Scammers are tricking people out of enormous payments as they're about to close on a house

Key Points
  • A new variant of wire fraud schemes is increasingly targeting homebuyers.
  • Buyers are tricked into wiring their downpayment on the day of closing to a fraudulent offshore account, often by criminals who have spoofed or co-opted their real estate professional's email account.
  • Losses from these scams are typically not covered or reimbursed by the bank. Since the wires go overseas, it's nearly impossible for victims to recover their money.
  • Victims have lost six-figure sums and had to cancel transactions on their dream homes due to this fraud.
A prospective home buyer walks past real estate signs outside of a property during an open house in Phoenix, Arizona.
Joshua Lott | Bloomberg | Getty Images

It's a nightmare scenario for any homebuyer: the day before closing, a scammer manages to trick you into wiring your down payment to an offshore account. You lose your hard-earned money and you lose the house, and there's no way you can get either one back.

That's how some criminals have adapted the common "business email compromise" scam – so-named because it used to almost exclusively target businesses – to focus on individuals, especially people who are involved in a pending real estate transaction.

CNBC spoke with two victims of this type of crime who wished to remain anonymous. They were devastated to lose six-figure sums, their dream homes and in one case, the bulk of the individual's life savings.

And it's a crime that is growing, according to Ryan Kalember, senior vice president of cybersecurity strategy for email security company Proofpoint, which tracks cybercrimes perpetrated over email. Kalember has observed attempts at this type of crime have risen to a level 14 times higher than last year. The Federal Bureau of Investigation has also warned several times this year that email compromise schemes are spiking, which includes this type of real estate fraud.

How criminals fool homebuyers

Here's how it often works: a person involved in a real estate transaction, such as a real estate attorney or realtor, has his or her email account compromised by malicious software, known as malware, sent by a criminal over email. Unbeknownst to the professional, the fraudster can now monitor the realtor's emails to look for upcoming transactions.

Next, just as a closing date is coming near, the fraudster uses the compromised email account to send a legitimate-looking message to the buyer – which, coming directly from the realtor or attorney's account, appears real. The note tells the buyer that there's been a change of plans, and he or she needs to wire the down payment just before the closing date, supposedly to a bank account belonging to the seller.

But the account actually belongs to the criminal, and is typically overseas, out of the reach of U.S. law enforcement, Kalember said.

In some cases, Kalember said, criminals even follow up with phone calls to the victim buyers, purporting to be from a representative for the title company or seller's law office, and reassuring them the wire transfer request is real.

"The technical skill level is near zero for this crime, but the operational sophistication is very high," Kalember said. "That means that the phishing kits and other technical tools are freely available on the internet, but they are investing more time and effort into taking steps to trick the consumer."

The reason is clear. The immediate payout for the criminal is lucrative, often far more than other types of scams against individuals.

Gone forever

"It's important to remember that in these cases, they lose the funds permanently," said Kalember.

That's what makes the consequences for this type of scam much higher for consumers than most other cyberattacks. Consumers rarely see significant financial fallout from having their data, even financial information, stolen and used by criminals, because banks typically reimburse customers for fraud that occurs on their account due to stolen or compromised checking, savings or credit card numbers.

But banks are rarely are responsible for a wire authorized by the customer, even if the customer was tricked into sending it. And if the funds are overseas, there's little U.S. law enforcement can do to recover it.

What you can do

According to the FBI, email compromise crimes, including similar attacks on businesses, have been "spiking" in the past year. Between December 2016 and May 2018, businesses and consumers reported a 136% increase in losses related to these crimes. The fraudulent transfers have been sent globally, to 115 countries, the FBI said. Since 2013, losses to these types of crimes have topped $12 billion.

There are steps homebuyers should take to make sure they are protecting themselves from falling victim to fraudsters, according to Kalember and the FBI.

  • Be vigilant: Homebuyers should first just be aware that they may be a targeted by scammers in this manner, and should act accordingly to verify any suspicious correspondence associated with their home purchase or sale.
  • Voice verify: It might seem cumbersome in an already long homebuying process, but following up emails with a voice verification is a must, Kalember said. That's especially true if the email involves e-signing a document, logging into a new website, transacting money or supplying any kind of financial information
  • Talk to your bank: While not all banks may follow the guidelines you suggest, most will honor your request to not allow any wire transfers without a voice verification or other checkpoint from you. This is especially true for business accounts, but even individuals going through a real estate transaction can request a note be added to their primary accounts to put additional steps in place before allowing wire transactions to go through.
  • Don't react immediately to email: Emails asking you to take some type of action, purporting to be from the title company, attorneys, realtors, bank lawyers or others involved in a transaction may not be authentic. Regard any of them with suspicion, and you should follow up on known phone numbers for the individuals making the request to confirm.
'WannaCry' attack: More to come?
'WannaCry' attack: More to come?