In a recent case of cybercrime, a business email compromise scam tricked a law firm into transferring funds to fraudsters.
Social engineering scamming is a multi-billion-dollar industry, with funds transfer fraud responsible for the loss of over $12.5 billion worldwide between October 2013 and May 2018.[1]
Real estate has been identified as a growing target for funds transfer fraud, with an increase in cybercrime of 1100 per cent between 2015 and 2017.[2]
What is social engineering?
Social engineering is deceiving or manipulating people into carrying out a particular act, for example transferring money, sharing confidential information or following a malicious link.[3]
In a recent case study by CFC, a global leader in insurance and pioneer in cyber insurance, a law firm’s employee received an email that appeared to be from Microsoft. The email said the employee’s account had been suspended and asked them to verify their account details. The email provided a link to a legitimate-looking webpage on which the employee entered their Outlook username and password.
What the employee didn’t realise was that they had just handed over the login credentials for their work email account to a cybercriminal. Because the law firm didn’t have multi-factor authentication – a process that requires two or more pieces of evidence to authenticate an account log-in, so that a stolen password alone is not enough – the cybercriminal was able to log in to the employee’s email account remotely.
Full-access pass granted
With full access to the employee’s email account, the cybercriminal could monitor communications and gather confidential intel on clients, their real estate agents, upcoming disbursements and settlement dates. The cybercriminal then identified the most lucrative target.
Once identified, the cybercriminal registered a lookalike email domain that closely resembled that of the agent representing the vendor. For example, if the agency’s email domain was abcagents.com.au, the cybercriminal created abcagenst.com.au, swapping two adjacent letters so the address passes a casual glance.
Using this fraudulent email address and drawing on information gathered from the monitored conversations, the cybercriminal sent the law firm an email asking for the payment to be made by wire transfer rather than by cheque, as had previously been agreed. To make the message look authentic, the cybercriminal copied the agent’s real email signature into the fraudulent email.
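A transposed-letter domain like the one above is detectable mechanically. The following Python is an added illustration, not CFC’s or the law firm’s own tooling: it compares the sender domain of an incoming message against a list of counterparty domains the firm already deals with (the domain names and the sample messages are constructed for this example), using Damerau-Levenshtein distance so that adjacent-letter swaps score as a single edit, and combines that with a crude keyword check for messages that ask about payment details.

```python
import re
from email.utils import parseaddr

# Constructed list of domains the firm already does business with
# (hypothetical names, not taken from the case study).
TRUSTED_DOMAINS = {"abcagents.com.au", "examplelaw.com.au"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution or adjacent transposition each costs 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None.
    An exact match is a legitimate counterparty, not a lookalike."""
    if domain in trusted:
        return None
    best = None
    for t in trusted:
        dist = damerau_levenshtein(domain, t)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (t, dist)
    return best[0] if best else None


# Very rough signal that a message is about where money should go.
PAYMENT_CHANGE = re.compile(
    r"\b(wire|bank details|account (number|details)|transfer)\b", re.I)


def assess(message: dict) -> list:
    """Return the list of flags raised for one message.
    `message` is a constructed dict with 'from', 'subject' and 'body'."""
    flags = []
    dom = sender_domain(message["from"])
    target = lookalike_of(dom)
    if target:
        flags.append(f"sender domain {dom!r} resembles trusted {target!r}")
    if PAYMENT_CHANGE.search(message["subject"] + " " + message["body"]):
        flags.append("message asks about payment details")
    if len(flags) == 2:
        flags.append("HOLD: verify by phone on a known number before paying")
    return flags


# Constructed sample messages modelled on the case study.
FRAUD_MESSAGE = {
    "from": "Jane Agent <jane@abcagenst.com.au>",
    "subject": "Settlement - change of payment method",
    "body": "Please pay the settlement funds by wire transfer to the account "
            "below rather than by cheque as discussed.",
}
LEGIT_MESSAGE = {
    "from": "Jane Agent <jane@abcagents.com.au>",
    "subject": "Settlement confirmed",
    "body": "Settlement is confirmed for Friday. Please have the cheque ready.",
}

if __name__ == "__main__":
    for m in (FRAUD_MESSAGE, LEGIT_MESSAGE):
        print(m["from"], "->", assess(m) or ["no flags"])
```

The edit-distance check is a coarse filter: it catches transpositions and single dropped or added letters against a short list of known counterparties, but not homoglyph or internationalised-domain tricks, display-name spoofing, or a compromised genuine mailbox. The control that actually stops the loss is the last flag: any change to payment instructions is confirmed by phone on a number already on file, never on one supplied in the email.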
Believing they were communicating with the vendor’s agent, the law firm transferred over $240,000 to the cybercriminal’s account.
Funds unrecoverable
Because many days had passed before the vendor asked the agent where the funds were and the agent contacted the law firm, the cybercriminal had ample time to withdraw the funds.
Understandably, the vendor, buyer, agent and law firm were all affected by the disappearance of the funds, which were now irretrievable. However, because the law firm had cyber insurance, the loss was covered in full and the sale of the property could go ahead.
The key takeaways