Connect with us

Hi, what are you looking for?



Mortgage Phishing Scams Target Big Payouts

Over the last few years, business email compromise (BEC) scams have rocketed — costing victims $1.45 billion in 2016 alone (FBI report). Now a new related threat has emerged — the mortgage phishing scam — that seems likely to follow a similar trajectory.

Over the last few years, business email compromise (BEC) scams have rocketed — costing victims $1.45 billion in 2016 alone (FBI report). Now a new related threat has emerged — the mortgage phishing scam — that seems likely to follow a similar trajectory.

It is early days and the scam — like BEC in its early days — goes by various names: mortgage phish, mortgage escrow scam, real estate wire transfer scam, and mortgage wiring scam. But it is growing. In June 2017, during National Homeownership Month, the FTC issued a warning: “the FTC and the National Association of Realtors want to remind you that scammers sometimes use emails to rob home buyers of their closing costs and personal information.”

Like BEC, the scam seeks to trick its victims into wiring funds to a criminally operated account. The difference here is that it people rather than businesses that are conned — and they can end up losing their life savings and/or their home. 

The FTC warning explains the basic scam: “Hackers break into the email accounts of buyers or real estate professionals to get information about upcoming real estate transactions. The hacker then sends an email to the buyer, posing as the real estate professional or title company. The bogus email says there has been a last-minute change to the wiring instructions, and tells the buyer to wire closing costs to a different account. But it’s the scammer’s account. If the buyer takes the bait, their bank account could be cleared out in a matter of minutes.”

Mortgage Phishing Attacks

Barracuda Networks has described a real-life example that, in this instance, failed. “On the day that the buyers were set to wire funds, they received an email from their mortgage company stating that they switched banks, and to follow the updated wiring instructions in the email attachment.”

Home buyers are particularly vulnerable at this point. They may have spent many stressful months in arranging the purchase, and there is now one relatively simple task before they can collect the keys to their new home. In this instance, the scam failed. It raised a red flag for the buyer who looked more closely at the email — and noticed that the actual sender’s email address didn’t quite match the one listed in the real mortgage agent’s email signature.

The text of the email read, “We changed banks, please see the attached for the updated wiring instructions. Let me know you receive this message and when wire is sent.”

Advertisement. Scroll to continue reading.

The attachment gives the attacker an extra shot at the target. If he opens the attachment but decides against making the wire, he could still find himself infected with a banking trojan or, potentially, ransomware. In this instance, however, the target did the right thing: he “immediately called his mortgage agent to confirm that the message was in fact a scam. What he found even more alarming with his situation,” adds Barracuda, “was the reaction that he received from the mortgage company. They mentioned that it’s a wide-spread problem, but they didn’t seem interested in looking into the issue any further.”

House prices have consistently grown since the 2006 crash, and now stand at similar or above their previous high. This makes it a lucrative market for scammers. “Scams like these have been around for a few years,” reported HousingWire in June this year.” Last year, the Contra Costa Association of Realtors warned Bay Area homebuyers that they could be targets of similar schemes, one of which cost a local buyer nearly $1 million.”

The mortgage phish is just another social engineering spear-phish; but the stakes are high and the targets are vulnerable. The Contra Costa Association warns, “Because buyers often put their complete faith in the real estate professionals who guide them through transactions, they very rarely challenge any advice and direction provided. Moreover, they are so comfortable making daily online transactions, they rarely, if ever question the authenticity of email or text messages.” It adds, “there is no means to retrieve the funds once wired.”

Last month Barracuda launched Sentinel, described as “an artificial intelligence (AI) powered spear-phishing and business email compromise (BEC) real-time detection and prevention solution.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...