Multiple real estate wire fraud stories have made national news in recent years. As these types of incidents continue to make headlines and criminals gain a better understanding of the processes and trusted institutions within the real estate sector, it’s more important than ever for real estate professionals and businesses of all sizes to understand cybersecurity threats.

Why is the real estate industry a target for criminals? 

Real estate is the third most common sector targeted by criminals, just above financial services. This is due to a few reasons that make real estate transactions especially enticing:

  1. Real estate transactions typically involve large sums of money. This allows a criminal to cash in on a one-time event instead of multiple smaller transactions. 
  2. Throughout a real estate transaction, highly-sensitive information is exchanged. This enables attackers to access bank accounts, social security numbers, and other information that they can use to access funds—even those unrelated to the real estate purchase.
  3. Multiple parties are involved in real estate transactions. In a typical real estate transaction, up to 12 parties exchange information. Each party typically uses its own software to communicate and update information. Each party also uses different communication methods to relay information. These disconnected systems are an easy target for cybercriminals to intercept. 

Criminals use a number of tactics to carry out their crimes, including spoofing, phishing, and business email compromise. 

What is spoofing?

Spoofing describes a criminal who impersonates an individual or trusted organization to accomplish a malicious goal. Spoofers hide their identity using a number of technical measures. Below are some common spoofing techniques: 

  • Email spoofing: A criminal copies an email header (the “from” field of an email) to pose as a known and trusted email contact. In many cases, the attacker does not need to gain access to the spoofed company’s network to forge the email domain.
  • IP spoofing: A criminal copies an IP address so that systems believe the source is trustworthy. 
  • URL spoofing: Criminals replicate a website to create a look-alike website to collect sensitive information. Most people receive links to these look-alike websites via emails from scammers posing as trustworthy or known contacts.
  • Domain Name System (DNS) spoofing: The DNS associates domain names with the correct IP address. In this type of attack, a criminal reroutes a DNS translation, so it directs to a different server. 

What is a phishing attack?

Phishing is a social engineering technique cybercriminals use to steal sensitive data such as credit card numbers and login credentials. The attacker poses as a trusted individual to fool a target into taking harmful action. The goal is to bring the recipient’s guard down by tricking them into believing that the message or request is something they need or were expecting and comes from a legitimate contact. 

Many phishing messages are relatively crude and emailed to thousands of potential victims, but some are specifically crafted for high-value individuals to try to get them to part with useful information. Phishing messages often involve a few key characteristics, such as lookalike sender names, embedded links, unexpected attachments, and an appeal to authority or sense of urgency (such as a request from a CEO).

For example, a phishing attack may appear to be a request from a transaction partner or an email from someone internally. The attacker mimics email templates and signatures to make the message appear familiar so the recipient’s guard is down. A phishing email typically includes a link to a malicious website or attachment (malware), which grants an attacker access to devices, systems, and company networks. Once infected with malware, an attacker can take screenshots, delete files, and steal passwords. 

What is Business Email Compromise (BEC)?

Spoofing and phishing are precursors to what the FBI calls business email compromise (BEC). The FBI describes BEC as “a scam targeting businesses regularly performing wire transfer payments.” The criminal uses spoofing and phishing to trick an individual into wiring funds into a fraudulent account. According to the FBI’s 2020 Internet Crime Report, BEC cost businesses $1.8 billion in 2020.  

Increasingly, real estate transactions are a target for BEC scams due to the large sums of money wired during the closing process. According to the FBI’s 2020 Internet Crime Report, there were 13,638 real estate fraud victims in 2020, with over $213 million in losses. This data compared to 11,667 victims and $221 million in losses in 2019. 

Tips for avoiding cyberattacks

  1. Use a password manager to avoid password reuse. Most individuals have accounts across many different websites and services. It would be nearly impossible to remember a unique password for every single one, leading to password reuse. Password reuse can allow an attacker to access a user’s accounts across many different websites, even if only one of those was truly breached. Password managers can automatically generate strong, unique passwords across multiple websites.
  2. Employ multi-factor authentication (MFA). Adding another authentication factor—such as an SMS text message or app push notification—can prevent attackers from gaining access to accounts. This security technique is also called Two-Factor Authentication (2FA). 
  3. Be vigilant when working in a public place. When working in a public place, such as a café, airplane, or public transit, attackers may read the contents of screens, overhear conversations, or access unattended devices. This attack is known as shoulder surfing. Professionals can defend against shoulder surfing by being aware of their surroundings, locking unattended devices, and considering using a privacy screen.

What do attacks look like? Real examples from US companies 

While BEC scams, phishing, and spoofing appear to be fairly elementary, there are many major corporations that have fallen victim to these socially-engineered scams. These incidents demonstrate why it’s important for businesses of any type to set hyper-vigilant standards among their employees for link clicking and communications.  

Google and Facebook

Between 2013 and 2015, Facebook and Google together lost more than $100 million due to a fake invoice scam. Criminals from Lithuania sent emails with fraudulent invoices to Facebook and Google employees. 


In 2015, criminals stole more than $3 million from toy manufacturing company Mattel. The criminals mimicked Mattel CEO’s email account to send a seemingly-routine request for a new vendor payment to a finance executive. The finance executive completed the request, wiring funds to what turned out to be a fraudulent account in China.

Upsher-Smith Laboratories

In 2014, a US drug company, Upsher-Smith Laboratories, lost more than $50 million due to phishing attacks. The attackers impersonated the company’s CEO to send emails to the accounts payable coordinator instructing them to make multiple fraudulent wire transfers. 

These attacks prove that phishing, spoofing, and BEC incidents can impact even the most technologically advanced organizations. The scams are designed to prey on routine processes and requests that appear legitimate to catch people off guard. This is why businesses need to instill daily security practices and employ baseline security measures to counteract these attacks. To learn more about security measures your business can deploy immediately, click here.