September 10, 2018updated 04 Jan 2019 4:26pm

Homeless homebuyer: The cyberattack taking people’s life savings

By Lucy Ingham

An emerging type of cybersecurity attack known as the homeless homebuyer is seeing would-be homeowners robbed of their life savings and their future home.

A subset of a type of attack known as an account takeover, it sees criminals obtain the login credentials of a real estate lawyer and email clients of theirs who are currently in the process of buying a home.

Posing as the lawyer, the cybercriminals con these clients into sending them the balance of their purchase, leaving them without both the money and the property.

The attack is detailed by Dr Markus Jakobsson, chief scientist at email threat protection provider Agari, in the latest issue of cybersecurity magazine Verdict Encrypt.

How cybercriminals fool homebuyers

Account takeover attacks are on the rise in part because a growing number of data breaches mean that many login and password details are now bought and sold on the dark web.

The homeless homebuyer attack is one particularly devastating form of it, which is carefully timed to make it very hard for would-be homeowners to spot.

“Say that you’re buying an apartment or house and you’re two weeks away from closing and you have to send your downpayment to the escrow agency,” said Jakobsson.

“Now unfortunately your real estate attorney has been corrupted. Their email account has been taken over by a criminal, who now infiltrates all the email they are getting.

“So they know you’re closing in two weeks. And they know the amount that you’re going to pay; they know the address of the property you’re buying, and they know everything. And maybe they even know that you’re going to get an email from the escrow agency in one week.”

At this point the cybercriminals will send an email that looks exactly like the one the buyers expect, but with different account details – those of the attackers, not the escrow agency.

“Of course you’re going to do this. So you hurry to the bank, you send them money and that’s your life savings. It’s a truly devastating form of abuse.”

What you can do if you are a victim of the homeless homebuyer attack

When buying a house – or making any large bank transfer, it is best to phone the recipient to confirm the account details before you make the transfer.

However, anyone who is duped by the homeless homebuyer attack may be able to prevent losing their life savings if they act quickly.

“The odds are reduced and reduced over time, but if people realise that they’ve been had, they should just run to the bank,” advised Jakobsson.

“Almost always this is about wire transfers, and wire transfers actually can be reversed. It’s not easy, it’s not foolproof, but if you run to the bank within 24 hours there is a chance.

“And the sooner you get to the bank after this happens the greater the chance that they will be able to reverse it. It might not have gone out. It may still be in an intermediary bank and not have been delivered. It might have been delivered to the account of the criminal but not taken out yet.”

Verdict deals analysis methodology

This analysis considers only announced and completed deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: