An emerging type of cybersecurity attack known as the homeless homebuyer is seeing would-be homeowners robbed of their life savings and their future home.
A variant of the type of attack known as an account takeover, it sees criminals obtain the login credentials of a real estate lawyer and then email the lawyer's clients who are currently in the process of buying a home.
Posing as the lawyer, the cybercriminals con these clients into sending the balance of their purchase to the attackers, leaving the buyers with neither the money nor the property.
The attack is detailed by Dr Markus Jakobsson, chief scientist at email threat protection provider Agari, in the latest issue of cybersecurity magazine Verdict Encrypt.
How cybercriminals fool homebuyers
Account takeover attacks are on the rise in part because a growing number of data breaches mean that many login and password details are now bought and sold on the dark web.
The homeless homebuyer attack is one particularly devastating form of account takeover, carefully timed so that it is very hard for would-be homeowners to spot.
“Say that you’re buying an apartment or house and you’re two weeks away from closing and you have to send your downpayment to the escrow agency,” said Jakobsson.
“Now unfortunately your real estate attorney has been corrupted. Their email account has been taken over by a criminal, who now infiltrates all the email they are getting.
“So they know you’re closing in two weeks. And they know the amount that you’re going to pay; they know the address of the property you’re buying, and they know everything. And maybe they even know that you’re going to get an email from the escrow agency in one week.”
At this point the cybercriminals will send an email that looks exactly like the one the buyers expect, but with different account details – those of the attackers, not the escrow agency.
“Of course you’re going to do this. So you hurry to the bank, you send them money and that’s your life savings. It’s a truly devastating form of abuse.”
What you can do if you are a victim of the homeless homebuyer attack
When buying a house, or making any large bank transfer, it is best to phone the recipient to confirm the account details before you make the transfer.
However, anyone who is duped by the homeless homebuyer attack may be able to avoid losing their life savings if they act quickly.
“The odds are reduced and reduced over time, but if people realise that they’ve been had, they should just run to the bank,” advised Jakobsson.
“Almost always this is about wire transfers, and wire transfers actually can be reversed. It’s not easy, it’s not foolproof, but if you run to the bank within 24 hours there is a chance.
“And the sooner you get to the bank after this happens the greater the chance that they will be able to reverse it. It might not have gone out. It may still be in an intermediary bank and not have been delivered. It might have been delivered to the account of the criminal but not taken out yet.”