Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Target Real Estate Deals, With Devastating Impact

James and Candace Butcher were ready to finalize the purchase of their dream retirement home, and at closing time wired $272,000 from their bank following instructions they received by email.

Within hours, the money had vanished.

James and Candace Butcher were ready to finalize the purchase of their dream retirement home, and at closing time wired $272,000 from their bank following instructions they received by email.

Within hours, the money had vanished.

Unbeknownst to the Colorado couple, the email account for the real estate settlement company had been hacked, and fraudsters had altered the wiring instruction to make off with the hefty sum representing a big chunk of the Butchers’ life savings, according to a lawsuit filed in state court.

A report by the FBI’s Internet Crime Complaint Center said the number of victims of email fraud involving real estate transactions rose 1,110 percent between 2015 to 2017 and losses rose nearly 2,200 percent.

Nearly 10,000 people reported being victims of this kind of fraud in 2017 with losses over $56 million, the FBI report said.

The Butchers, forced to move into their son’s basement instead of their dream home, eventually reached a confidential settlement in a lawsuit against their real estate agent, bank and settlement company, according to their lawyer Ian Hicks.

The problem is growing as hackers take advantage of lax security in the chain of businesses involved in real estate and a potential for a large payoff.

“In these cases, the fraudster knows all of the particulars of the transaction, things that are completely confidential, things they should not know,” said Hicks, who is involved in more than a dozen similar cases across the United States.

Email insecurity

Numerous cases have been filed in courts around the country seeking restitution from various parties. One couple in the US capital Washington claimed to have lost $1.5 million in a similar fraud scheme.

Real estate is just one segment of what the FBI calls “business email compromise” fraud which has resulted in some $12 billion in losses over the past five years. But for home buyers, the fraud can be particularly catastrophic.

“In these cases, the loss can be devastating and life-altering,” Hicks said.

Real estate transactions have become a lucrative target for hackers “because they handle a lot of money and because they have employees who are not the most technically savvy,” said Sherrod DeGrippo, director of threat research for the security firm Proofpoint.

Additionally, hackers often do their homework and “sometimes they know more about the business than the employees do,” she said.

Consumers may also be less cautious when they are feeling positive about a new home, making it easy to fall prey to scammers, DeGrippo said.

“These social engineering tactics rely on a heightened emotional state, and people can be in that state when it comes to purchase their dream home,” she added.

DeGrippo said the schemes appear to originate from overseas, possibly from Russia or Africa, using a variety of techniques to stay ahead of law enforcement.

“They employ a lot of money ‘mules,'” she said. “They move the cash from bank to bank to bank.”

Banks have been working to counter what is seen as a growing fraud problem but are often unable to prevent scams stemming from hacked emails, said Paul Benda, senior vice president for risk and cybersecurity at the American Bankers Association.

“Banks have very strong controls in place,” he said. “But when they are given wiring instructions from a customer they have a responsibility to send it where it was instructed.”

Benda said that customers need to know a wire transfer is “just like cash” and may be impossible to recover, especially if it ends up overseas.

Who’s to blame?

Lawsuits from consumers often target real estate agents, attorneys, escrow agents, banks and settlement companies that prepare documents for deals.

“There are a lot of people involved, and (fraudsters) can hack into any one of these parties,” said Finley Maxson, senior counsel at the National Association of Realtors.

“These emails have become much more sophisticated, they are much harder to catch.”

Maxson said the Realtors and other associations are moving aggressively to educate all parties involved about the potential for fraud and the need for better security.

“We’re telling people they should never give these (wiring) instructions by email,” he said.

It may be difficult to establish liability, but Hicks said that “consumers are not going to be careless with their life savings” and that the real estate professionals have a responsibility to ensure the security of their systems, and to give customers adequate information.

The lawsuit filed by Hicks for the Butchers said that “the scam that befell the Butchers was well-known in the real estate industry and easily preventable.”

Earlier this year, a Kansas court assigned 85 percent of the liability to a hacked real estate agent and awarded a homebuyer defrauded by fake wiring instructions $167,129.

Hicks said that in these cases, “there is a lot of blame to go around,” but argued that “unless companies have to pay money they won’t do what’s necessary to protect the consumer.”

Related: Nigerian Sentenced to Prison in U.S. for BEC Scams

Related: 74 Arrested in International Operation Targeting BEC Scams

Related: Two Scammers, Five Mules Arrested in BEC Bust

Written By

AFP 2023

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.