By Asaf Cidon
Buying a house is one of the most important purchases people ever make, and often one they've been saving toward for years before they finally sign the closing documents. Given the time and effort it takes to find the perfect house, get an offer accepted, and make it through the signing process, the deep breath at the end is truly refreshing. But what if that breath was delayed, or never came at all, because a cybercriminal interfered with the process and had the loan payment wired to them instead of the seller? This nightmare scenario can have substantial financial consequences for the homebuyer. They could end up losing the house, a whole lot of money, personal information, and much more.
Sadly, this is a real scenario, and as spear phishing attacks continue to increase, people, businesses, and brands should be on high alert.
Spear Phishing for Mortgages: the attacker attempts to interfere with a mortgage closing and would have run off with a large sum of money had it not been for an alert user.
*Some sensitive information has been changed in the details below to protect the privacy of the people involved in this attack.
All seemed to be going according to plan. The homebuyers had just a few last-minute tasks to complete, and they'd have the keys to their new home. Among the remaining tasks, the time had come for the buyers to wire funds to close escrow. However, on the day that the buyers were set to wire funds, they received an email from their mortgage company stating that it had switched banks, and asking them to follow the updated wiring instructions in the email attachment.
Actual message received by the homebuyer from the attacker.
This is certainly a curious message that should raise questions from homebuyers, especially considering that it’s asking for funds to be wired differently than what was originally expected. On the other hand, there’s plenty of evidence that mortgage scams continue to bring in revenue for criminals, so anyone buying a home needs to be aware of the risk.
Fortunately, in this instance, the message raised a red flag and the client immediately called his mortgage agent to investigate before proceeding. Aside from the curious message itself, when the client took a closer look at the actual sender's email address, the domain didn't match the one listed in the real mortgage agent's email signature. The attackers spoofed the domain so that the message appeared to come from the client's mortgage agent. An easy way to tell whether the domains match is to hover your cursor over the sender's address; a window will appear that shows the actual address.
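The domain comparison the homebuyer did by eye can also be automated. The sketch below is an added example, not something from the original incident: it parses the From header, compares the sender's domain with a list of known-good domains, and goes one step beyond the text by flagging near-miss lookalike domains and display names that quote a trusted domain. The domains, the sample message, and the function names are all constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: domains the recipient already knows are genuine,
# e.g. taken from the real agent's signature (placeholder value).
TRUSTED_DOMAINS = {"examplemortgage.test"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify the From header of a raw message against known-good domains."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return {"domain": "", "verdict": "no-sender-address"}
    if domain in trusted:
        return {"domain": domain, "verdict": "match"}
    # A domain one or two edits away from a trusted one is a likely lookalike.
    for good in trusted:
        if edit_distance(domain, good) <= 2:
            return {"domain": domain, "verdict": "lookalike", "resembles": good}
    # Display name quotes a trusted domain while the real address differs.
    if any(good in display.lower() for good in trusted):
        return {"domain": domain, "verdict": "display-name-mismatch"}
    return {"domain": domain, "verdict": "unknown-domain"}


# Constructed message headers for illustration only.
SAMPLE = (
    "From: Jane Agent <jane@examplemortage.test>\n"
    "To: buyer@example.org\n"
    "Subject: Updated wiring instructions\n\n"
    "We switched banks. See attachment.\n"
)

if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

Any verdict other than `match` on a message that changes payment instructions is a reason to confirm by phone, using a number obtained before the message arrived.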
In addition to spoofing the domain, the attacker included an attachment and asked the client to follow the instructions inside to make the wire transfer. If the request itself isn't odd enough, there's always a risk involved in opening an attachment. Even though the attacker is clearly trying to convince the homebuyer to wire money, an attachment like this could contain other malicious content such as ransomware or other types of malware. When in doubt, don't open attachments.
In this attempted scam, the homebuyer did everything right to avoid a cyber catastrophe. He was alert enough to question the initial request, then identified the spoofed domain, and immediately called his mortgage agent to confirm that the message was, in fact, a scam. What he found even more alarming about his situation was the reaction that he received from the mortgage company. They mentioned that it's a widespread problem, but they didn't seem interested in looking into the issue any further.
In this incident, the target did not fall for the hook. However, there have been several news reports of other similar incidents, where unfortunately the victims were not as lucky.
To recap, the techniques used in this attack were:
- Spear phishing: The attacker attempts to bait the recipient into wiring money.
- Impersonation: The attacker is pretending to be a mortgage agent.
- Spoofing: The sender’s email address is spoofed by the attacker.
Although the example above was ultimately sniffed out by the instincts of a savvy homebuyer, there are some approaches, beyond simply being aware of such frauds, that users can take to avoid these types of scams. Training is obviously a big one, because if users are more aware of what to look out for in potential attacks, they'll be much less likely to fall victim or even engage in any type of questionable communication with criminals. Taking a proactive approach, not only with user training but also by addressing any threat vectors with the proper IT security technologies, can significantly lower the risk of an attack. One of the reasons spear phishing continues to be so successful for criminals is that traditional email security gateways often fail to detect these highly personalized social engineering attacks.
Asaf Cidon is Vice President, Content Security Services at Barracuda Networks. He can be reached at Cidon@Stanford.edu.