Any time your real estate agent or other real estate professional sends you an email adjusting the location, amount, or method of transferring money, it might behoove you to take five minutes and verify their identity before you respond. Failing to pick up the phone and double-check the identity of the person behind her realtor’s new email account recently cost a first-time homebuyer $36,000 she will probably never get back. The woman wired $36,000 in down payment and closing costs to a Bank of America account after being instructed to do so in an email she believed to be from her realtor.
Spoofing is Getting Easier
The homebuyer was deceived by a process called spoofing, which used to refer only to a trick that made it appear that a phone number was, in fact, a different number. For example, phone scammers might spoof the number of a local bank or even the FBI in order to intimidate those whom they called. With email, the process is extremely easy. By using subdomains registered to mimic email addresses of real people working on a transaction, scammers can create emails that appear to be from official addresses. The rest is easy.
In this case, the scammers inserted the letters “dr” into the emails. The unobtrusive shift went unnoticed, and they were able to communicate directly with the homeowner about her pending purchase. An email that might originally have been email@example.com became firstname.lastname@example.org. Ultimately, the scammers directed the buyer to send her down payment to a Bank of America account instead of the original Wells Fargo account the real agent had instructed her to use. The homeowner did so. She did not discover her mistake until the final walk-through at the home when she overheard her realtor say “Wells Fargo account” in reference to the funds.
“I interjected, and I said ‘No, you told me to send it to Bank of America.’ They said, ‘No, it was Wells Fargo,’” the woman recounted. If the woman had called to verify the information for the wire transfer, the issue would have been avoided. However, because she already trusted the source of the emails, whom she believed to be her agent, she did not.
In most cases, victims who wire money as a result of these schemes have no recourse and do not recover their money. Although most states do have anti-fraud laws and computer crime laws, since many of these scams are conducted overseas, there is not a good way to recover money or even identify the criminal behind the theft. The best defense is to always verify the identity of any individual seeking money and confirm, in person or by phone, that the financial institution with which you are dealing is the right one for the transaction. Some banks will actually hold wire transfers to overseas accounts for several days in an attempt to protect consumers, but you should not rely on your bank to defend you from phishing.