Skip to main content

Oregon State Flag An official website of the State of Oregon »

Oregon.gov Homepage

Think Before You Click: Real Estate Wire Transfer Fraud Crimes are on the Rise

March 2022

Views from the Board

Patricia Ihnat, Chair, Oregon Real Estate Board

Editor's Note: This article was originally published in the December 2018 issue of the Oregon Real Estate News-Journal. Patricia Ihnat has graciously allowed us to reprint it, as the topic is still relevant today.

An Oregon couple purchasing their dream home in 2018 fell prey to scammers in an increasingly common wire-transfer scheme targeting real estate transactions. The hacker in this case gained access to an email conversation among the buyers, their real estate broker, and the title/escrow company handling the transaction. Posing as the broker, the hacker emailed authentic-seeming instructions to the buyers, who dutifully wired $379,000 to the bad guys' account. With that, the buyers' money was gone.

Real-estate imposter fraud is on the rise. According to the FBI, nearly $1 billion was diverted or attempted to be diverted from real estate purchase transactions in 2017. From 2015 to 2017, reported fraud victims from real estate transactions increased by more than 1100 percent, and reported monetary losses increased by almost 2200 percent.

Unfortunately, attempts at these crimes are not slowing. Reports of attempts at wire-transfer crimes in which buyers and sellers are the targets of spoofed emails containing fraudulent wire instructions are on the rise. More attempts result in more success by the fraudsters and more losses often involving a victim's life savings.

At risk are real estate brokers, loan officers, mortgage brokers, transaction coordinators, buyers and sellers, escrow officers, and attorneys involved in real estate transactions. In short, anybody who participates in a real estate transaction can be a target.

In our experience, a scheme typically starts when a fraudster uses malware or successfully “phishes' for a means of getting into victims' computer or email systems, or when a fraudster gains access through the victim's use of an unsecure Wi-Fi network. Once access is obtained, the bad guys send spoofed emails that include virus-bearing internet links or attachments, and that seem legitimate to the recipient. Or, the bad guys intercept and send emails directly from within the phish victim's compromised email account. If a target takes the bait and clicks on a link, opens an attachment, or hits reply to an email, the scammer gains entry often without the target's knowledge.

The fraudster then monitors emails and devises a scheme for intervening in the transaction by spoofing the email account of a person related to the transaction, as in the example with the Oregon couple. Fraudsters are patient — they monitor a target's email account, review emails in sent and trash folders, check social media posts, find patterns, and wait for the opportunity to complete the crime. Spoofed emails containing fraudulent wire instructions often look legitimate – with business logos, correct names, contact details, and loan numbers. Spoofed emails often contain content that is conversational and sounds like the purported sender. Even a phone number might be provided to confirm the wire-instruction change, though that phone number routes the target victim to the scammer and is part of the fraud.

Common indicators you may be a target of this kind of cybercrime include:

    • Emails requesting changes to wiring information, such as a change in the beneficiary or the receiving bank.
    • Emails with attachments purporting to be “secure" or “encrypted."
    • Emails purporting to be confidential.
    • Emails with instructions requiring the recipient to act quickly.
    • Emails indicating sudden changes in the business practices of a person involved in the transaction, including refusal to speak via telephone, a direction to use a new telephone number, or a direction to use a new email address.
    • Emails that contain markedly different grammar, sentence structure or spelling compared to previous emails from a person involved in the transaction.

Education, awareness, and understanding of how these schemes operate is the best defense against giving a fraudster the opportunity for your client to become a victim, or becoming a victim yourself. Let your clients know they will receive wire instructions only from the title/escrow company, and not from you or any other party. Let your clients know they will not receive wire instructions from the title/escrow company through regular email. Don't use regular email to forward attachments you originally received through the title/escrow company's encrypted secure email system. Caution your clients to avoid using regular email to forward attachments they originally received through a secure email system. Take steps to limit the opportunity for fraudsters to intervene in your transactions.

Educate your clients about wire fraud risks. Early in a transaction and outside of the email environment you can protect yourself and your clients by establishing trusted telephone numbers or passphrases to verify transaction details. Remind your clients that wiring instructions never will be sent to them from you. Inform your clients to use the pre-established trusted phone number and/or passphrase and verbally verify any instructions purporting to be sent by you. Remind your clients to use a trusted and verified phone number to confirm any instructions that appear to be sent by the title/escrow company.

Be proactive by working with information technology and cybersecurity professionals to ensure that email accounts, online systems, and business practices are as secure and current as possible.

And always remember these basic rules:

    • Use two-factor authentication for email accounts.
    • Select complex passwords that employ a combination of mixed case, numbers and symbols.
    • Never send sensitive or confidential information via standard email.
    • Avoid connecting to free Wi-Fi, and change your settings to avoid automatic connections to available Wi-Fi.
    • Immediately delete unsolicited email from unknown parties.
    • Never open suspicious emails, click on links in the email, or open attachments. If you do, report immediately to your cybersecurity professionals, and contact your clients outside of the email environment.
    • Regularly purge your email so fraudsters cannot review old emails to gather information.

If you suspect an email is spoofed, one way to test it is to hover your cursor over the “From" or “Sender" line in the email heading. A window showing the sender's email address will pop up, which you should check carefully. Often fraudsters create email addresses that differ from participants' legitimate email addresses by just one letter or number, or by inserting a period/dot or an underscore.

Be careful of what is posted on your social media sites and websites, especially job duties and descriptions, and out-of-office details. These are the types of details that could be a roadmap for fraudsters as they devise strategy for targeting victims and transactions.

Always remind your clients: Inquire before you wire!

As for the Oregon couple tricked into sending $379,000 to scammers, The Oregonian reported they eventually recovered most of their money because the bank where the fraudsters established an account was notified quickly and froze the account.

 Many victims aren't so lucky.

Views from the Board" features the opinions of Real Estate Board members. The views expressed are not necessarily those of the Oregon Real Estate News- Journal, the Oregon Real Estate Agency or Agency staff.