For anyone who thinks that phishing campaigns are easily detectable affairs that only affect the unsophisticated and the elderly, some sobering statistics from Barracuda’s 2019 Email Security Trends report:
- 74% of respondents said that email attacks are having a major impact on their businesses
- 43% of organizations have been the victim of a spear-phishing attack in the past 12 months
- 66% claimed that attacks have had a direct monetary cost on their organization in the past year
- 79% of IT professionals said they are worried about attacks and breaches stemming from inside the organization
An Osterman Research white paper found that phishing attacks topped the list of concerns for decision makers, with nearly 75% of executives citing phishing emails as the most significant threat.
Executives are right to be concerned. Phishing techniques are evolving and becoming increasingly sophisticated. Real estate transactions tend to be an easy target because the purchase is a highly emotional process for most buyers, who can be somewhat unfamiliar with the process and eager to cast aside logic in order to get the deal done. It’s also no coincidence that the most vulnerable point of a real estate transaction is also the most dizzying when it comes to activity. Buyers begin the process with a mortgage originator and a realtor, but at that point any number of parties can be involved, including an escrow officer or any number of assistants sending emails back and forth.
Bruce Phillips, CISSP, SVP and Chief Information Security Officer for Williston Financial Group, says the small warnings about wire fraud at the bottom of an email are akin to an end user license agreement: no one reads it; people merely click through in order to get what they really want.
“The education needs to start much, much earlier than the time the transaction starts,” Phillips said. “If you don’t hear about potential pitfalls until you open escrow, you’re months behind the curve. Mortgage professionals and real estate agents should be telling people, as you go through this process, you’re going to be a target for people, this is what to look for, and don’t send money without talking to somebody.”
Attackers have also gotten better at crafting the messages within an email or text message. Gone are the broken English and grammatical errors that plagued email scams of the last decade. Today, Phillips said, telltale signs will often be a different variant of the English language: phrasing or terminology that’s common in British English as opposed to American English.
Social engineering is also a powerful way that attackers have been able to transcend logic and the warning signs, particularly when it comes to working with a younger generation of consumers.
“They do everything on their phone except make a phone call. You’re trying to get them to step away from the really convenient world of text messaging and back to the world of picking up the phone. The criminals know that too,” Phillips said. They know that everyone warns people not to trust emails, and it’s really easy to spoof someone’s phone number. When an attacker copies a known phone number, the target of the attack is more likely to answer, and the attacker can either ask them to do something or fake a bad connection and follow up with a phony email. The call looks like it’s coming from an escrow officer, the wire instructions appear as if they’re coming from an assistant, and the buyer wires the money to the criminals without a second thought.
“They use multiple ways of making you lower your guard even though we’ve told the consumer from day one that we’ll never do that. Social engineering works as a technique to get people to do what you would like them to do, and that’s a technique that they’re using within these phishing campaigns,” Phillips said.
The good news is that the counterattack doesn’t involve some sort of technological breakthrough. In fact, it’s the opposite.
Phillips recalls a conversation that he had with a wire fraud victim who lost $123,000 before Christmas 2018, where Phillips asked what could’ve been done differently to prepare him against the attack. The victim’s opinion was that nothing in the way of written warnings would’ve helped.
“He said, ‘if my real estate agent, somewhere along the line, had sat me down, looked me in the eyes and said you are now a target for criminals who are going to try and get your money, and they’re going to try to do it . . . [via] email; any time you get an email that says send money, pick up the phone to these numbers—not anything that’s in the email—and call the escrow office, and ask them before you send any money.’ His opinion was if that had happened, coming from his trusted advisors, that would’ve protected him.”
Phishing attacks garner a lot of attention, but the truth is that those attacks are often doorways for more specific attacks. Traditional phishing practices cast a wide net and capitalize on whatever gets caught. Spear phishing is more targeted, where attackers will do a little more research to go after people and businesses. Whaling targets specific high-ranking individuals within a company. Attackers can layer these practices to get their desired effect.
Once an attacker gets someone to click a link, they can gain access to that person’s device, and along with it any number of details, such as where a person works and who does what within that organization. This opens any number of people to email/phone number spoofing in efforts to reach high-level executives.
“The end goal in all cases is to monetize the information that you get,” Phillips said. “It doesn’t take a lot of work, doesn’t take a lot of technical knowledge, and it costs a relatively small amount of money because they’re going to use someone else’s computer as a source for all the attacks. So that shields them from prosecution and other things.”
In addition to consumers losing deposits and lenders losing funds, there’s also a very real consequence for small broker shops or small title and escrow companies, Phillips said, that will have to calculate how much extra business they’ll have to do in order to make up that loss.
Losses have soared from $360 million in 2016 to $1.3 billion in 2018—and yet Phillips says that industry experts estimate that to be only 40% of what’s actually occurring, because a lot of wire fraud goes unreported.
“I think the final report for 2019 is going to end up somewhere around $2.5 billion, and my prediction for 2020 is it’s going to continue and they will continue to be successful because we have a lot of work to do to get everyone—consumers and real estate and mortgage brokers, everyone—understanding that this is a real problem,” Phillips said. “We all live and die by messaging and email and social media and those are the tools of the attacker. I don’t see it slowing down yet because it’s not a technology problem. It’s a social engineering problem.”