Any industry involving wiring transfers of large sums of money is vulnerable to this new type of hack. Purchasing a car, home or piece of art are large transactions and are not usually done in cash. In well-established industries like real estate, there are some checks and balances, but while one would think it would be very tough to pull off this scam in real estate, it is just as easy. I do not know how many billionaire art collectors follow my blog (they should!), but most of you are regular people like my family and friends.
Although many of us will never experience buying a million-dollar art piece from Italy, we can relate to purchasing a home. How can we make the world Safr? As a Safr.Me community, we need to rely less on industry security parameters and learn how to manually spot email-engineered money-wiring scams; they are not necessarily a common hack. 
When looking at the home buying process, a report by the FBI’s Internet Crime Complaint Center said email fraud involving mortgage closings and real estate transactions rose 1,110 percent in the years 2015 to 2017 and fraud dollars lost rose almost 2,200 percent. That means scammers are getting more efficient.
Nearly 10,000 people reported being victims of this kind of fraud in 2017 with losses over $56 million, the FBI report said. Real estate is only now tightening its belt and fighting back.
One Victim’s Story
In my circles, I occasionally brush up against those whose lives are just perfect—or what most of us would consider perfect. They’ve made all the right choices, and with hard work everything lined up wonderfully. Anyway, I met a great husband and wife team, and this awesome guy is a money man. He handles investments not just for companies but for countries. That means big commissions. That means he’s a juicy target.
This level of income also allows one to develop and feed a taste for fine art. I’m not a museum or art aficionado by any stretch, but this persons art collection was amazing. Their art of choice is called Hyperrealism. Google it. It’s paintings that look like photographs, and to us common folk it’s called “Frikin’ Awesome.” When I attended a party at this person’s home with a bunch of others, we got a quick tour. After seeing this household collection, it must have been painfully obvious by all of our jaws dropping and our stupid (but appreciative comments) that we were all out of our league.
Anyway, money man purchased a $200,000 piece of art via email, which apparently isn’t unusual. Long story short, hackers intercepted his email communications via the hacked gallery and he wired $200,000 to a criminal. Remember, he’s in finance; finance guys are conditioned to recognize risk. When he looks back, there were slightly odd requests in the communications, but they made sense. Keep in mind, he was functioning in the security parameters in which this industry exists.
Lucky for him, his bank flagged the transaction because the account to which the wire was being sent was brand new, and a brand new account that’s being wired $200,000 is recognized by this bank’s anomaly detection software as potential fraud.
He called the gallery, and they concurred it was fraud. His heart sank, and he jumped into panic mode as one would when $200,000 is about to vanish. He then made every possible phone call to stop this transaction and got nowhere as 99% of the world’s population who is affected by something like this would suffer the same experience.
His ace in the proverbial hole was because of his role in his company and his professional connection to the particular bank. After losing 10 pounds from nerves, he was able to make a personal phone call to some muckety mucks at the bank and get the whole thing fixed. I’d pull the same strings if I had them. You would too.
How the Hack Works
Although it’s not entirely a new concept, this is the freshest approach hackers are taking; and it targets art galleries, collectors, real estate agents and your clients. You need to put this on your radar! This is a pretty simple hack. Basically, criminals are breaking into the email accounts of the art dealers who manage high-end galleries, and then they monitor the email correspondence. Breaking in, in other words, means “logging in” because millions of email addresses and their associated passwords are in the hands of criminals due to massive data breaches.
So, when the dealer or gallery sends an invoice to the innocent art collector via email, the hacker is triggered and will step in. The bad guy will now impersonate the dealer and warn that the invoice had a mistake on it or change up the instructions. The criminal does this to justify a wire transfer, maybe offering a slight discount, and then asks the buyer to send the money to a different account. Once the hackers have the money, the third-party hacker just disappears.
The Victims of This Scam
Both buyers and sellers are victims here, and in many cases, both are left in the dark because the hacker hijacks the conversation. In other words, they take control of the emails and play both parts. In the art world for example, when the gallery emails the customer, the hacker intercepts the email pretending to be that customer. The same thing happens when the customer emails the gallery. This gives the hacker plenty of time to cover their tracks and get away, and in the meantime, money and time is lost for all parties involved. There have even been some galleries that have had to close altogether due to the financial impact of account wiring and money transferring scams.
Why Art Galleries?
Good question. Interestingly enough, the reality is that hackers are only targeting the art industry because it’s really easy to do so. A wire fraud happening in the finance industry used to be a “thing,” but there are so many security protocols in place within finance making it difficult to pull off a transfer scam within the financial space.
Tips to Keep Email Fraud at Bay
These tips are for buyers, brokers, real estate agents and art galleries.
- All email account passwords should include uppercase, lowercase, numbers and characters. Never use the same password twice—NEVER.
- All email should have two-step authentication. This means after logging in, a one-time password is texted to the user’s mobile for account access.
- Make sure to change all passwords for online accounts, including Wi-Fi, regularly and especially after a data breach.
- Escrow services are your friend. There’s a ton of them. The gallery or broker will, or should, have a relationship with a trusted source.
- Pick up the phone, and confirm every aspect of a transaction until you are blue in the face and annoying everyone involved to the point you are satisfied that the money is safe.
- Update all of your anti-virus software.
- When you send an invoice via email, call or text a trusted number of the recipient to double check that they got it and that they have the correct account number.
- Urge all of your staff to remain vigilant when opening emails, and make sure that they do not click on any links or download attachments unless the correspondence has been verified by phone. If you have doubt, contact the sender by phone.
There is so much more to this, and, while I can’t solve all the world’s problems, I can at least make you cyber-security smarter and digitally literate. Take a look at our eLearning Courses and our S.A.F.E. Certification.
Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.
“A CSI Protection Certified Agent can help you decrease susceptibility to crime and ensure you are working with a trained, concerned professional. If your real estate professional holds the CSI Protection designation, you can trust that they will provide the skills necessary for a safe and secure transaction.”
How Did I Get Here?
