In the past few months, multiple real estate wire fraud stories have made national news. As these types of incidents continue to make headlines and criminals gain a better understanding of the processes and trusted institutions within the real estate sector, it’s more important than ever for real estate professionals and businesses of all sizes to understand cyber security threats.

Why is the real estate industry a target for criminals? 

Real estate is the third most common sector to be targeted by criminals, just above financial services. This is due to a few reasons that make real estate transactions especially enticing:

  1. Real estate transactions typically involve large sums of money. This allows a criminal to cash in on a one-time event instead of multiple smaller transactions.
  2. Throughout a real estate transaction, highly sensitive information is exchanged. This enables attackers to access bank accounts, social security numbers, and other information that they can use to access funds—even those unrelated to the real estate purchase.
  3. Multiple parties are involved in real estate transactions. In a typical real estate transaction, up to 12 parties exchange information. Each party typically uses its own software to communicate and update information. Each party also uses different communication methods to relay information. Communications passing between these disconnected systems are easy for cyber criminals to intercept.

Criminals use a number of tactics to carry out their crimes including spoofing, phishing, and business email compromise. 

What is spoofing?

Spoofing is when a criminal impersonates an individual or trusted organization to carry out a malicious goal. Spoofers hide their identity using a number of technical measures. Below are some common spoofing techniques:

  • Email spoofing: A criminal forges an email header (the “From” field of an email) to pose as a known and trusted email contact. In many cases the attacker does not even need to gain access to the spoofed company’s network to forge the email domain.
  • IP spoofing: A criminal copies an IP address so that systems believe the source is trustworthy. 
  • URL spoofing: A real website is replicated so that it looks identical to the original. Most people receive links to these look-alike websites via emails from scammers posing as trustworthy or known contacts.
  • Domain Name System (DNS) spoofing: The DNS associates domain names with the correct IP address. In this type of attack, a criminal reroutes a DNS translation so it directs to a different server. 
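On the receiving side, a forged “From” field and a look-alike domain both leave traces in the message headers. The following check is an added example, not part of the original article; the sample message, the domain names and the `check_sender` function are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every name, address and domain here is made up.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass; dmarc=fail header.from=acme-title.example
From: "Acme Title Closing Dept" <closing@acme-title.example>
Reply-To: closing@acme-tit1e.example
Subject: Updated wire instructions

Please use the new account details below.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw, trusted_domains):
    """Return warning codes for one raw message; an empty list means no flags."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    # Replies would go to a different domain than the one shown as the sender.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # A domain within two edits of a trusted one, but not equal to it.
    for dom in sorted({from_dom, reply_dom} - {""} - set(trusted_domains)):
        if any(edit_distance(dom, t) <= 2 for t in trusted_domains):
            findings.append("lookalike-domain:" + dom)
    # The receiving server's DMARC verdict on the From domain, if recorded.
    verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if verdict and verdict.group(1).lower() != "pass":
        findings.append("dmarc-" + verdict.group(1).lower())
    return findings

if __name__ == "__main__":
    print(check_sender(SAMPLE, ["acme-title.example"]))
```

Only an `Authentication-Results` header added by your own mail server should be trusted, since a sender can insert a fake one; a gateway normally strips any copies that arrive from outside.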

What is a phishing attack?

Phishing is an attack in which a criminal poses as a legitimate institution (i.e., using one of the spoofing tactics above) to lure a target into providing sensitive information. The goal is to lower the recipient’s guard by tricking them into believing that the message or request is something they need or were expecting and comes from a legitimate contact.

For example, a phishing attack may appear to be a request from a transaction partner or an email from someone internally. The attacker mimics email templates and signatures to make the message appear familiar so that the recipient’s guard is down. The phishing email typically includes a link to a malicious website or an attachment (malware), which then grants an attacker access to devices, systems, and company networks. Once a device is infected with malware, an attacker can take screenshots, delete files, and steal passwords.

What is Business Email Compromise (BEC)?

Spoofing and phishing are precursors to what the FBI calls business email compromise (BEC). The FBI describes BEC as “a scam targeting businesses regularly performing wire transfer payments.” The criminal uses spoofing and phishing to trick an individual into wiring funds into a fraudulent account. According to the FBI’s 2019 Internet Crime Report, BEC cost businesses $1.7 billion in 2019.  

Increasingly, real estate transactions are a target for BEC scams due to the large sums of money wired during the closing process. According to the FBI’s 2019 Internet Crime Report, there were 11,677 wire fraud victims in 2019 with $221 million in losses. This compares to 11,300 victims and $150 million in losses in 2018.

What do attacks look like? Real examples from US companies 

While BEC scams, phishing, and spoofing appear to be fairly elementary, a number of major corporations have fallen victim to these socially engineered scams. These incidents demonstrate why it’s important for businesses of any type to set hyper-vigilant standards among their employees for link clicking and communications.

Google and Facebook

Between 2013 and 2015, Facebook and Google together lost more than $100 million due to a fake invoice scam. Criminals from Lithuania sent emails with fraudulent invoices to Facebook and Google employees. 


Mattel

In 2015, criminals stole more than $3 million from the toy manufacturing company Mattel. The criminals mimicked the Mattel CEO’s email account to send a seemingly routine request for a new vendor payment to a finance executive. The finance executive completed the request, wiring funds to what turned out to be a fraudulent account in China.

Upsher-Smith Laboratories

In 2014, a US drug company, Upsher-Smith Laboratories, lost more than $50 million due to phishing attacks. The attackers impersonated the company’s CEO to send emails to the accounts payable coordinator instructing them to make multiple fraudulent wire transfers.

These attacks prove that phishing, spoofing, and BEC incidents can impact even the most technologically advanced organizations. The scams are designed to prey on routine processes and requests that appear legitimate to catch people off guard. This is why it’s especially important for businesses to instill daily security practices and employ baseline security measures to counteract these attacks.