Spear Phishing, Wires, and Fraud. Oh My!

Thursday, February 18, 2016 by Azi Mindick


The Half Million Dollar Mistake

In a recent story reported in The News Leader, an attorney gave the proceeds of a sale, a check for almost $600,000, to her client. Several hours later, the attorney received an email from someone claiming to be the client, asking her to wire the money to a corporate account. In her response, she explained that she would need to stop payment on the check she had given to the client earlier, and requested the information she would need to wire the money. The attorney subsequently stopped payment on the check and transferred the funds by wire to the account provided in the email.

A few days later, the real estate client informed his attorney that he had not yet received the proceeds from the transaction. When the attorney told the client that she had wired the funds to an account he had requested, the client told her he had never asked for the check to be stopped or that funds be wired to another account. The email requesting the wire had been a fraud and the client was out $600,000!

The Check Is In The (e)Mail

This story is an example of one of the various techniques used by cyber criminals to impersonate a party in a transaction in order to facilitate fraud. The tactic used in this case is common, is known as spear phishing, and is dangerously simple.

A hacker gains access to an email account and monitors the emails, watching and waiting to get a feel for the type of communication that happens leading up to a disbursement of funds or a new order.

Once the scammer learns what type of email will generate a disbursement, for example a request by the seller to receive their funds from escrow, the hacker will step into the transaction and try to get funds sent to his own account.

We had one blatant encounter with spear phishing when we placed an order with one of our New York City vendors. A few minutes later, we received an email from the vendor stating that their credit card machine was broken and we would need to send them a wire. This was highly unusual and immediately raised a red flag. We asked for wiring instructions and were sent instructions to wire funds to a personal account of a woman in Georgia.

This raised another red flag, as our vendor was a local retail shop based in New York. At this point, we picked up the phone and contacted our vendor directly to tell them they had been hacked. They were very grateful and confirmed that hackers had been intercepting and sending emails from their accounts.

Sneakier and Sneakier

Most cases, however, are much more insidious and harder to detect. The scammer will typically have learned the details of the deal from scanning the victim’s emails, and may have even created similar-sounding LLCs or fraudulent bank accounts to further complicate the matter.

In one case, an urgent email that appeared to come from a Riverside closer reached our office, claiming that we needed to review important documents for a closing that was taking place that day. The email contained what looked like a link to Google Drive, but when clicked would have directed us to malware that could have given us spam, a virus or worse.

The sophistication of this attack was mind-boggling; the attackers knew that this particular closer actually had a closing scheduled for that day. Riverside's vigilant staff were suspicious because closers typically do not reach out to our office until they are actually at a closing, and this email was received several hours before the closing started. In addition, none of the other parties (such as the buyer's and seller's attorneys) that would normally be the recipients of such an email were included. We reached out to our closer, who verified that the email was not from him, and we encouraged him to change his passwords.

In addition, scammers who cannot get into email accounts will set up fake accounts and mask the email address so it appears to be from a legitimate source. Riverside has software set up that filters all incoming email and adds the following warning to each external email:

**** This is an EXTERNAL email. Exercise caution. DO NOT open attachments or click links from unknown senders or unexpected email. ****

If a Riverside team member sees this warning show up on an email sent from one of their co-workers, they have an instant red flag that the email is not an actual Riverside email.
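The sketch below is an added example, not Riverside's filtering software: it prepends the warning quoted above to mail that arrived from outside and flags outside mail that presents itself as a co-worker's. The internal domain, the staff directory and the `arrived_externally` flag (which a real mail gateway would derive from how the message was delivered) are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

BANNER = ("**** This is an EXTERNAL email. Exercise caution. DO NOT open "
          "attachments or click links from unknown senders or unexpected email. ****")
INTERNAL_DOMAIN = "riverside.example"        # assumption: placeholder internal domain
STAFF_NAMES = {"dana closer", "sam escrow"}  # assumption: constructed staff directory

# Constructed sample: a staff member's display name on an outside address.
SPOOFED = (
    'From: "Dana Closer" <dana.closer@mailhost.example>\n'
    "To: office@riverside.example\n"
    "Subject: URGENT: documents for today's closing\n"
    "\n"
    "Please review the documents at the link below.\n"
)


def tag_inbound(raw, arrived_externally):
    """Return (message, warnings) for one inbound message.

    External plain-text mail gets the banner prepended to its body. External
    mail that claims an internal sender is also reported in `warnings`.
    """
    msg = message_from_string(raw)
    warnings = []
    if not arrived_externally:
        return msg, warnings          # internal mail is delivered unchanged
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain == INTERNAL_DOMAIN:
        # From header uses our own domain, yet the mail came from outside.
        warnings.append("external mail with internal From domain")
    elif display.strip().lower() in STAFF_NAMES:
        # Masked address: a co-worker's name in front of an outside mailbox.
        warnings.append("staff display name on outside address")
    if not msg.is_multipart():
        # Only unencoded single-part text is handled in this sketch.
        msg.set_payload(BANNER + "\n\n" + msg.get_payload())
    return msg, warnings


if __name__ == "__main__":
    tagged, found = tag_inbound(SPOOFED, arrived_externally=True)
    print(found)
    print(tagged.get_payload())
```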

Constant Vigilance

Riverside recently had another instance where one of our escrow officers received an email from the seller's attorney indicating that they had originally given us the wrong wiring instructions. Riverside called both the seller and the seller’s attorney as well as the managing partner of the firm to confirm that the new wiring instructions were legitimate. Once it was confirmed, Riverside had the seller's attorney email all the parties in the transaction about the change, for an added level of comfort.

The potential for cyber and socially engineered attacks grows larger every day. It is imperative to know how to deal with cases of potential fraud. At Riverside, we have strong policies in place to protect our clients and prevent these types of fraud. Here are some of our important rules:

1. Never accept wiring information from anyone off the main group chain of emails. Hackers will seek to cut out other players in the transaction to avoid raising anyone’s suspicions, so emails outside of the normal chain are a clear red flag.

2. If instructions change from those previously sent, have the individual email the group and call to confirm. Hackers will need to send the money to a new account, so be very suspicious of changes in wire or payment information.

3. Always be on the lookout for suspicious requests for documents and/or information, and be wary when accepting information. Hackers will sometimes send malware or infected docs pertaining to the transaction labeled “urgent” or “please read” etc. Once clicked, these bad links can infect computers with a virus or run computer scripts to help the scammers perpetrate future scams. If something doesn't smell right, contact the person in question by phone.
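Rules 1 and 2 can be turned into an automatic pre-check on wire-related mail. The following is an added example, not a Riverside tool; the addresses, account numbers and keyword patterns are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

WIRE_RE = re.compile(r"\b(?:wire|wiring|routing number|account number)\b", re.I)
ACCOUNT_RE = re.compile(r"account number\s*:?\s*(\d{6,17})", re.I)

# Constructed sample data: the parties on the deal's main email chain.
GROUP_CHAIN = {"seller@seller.example", "seller.atty@lawfirm.example",
               "buyer.atty@buyerlaw.example", "escrow@riverside.example"}
KNOWN_ACCOUNT = "000123456789"   # constructed: account from the first instructions
CHANGE_REQUEST = (
    "From: seller.atty@lawfirm.example\n"
    "To: escrow@riverside.example\n"
    "Subject: Corrected wiring instructions\n"
    "\n"
    "We gave you the wrong wiring instructions. Account number: 000987654321\n"
)


def participants(msg):
    """Every address on the message (From, To, Cc), lower-cased."""
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def review_wire_email(raw, group_chain, known_account=None):
    """Return the reasons a wire-related message must be confirmed by phone."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()  # plain text only
    if not WIRE_RE.search(body):
        return []                      # not about wiring: nothing to check
    reasons = []
    missing = group_chain - participants(msg)
    if missing:                        # rule 1: parties were cut out of the chain
        reasons.append("off the group chain, missing: " + ", ".join(sorted(missing)))
    found = ACCOUNT_RE.search(body)
    if found and known_account and found.group(1) != known_account:
        reasons.append("wire instructions changed: call to confirm")  # rule 2
    return reasons


if __name__ == "__main__":
    for reason in review_wire_email(CHANGE_REQUEST, GROUP_CHAIN, KNOWN_ACCOUNT):
        print(reason)
```

An empty result only means neither rule tripped; a changed instruction that does reach the whole group still calls for the phone confirmation in rule 2.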

