. Attackers may obtain the email addresses of buyers, sellers, and other people involved in the process. They might also acquire the amount of the transaction.
Phishing is one of the primary forms of social engineering. An attacker sends a person an email to trick them into doing something. Often an attacker wants the recipient to click on a document or link that ultimately installs malware. That is one of the primary attack vectors leading to ransomware.
In the context of a real estate transaction, the attackers leverage phishing in an attack called business email compromise (BEC). The attack involves tricking someone into wiring money to the wrong account. In the latest IBM Cost of a Data Breach report for 2021, BEC was the costliest form of data breach. I’ve also attended Infragard presentations where the FBI was trying to raise awareness of this attack due to the number of cases and amount of money lost due to BEC.
Attackers are leveraging business email compromise attacks in real estate transactions. Once attackers obtain information about a property sale, they can send emails to the addresses they stole and attempt to trick people into wiring money to the wrong bank account.
Gaps in real estate transaction communications
My recent real estate experience on both ends — buying and selling — involved getting emails from people I had never heard of asking for information, paperwork, and eventually, bank accounts. I had no prior contact with these people. I did not know if the information they were providing or their requests were legitimate.
The process for buying and selling homes varies across states as well. These differences involved what seemed like disconnected processes in some cases, and information spread across multiple people and companies. The more people and systems that have your data, the greater the chance it gets exposed to the wrong person.
In one state, the process involved my real estate agent, a title company, and a notary. At one point, a person from the title company contacted me, and I had no idea if this was a legitimate contact or organization. This company told me a notary would contact me and gave me a name of an individual.
Next, I got an email from the notary. I had no way to know if that email was from the real notary. Anyone can send you an email that says, I am Jane Doe, and you have no way to know if it’s truly Jane Doe or not. The notary arranged to walk me through documents and witness me signing them via a Zoom call. She also asked for my wire transfer information on the phone.
Not only was I concerned about giving my banking information to multiple people throughout this process, but I also did not want it to appear on a document in a Zoom call. The information could be recorded by the video vendor's systems or captured via a screenshot, not to mention that the notary, the bank, and the title company would all then have the information. When I explained my apprehension to the notary, she allowed me to provide the wire transfer details directly to the title company.
The title company sent me a DocuSign form to fill out with the wire transfer information. I was more comfortable with this since I am familiar with DocuSign and their process for ensuring documents are not accessed or tampered with, though I haven’t assessed them in-depth for a while. I know the company has undergone some changes, so do your own assessment if you plan to use them.
My other concern was that after I filled out the secure document, a person I had never heard of before called me from the title company to “verify” my bank account information over the phone. I didn’t know this person or her phone number, and I had no way to know if this call was legitimate, so I declined. I had carefully filled out and double- and triple-checked the wire transfer information when I entered it and took screenshots, so I knew it was correct. DocuSign employs integrity checks to ensure no tampering occurs after the point of entry during the transaction.
In another state where I participated in a real estate transaction, a person from a law firm contacted me. I was not even aware that law firms were involved in property sales in that state. The process is completely different. The law firm re-requested a lot of sale information. I was curious why I had to give them the data already provided via other documents. The more locations this information gets stored, the greater the chance it gets exposed. If the information is not required, it is best not to ask for it or give it. When I asked, my legal contact told me I did not have to resubmit the information, so I did not.
The other thing was that this law firm was providing me wire transfer information. Since the person contacting me was unfamiliar to me, I could not know if the account information was accurate without taking a few additional steps.
How I avoided business email compromise in my real estate transaction
While going through the process of buying and selling a house, I took the additional step of performing some open-source intelligence (OSINT) to research people who contacted me to make sure they were from the purported company. OSINT involves gathering information from publicly available online sources. That tactic is also used in penetration testing to gather the information needed to carry out an attack. In this case, I was using it to confirm I was speaking to valid contacts.
In some cases, I found the person on LinkedIn and confirmed connections and contact information. In other cases, I searched for the company in Google, called the receptionist, and asked for the person. I also validated all contacts with my real estate agents. At each step along the way, I confirmed for each transaction when the bank or other party sent or received money by contacting the title company, the law firm, or the bank as appropriate. That meant I would know something was wrong quickly.
You may think all this validation is overkill. However, I was not about to take chances with hundreds of thousands of dollars. I was also aware of the prevalence of BEC and that it affects many people and businesses. In addition, I had been taking a risk by publicly announcing the sale of my house to try to raise interest. I knew that a social engineer would have a decent amount of information to try to trick me or someone else in the process. Better safe than sorry!
To see what he would say, I asked one of my real estate agents what I should do to ensure my wire transfer made it to the right place. He did recommend contacting your agent to validate the transaction contacts. When I asked my contact at the law firm about wire transfer concerns, she also suggested calling before making the final wire transfer to ensure all the information was correct.
In addition to validating contacts, information, and funds at each step, I avoided giving out information unless required. As I explained above, I knew something about DocuSign and trusted the security of that system more than giving my banking information to a person I never heard of before. When asked for information, I confirmed whether it was required or not before providing it. I also avoided giving my banking information to the notary or providing it over a communication channel that has been known for security vulnerabilities (Zoom).
You can find some other tips from the FBI in this press release I found after writing this article while putting together my weekly cybersecurity news feed.
Proofpoint also offers some tips related to other types of BEC attacks:
In another example this week, a BEC scammer that stole more than $24M got caught. This group of scammers broke into email systems, sending fake invoices and requests for payments.
A simple solution for more secure real estate transactions
There’s a simple solution for the problems above. When a real estate transaction proceeds, the real estate agents can gather all the names, phone numbers, and emails of the people who will contact the buyer and seller. Provide that information in an email or via a text message. Then call the buyer or seller on the phone to confirm they got the message and the accuracy of the contents to avoid the risk of compromised email accounts or phone messages.
It is one small extra step, but it helps ensure the buyer or seller does not give out information to an imposter. The person involved in the real estate transaction can validate that the person contacting them is coming from the correct email address or phone number. Be aware that phone numbers may be spoofed via caller ID, so the safest approach is to hang up and call the contact back if any concerns exist about the legitimacy of the communication.
When the buyer or seller provides bank accounts or wire transfers, inform them they should call to confirm receipt and accuracy of any information provided. Tell buyers and sellers the timeline for funds to be sent or arrive. Ask them to follow up with banks in the appropriate timeframe to validate transactions to catch malicious activity as quickly as possible.
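To make the verification step concrete, here is an added example (not code from the original post) of how a buyer, seller, or an agent's office could check incoming messages and calls against the contact list the agent delivered out of band. The contact list, the names, the domains (example-title.com, example-notary.com) and the 555 phone numbers are constructed sample data, and the script assumes that list was already confirmed by phone as described above. It checks the exact sender address, flags addresses at look-alike domains, unlisted mailboxes at a trusted domain, and messages whose display name matches a trusted contact while the address does not, and it looks up a caller's number against the list. A phone match only means the displayed number is on the list; since caller ID can be spoofed, the callback advice above still applies.

```python
"""Sender and caller verification against an out-of-band contact list.

Added example, not code from the original post. TRUSTED_CONTACTS is constructed
sample data standing in for the list a real estate agent would text to the
buyer or seller and then confirm by phone; all names, domains and numbers are invented.
"""
import re
import unicodedata

# Constructed: people authorised to contact the buyer/seller, keyed by the exact
# email address the agent confirmed.
TRUSTED_CONTACTS = {
    "jane.doe@example-title.com": {"name": "Jane Doe", "role": "title company", "phone": "+1 555 555 0101"},
    "sam.roe@example-notary.com": {"name": "Sam Roe", "role": "notary", "phone": "(555) 555-0102"},
}


def normalize_email(addr):
    # NFKC folds look-alike Unicode forms; lower-casing makes the comparison case-insensitive.
    return unicodedata.normalize("NFKC", addr).strip().lower()


def parse_from_header(header):
    """Split 'Display Name <addr>' into (display, addr); a bare address gets an empty display name."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), normalize_email(m.group(2))
    return "", normalize_email(header)


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two keystrokes away from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return 'trusted', 'unlisted-mailbox', 'lookalike-domain', 'display-name-spoof' or 'unknown'."""
    display, addr = parse_from_header(from_header)
    if addr in TRUSTED_CONTACTS:
        return "trusted"
    domain = addr.rsplit("@", 1)[-1]
    trusted_domains = {a.rsplit("@", 1)[-1] for a in TRUSTED_CONTACTS}
    if domain in trusted_domains:
        # Right company, but not a mailbox on the confirmed list (e.g. a compromised colleague).
        return "unlisted-mailbox"
    if any(edit_distance(domain, d) <= 2 for d in trusted_domains):
        return "lookalike-domain"
    trusted_names = {c["name"].lower() for c in TRUSTED_CONTACTS.values()}
    if display.lower() in trusted_names:
        return "display-name-spoof"
    return "unknown"


def phone_digits(number):
    """Keep the last ten digits so '+1 555 555 0101' and '(555) 555-0102' compare consistently."""
    return re.sub(r"\D", "", number)[-10:]


def lookup_caller(number):
    """Name of the trusted contact whose number matches, or None.

    A match only says the displayed number is on the list; caller ID can be spoofed,
    so hang up and call the listed number back before sharing anything.
    """
    digits = phone_digits(number)
    for contact in TRUSTED_CONTACTS.values():
        if phone_digits(contact["phone"]) == digits:
            return contact["name"]
    return None


if __name__ == "__main__":
    samples = [
        "Jane Doe <jane.doe@example-title.com>",
        "billing@example-title.com",
        "Jane Doe <jane.doe@examp1e-title.com>",
        "Jane Doe <janedoe.title@webmail.example>",
        "closing@other-firm.example",
    ]
    for hdr in samples:
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
    print("caller 555-555-0102 ->", lookup_caller("555-555-0102"))
```

Anything other than `trusted` is a reason to stop and call the agent or the contact's listed number rather than reply to the message; the edit-distance threshold of two is a constructed choice and can be tightened for short domains.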
A more complex solution for secure real estate transactions
A more complex solution involves leveraging a secure portal for real estate transactions that tracks all related documents and contact information. The document management solution can share the documents with the appropriate parties. Avoid displaying sensitive information in Zoom calls or other third-party systems when not necessary.
This solution could be flexible enough to work with any process, whether it involves a notary, real estate agent, lawyer, or title company. I can imagine a software-as-a-service (SaaS) offering that facilitates the process. Perhaps an extension to DocuSign would do the trick, since it is possible to create customized workflows on that platform.
As explained in my last post, the portal needs to be secure and work properly. Otherwise, this solution could exacerbate the problem!
With a secure portal, a customer could log in and find all the appropriate contacts safely. In addition, all submission of wire transfer information occurs via a process that involves security checks and data integrity. If someone does not want to provide wire transfer instructions via this process, they could call on the phone, but they could still be sure the contacts are correct. They could also contact their agent to confirm the information before calling anyone to provide wire transfer instructions.
The problem with wire transfers
This whole process highlights the problem with wire transfers. You have to give someone information about your bank account and hope for the best. Once they have your bank account information, they can use it again at any time in the future. There’s no way to initiate a one-time-only wire transfer or a one-way-only wire transfer (i.e., in, never out). I asked my bank to do this, and they said it was not possible. The whole wire transfer process could use some additional security.
To overcome the weaknesses in wire transfer processes, consider getting multiple bank accounts. Have a bank account for incoming funds, and immediately transfer anything that arrives into a separate account. I asked my bank if they could do this automated transfer for me, but they could not. If the account that receives funds always has limited or no funds, any attempt by a third party to use that account information to wire money out should trigger a fraud alert or fail due to insufficient funds. Hopefully, the amount of any successful wire transfer will be limited.
Have a separate account for outgoing wire transfers and other external funds transfers. Keep only the money in that account that you need to make payments. Put the rest of the money into savings or even into a separate bank, and never give out that account information. If you’re working for a company, require two people to facilitate an outgoing wire transfer: one person has permission to transfer funds into the outgoing wire account, and a different person has permission to initiate the outgoing wire.
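As an added illustration (not code from the original post), the following models the account structure and two-person rule just described: an inbound account that is swept as soon as funds land, an outbound account funded only with the amount of the next payment, and separate permissions for the person who funds that account and the person who sends the wire. The account names, the users (alice, bob), their roles, and the amounts are constructed, and a real bank's controls will differ; the point is to show that a reused inbound account number yields an insufficient-funds failure and that neither person alone can complete an outgoing wire.

```python
"""Account segregation and a two-person rule for outgoing wires.

Added example, not code from the original post. Accounts, users, roles and
amounts are constructed; this is a model of the control, not a bank's API.
"""


class AuthorizationError(Exception):
    """Raised when a user attempts an action their role does not permit."""


class InsufficientFunds(Exception):
    """Raised when an account cannot cover a debit."""


class SegregatedAccounts:
    # Constructed role assignment: nobody holds both permissions.
    ROLES = {"alice": {"fund_outbound"}, "bob": {"initiate_wire"}}

    def __init__(self):
        # inbound: the only account whose details are given to others for incoming money
        # outbound: the only account whose details leave the company for payments
        # savings: never shared; holds everything not needed for an imminent payment
        self.balances = {"inbound": 0, "outbound": 0, "savings": 0}
        self.log = []

    def _require(self, user, permission):
        if permission not in self.ROLES.get(user, set()):
            self.log.append(("denied", user, permission))
            raise AuthorizationError(f"{user} may not {permission}")

    def receive_wire(self, amount):
        """An incoming wire lands in the inbound account and is swept immediately."""
        self.balances["inbound"] += amount
        return self.sweep_inbound()

    def sweep_inbound(self):
        """Move everything in the inbound account to savings; returns the amount moved."""
        moved = self.balances["inbound"]
        self.balances["inbound"] = 0
        self.balances["savings"] += moved
        self.log.append(("sweep", moved))
        return moved

    def external_debit(self, account, amount):
        """A party holding the account details pulls funds; fails if the balance cannot cover it."""
        if self.balances[account] < amount:
            self.log.append(("blocked", account, amount))
            raise InsufficientFunds(f"{account} holds {self.balances[account]}, debit of {amount} failed")
        self.balances[account] -= amount
        self.log.append(("debited", account, amount))
        return amount

    def fund_outbound(self, user, amount):
        """Person A tops up the outbound account with exactly the next payment's amount."""
        self._require(user, "fund_outbound")
        if self.balances["savings"] < amount:
            raise InsufficientFunds("savings cannot cover the transfer")
        self.balances["savings"] -= amount
        self.balances["outbound"] += amount
        self.log.append(("funded", user, amount))
        return self.balances["outbound"]

    def initiate_wire(self, user, amount):
        """Person B sends the wire; it cannot exceed what Person A placed in the outbound account."""
        self._require(user, "initiate_wire")
        return self.external_debit("outbound", amount)

    def two_person_wire(self, funder, initiator, amount):
        """Funding and initiation must be done by different people."""
        if funder == initiator:
            raise AuthorizationError("funder and initiator must be different people")
        self.fund_outbound(funder, amount)
        return self.initiate_wire(initiator, amount)


def demo():
    """Walk through a sale: proceeds arrive, a later misuse of the inbound details fails, a real payment succeeds."""
    acct = SegregatedAccounts()
    acct.receive_wire(500_000)                    # constructed sale proceeds, swept to savings at once
    try:
        acct.external_debit("inbound", 10_000)    # inbound details reused later: nothing there to take
    except InsufficientFunds as e:
        print("blocked:", e)
    acct.two_person_wire("alice", "bob", 20_000)  # a legitimate payment needing both people
    return acct.balances


if __name__ == "__main__":
    print(demo())
```

The outbound balance is zero except for the moment between funding and sending, so even a compromised initiator can move at most the amount the funder approved; the log records every denial and blocked debit, which is what a bank's fraud alert would key on.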
Hopefully, some of the suggestions here will help people involved in the mortgage and real estate industries and those buying and selling property. These tips can also help improve the security of wire transfers and prevent business email compromise for any organization.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2021
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
