This One Mistake Cost a Home Buyer $50,000

When Hillary Clinton, Ashley Madison, or Target get hacked, it’s headline news. While someone may be inconvenienced by these high-profile hacks, they rarely result in large cash losses to consumers. Not so in the case of a new breed of real estate phishing scams. These are highly sophisticated cyber-attacks that specifically target the active transaction pipelines of realtors, lenders and title companies.

Robert Millard was sitting in his long island home on a brisk Tuesday morning sipping coffee, reviewing trades for the day and waiting for an email from Patty Doran, an attorney helping Millard close on a $20MM penthouse apartment in Manhattan. Millard knew and trusted Doran. He heard the chime of outlook letting him know a new email arrived. It was from Patty telling him they were ready for the wire transfer giving him detailed instructions.

All the names were correct, the email addresses were right, the title company was right, even the banks were correct. He opened his browser and logged into his bank. Punched in the ABA number, the account number and amount of the wire $1.938 million and finally hit send. Moments later the funds were rushing to their destination and Mr. Millard relaxed, blissfully unaware that he was just the victim of a terrible cybercrime.

You see, Patty’s email had been hacked and the cyber criminals were watching every single email back and forth between the parties. At exactly the right moment they sent Mr. Millard an email – from Patty’s computer, with the wiring instructions. The only difference between the official wire instruction and the fake one was that the bank account number was the criminal’s account rather than the title companies account. Ouch.

The cretins perpetrating these crimes are stealing from everyday people like you and me. And they’re stealing large sums of people’s hard earned money. People like, Robert Millard. He was educated at MIT and Harvard and is chairman of Massachusetts Institute of Technology’s board of trustees, where he serves as a board member of the school’s $13.5 billion endowment. In 2007 he was the head of proprietary trading at Lehman Brothers where he traded house money and was their highest paid employee, making more than the CEO — $50 million dollars. No one earns that kind of money without being one of the best in the world at his job. His job was to evaluate and price risk.  How did Mr. Millard, a phenomenally smart guy, fail to understand the risks when wiring funds and what could he, Patty and the title company do to prevent this from happening in the future?

A former Lehman Brothers executive unwittingly wired a $2 million deposit for a $20 million Manhattan apartment to cyber criminals – and now he is b…

—The New York Post

I’m too small to be a target

Many small businesses believe that this kind of crime won’t happen to them, that they’re below the radar or “we’re too small for cybercriminals to pay attention to”.  This couldn’t be further from the truth and cyber criminals understand this misperception.  Don’t forget that these are the same criminals that used to send out the Nigerian emails and would be thrilled to pick up a few hundred bucks.  Smaller realtors don’t have the same security, policies and procedures as the bigger companies making them easy targets.

Gary Jaburg, Shareholder
Jaburg & Wilk

While Millard’s case was very high profile, small businesses throughout the country are experiencing this kind of fraud regularly.  Early in December 2016 the same scam was used to defraud a Tucson, AZ couple of $50,000 on their very first home purchase.  We only know about the case because the realtor on the transaction is one of our neighbors.  It received no press and so far, no restitution.

Aside from the transaction that is ruined, the dashed hopes of a buyer and seller, ere can be significant longer term effects.  There could be lawsuits claiming the hacked party was negligent in their security practices (if your password is currently 12345, stop reading and go change it right now).  Many states have enacted laws requiring business to disclose safeguard client’s personal information.

Gary Jaburg, an attorney with Jaburg & Wilk, said, “here in Arizona, the Arizona Consumer Fraud Act, A.R.S. 44-151, requires a person that conducts business in this state has a responsibility to properly implement adequate, commercially reasonable security measures to protect customer’s private financial information, and can be held responsible for any damages caused by their lack of security”.  These aren’t just legal theories, a $5,000,000  lawsuit was filed against Jimmy John’s, for failing to implement adequate security measures to prevent hackers from breaking into their systems.

Cybercrime against large retailers like Target and Home Depot has cost these companies millions in damages. Now, cybercriminals are targeting the real estate industry … they specifically target peop…

–Jessica EdgertonAssociate CounselNational Association of Realtors

If Hilary can’t prevent hackers what can I do?

The first step to preventing this kind of crime is to change your own personal practices and to raise awareness for those around you.  Start by reframing the issue and it will be easier to prevent thefts.  Rather than thinking to yourself, “My computer is safe & secure” assume that hackers are already in your systems, they are smarter than you and they are not going to be detected by any antivirus or anti-malware program.

There are red flags that everyone in the transaction should be aware of:

1. Last Minute Changes.  There should not be any significant changes is the transaction.  The title company should not change.  The wire instructions shouldn’t change, there shouldn’t be any new people introduced.  If there are, the information must be verified.
2. Beware of opened and public WiFi connections.  It’s almost trivial for a hacker to gain access to your phone or laptop on an insecure connection.  Under no circumstance should you transmit sensitive information from a public IP address, in english, that means don’t log into your bank account from the WiFi at StarBucks!
3. Use Secure Passwords.  I know this seems like common sense, but, you’d be amazed how many people are using simple passwords.  91% of all users pick one of a 1,000 passwords common words.  At the top of the list are 12345, football, baseball, fuckoff and fuckme.  Use a random password generator to create a strong password. It may not keep out a persistent criminal, but, at least it won’t be easy for him.
4. Go Old School.  If you have any reason to believe that your computer or anyone else’s in the transaction may be compromised, instead of wiring the funds, go to your bank, pick up a cashier’s check and hand deliver it to the title company.  It’ll add time to the transaction, but, we won’t be reading about you in the NY Post.

It’s important for you as a participant in the real estate industry to understand how this could happen to you and your clients and to take steps to prevent this kind of scam from happening to you.

Howard Lein, President
ReMax/Excalibur

Howard Lein, the president of ReMax/Excalibur, said “The incidence of cybercrime as relates to real estate and title transactions is pervasive and is not localized nor does it attack any particular individual. All buyers and sellers can be at risk if they don’t pay attention. When a loss occurs, it is a big dollar amount and can be a life changing cost to an innocent party. I would encourage all parties in the industry to become VERY aware of the problem and warn anyone they know of involved in a real estate transaction to be VERY careful with their wire instructions. If we don’t get a handle on this type of loss, it will end up changing the way we close transactions and we don’t want that to happen”.

Corey Schwartz, the President of Loanatik, an Arizona Mortgage Bank, said, “these are the kinds of hacks that Loanatik is designed from the ground up to prevent.  All settlement service providers should establish policies and procedures designed to thwart the criminal’s plans.  Even simple changes can make it difficult for hackers to derail your transaction.  For example, at the very beginning of the transaction send out the complete set of contacts for the transaction and include the wire instructions.  We advise our clients that this information should not change throughout the transaction.  We also advise the buyer that if there are any changes to the wire instruction that they must be verified with someone whose voice they recognize.  So, communicate with the escrow officer early in the transaction so that you recognize their voice. Before sending a wire, call the receiving party, verify the wire information and then call after the wire is sent to confirm its receipt.” Mr. Schwartz went on to explain that the faster you recognize that something went wrong, the better chance you have of recovering the funds.

Frank Nein, a cyber warfare specialist, has been consulting with Loanatik over several years and added, that these are very sophisticated “Angler Phishing” attacks and that this is just the begining.  Paypal was recently the target of Angler Phishing scams.