Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Phishing Targeting Real Estate Firms

Stories about real estate hacking and particularly phishing have appeared with increasing frequency in newspaper and blog headlines. Stories like the cybercriminals who stole client contact information from a DC-area real estate company, and with the information then created a “business email compromise” (BEC) scam, which resulted in $1.5 million being stolen in a phishing wire fraud scheme from a couple about to close on a home. Let’s take a closer look at real estate phishing scams and tactics below.

Real Estate Phishing Tactics

Just like most cybercrime, real estate phishing usually starts off by acquiring sensitive information. People don’t willingly give out this type of information but are often tricked into doing so. Methods for real estate phishing typically include cybercriminals directing users to click on a suspicious link. Alternatively, they could redirect them to a spoofed webpage that could easily compromise your real estate business. Here are a few specific tactics to look out for.

Whaling and Business Email Compromise (BEC)

The type of attack most commonly used on real estate companies is business email compromise (BEC) wire fraud or imposter email attacks called whaling. These types of phishing attacks can take several forms. In the simplest rendition, the hacker may be after internal corporate data. They will send an email pretending to be someone that the recipient knows, such as a trusted partner or vendor, or even someone that works at the same real estate company. The perpetrator may request user names and passwords to corporate networks, a list of employee W2s or email addresses, the names and email addresses for current clients, or even proprietary data, such as competitive market research. Often this type of information can be sold on the black market or used as a starting point for additional phishing attacks.

Spear Phishing and Social Engineering

Spear phishing and social engineering are highly targeted attacks that use psychological manipulation involving a small pool of victims. They then divulge information or take inappropriate actions. Fraudsters could apply pressure using a sense of urgency and repercussion if instructions are not followed. An example of this would be an email from a real estate agent requesting a wire transfer from the buyer. If the wire transfer is not made in time then the deal could fall apart.


While most phishing attacks come via email, vishing (voice phishing) comes in the form of phone calls. Vishing is one of the fastest-growing fraud strategies in the United States.

Fraudsters understand that most real estate deals require phone call verification before funds are wire transferred. Scammers will call the victim or leave a voicemail with specific transaction details in order to protect both parties from fraud. This instantly builds the fraudster’s credibility and reduces any suspicion that the victim may have.

Vishing scams have become more convincing due to technological advancements that allow phone numbers to be spoofed. Fraudsters can create fake phone numbers to match your local area and act as a trusted party, such as a real estate firm or attorney. As most businesses’ phone numbers are available online, the possibilities are endless.

A Complete Breakdown of a Real Estate Phishing Scam

When money is at stake, particularly the large sums often seen during real estate transactions, hackers turn to more insidious criminal tactics. If the criminal has obtained the user name and password for the real estate agent’s email (through an earlier phishing attack), they may engage in a BEC scam, whereby they send an email directly from the agent’s account to a current customer about to close on a property. Pretending to be the agent, the criminal provides closing instructions, including fraudulent wire transfer details. The customer, not suspecting anything, transmits the money to the criminal’s account.

Unfortunately, in many instances, these large sums of money, often down payments, are lost forever unless the scam is discovered quickly enough to halt the wire transfer. In a similar version, the criminal may pretend to be someone from the settlement company or the seller’s agent/representative, and send a phishing email directly to the buyer’s agent. As in the other scenario, this email includes closing instructions, including fraudulent wire transfer details, which the buyer’s agent may then pass along to the home buyers.

Common Real Estate Scams

Organizations don’t always fall victim to a phishing attack directly, often times they could become a victim indirectly because of partners or associates. Below are examples of real estate scams that may affect customers and landlords, real estate firms, and property management groups.

Fake Lender Representatives

A scammer can pose as a mortgage or lending officer and convince a real estate seller that they have a buyer for the property that they’re trying to sell. In order to receive the proceeds from the fictitious lending officer, the seller’s banking information is required. This type of scam can be done via vishing or phishing.

Lockbox Rental Scam

These types of rental scams are notorious on Craigslist. Scammers will act as the landlord and provide access to lockboxes so renters can take tours of the home without the landlord present. If renters like the property then the scammer will request a deposit. By this time, the renters think they have a new place to live in, but the actual landlord has no recollection of making this deal. It’s still unknown how scammers are able to obtain lockbox codes, but it’s likely that landlords recycle or use easy-to-guess codes for their lockboxes.

Fake Invoices

Let’s face it, technology has been a double-edged sword in modern society. Even though it makes our processes more efficient, it can also make us less diligent. Scammers have gotten better at creating documents and invoices, building websites, and crafting emails. In a busy real estate office where team members are multitasking on the phone and forwarding paperwork, it’s easy for a team to forward invoices to your accounts team without realizing its not legitimate.

Benefits of Real Estate Anti-Phishing Solutions

Cybercriminals already know that the real estate industry is the primary facilitator for high volume, high dollar figure wire transfers. That specific industry is also known for owning a vast amount of highly sensitive personal information, such as customer names, addresses, emails, social security numbers, and banking data. Couple this with the fact that real estate agents often work in highly dispersed locations, such as their car or a café, using unprotected smartphones to connect to corporate networks, and you have the makings of an almost perfect crime. That’s why advanced cybersecurity protection is so critical.

You Don’t Get Protection From Browsers, Email Clients, and Online “Freebie” Security Solutions

The story of the massive Target Corporation breach is one that most people have heard of. What is less well known is that the malicious email at the source of this highly destructive attack came from one of Target’s small business partners—an HVAC company—and it probably would’ve been blocked had the HVAC vendor been using an effective email security service, instead of a downloaded ‘freebie’ security tool (that did not include real-time updates) to protect its entire system, including access to all the passwords and portals for its various large clients.

Free downloadable security tools are designed for individual consumers and do not offer the type of protection businesses need. Since threats are evolving constantly, real-time security updates are key. Once a threat has been launched, a business only has seconds to block it. If your security tools, or email client (such as Gmail or Office 365), or browser aren’t updated constantly—in real-time—then the protection simply isn’t there.

Training Alone Isn’t the Answer

Email threats come in a variety of different shapes and sizes. Some are relatively easy to spot, others are highly curated so they appear entirely legitimate—for example, imposter emails. If a fake email arrives in your accounting department, pretending to be from your CEO with wire transfer directions, how much time do you think your accounting manager is going to take to investigate and confirm the authenticity of the email? Chances are if the email appears to come from the CEO or another high-level executive, the target employee will ‘get right on the task’ and transfer the money. In these instances, training your employees to spot fake or dangerous emails may simply be asking too much.

Since operational activities with most real estate companies today take place in the cloud, an automated, systematic approach to security is key—one in which threats are evaluated and blocked in real-time, without relying on the ‘human factor’.

Final Thoughts

With the operational and transactional components of real estate growing by leaps and bounds in an online cloud environment—and cyberattacks growing at an even faster rate—no real estate business wants to be at the center of a data breach that costs a customer their entire life savings and dreams for the future. Real estate businesses need to view cyberattacks as a critical business risk. Learn more about Cyren’s anti-phishing solution for enterprises or contact us today for more information.

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...