According to the NY Daily News, State Supreme Court Justice Lori Sattler was in the process of selling her apartment and buying another, when she received an email that seemed like it was coming from her lawyer.
The “lawyer” instructed her to send the money – a little over $1 million – to an account with the Commerce Bank of China, and she did.
It is not known if the scammers managed to compromise Sattler's account, the lawyer’s email account or if they created a spoofed one, but it's highly likely that one of the two people involved was pwned – how else would the bad guys know how to send such a timely and convincing spear-phishing email?
Emails From Fake Realtors Are Skyrocketing
Our customers send us "phishy" emails through our free phish alert button; we get thousands per day. These real-estate-themed phishing attacks usually come from addresses spoofed to look like Keller Williams, RE/MAX and so on.
You have to remember that most realtors use their personal email accounts to conduct business. Their email signature will have their company email address listed, but they are always sending and receiving from either their ISP-provided email account or from Hotmail, Yahoo, or Gmail. This is not very secure, but it is very convenient when you are on the road most of your day.
Here is a recent scenario. A fake email comes in with a PDF file that pertains to a current real estate transaction, and you know the realtor's email account is hacked. It even went so far that a realtor had their account hacked and, after every closing in that office, the closer would receive an email with different wiring instructions. The bad guy had gotten into the realtor's email account and knew when every one of their closings was taking place.
I suggest you send employees, friends and family an email about this Scam Of The Week. Feel free to copy/paste/edit:
"There is an epidemic of real-estate-related phishing scams going on. Bad guys silently take over the email address of a home buyer or their realtor / lawyer, and right at the moment that a large amount of money needs to get wired for closing, they send a fake email with a different bank account that the bad guys control.
Always, always, always pick up the phone before you make a large transfer and get confirmation about the correct bank account that the wire goes to. This is true for the house, but also the office."
Obviously, an end-user who was trained to spot social engineering red flags like this would think twice before they wire money to an unknown account.
Let's stay safe out there,
Founder and CEO, KnowBe4, Inc.