A hacked email can cost homebuyers thousands

Picture this home purchase nightmare: After weeks of getting ready, you’re about to go to closing. Moving trucks are on the way. Based on instructions you received by email from your realty agent, you’ve wired closing funds to the bank account the agent specified.

But the tens of thousands of dollars you wired never arrived. Instead the money got diverted to an account set up by offshore cyber pirates who’ve hacked into your realty agent’s email account, watched the agent’s communications with you, and the title and settlement service providers, then waited for the right moment to pounce. The money is gone — hijacked to an unknown account in some foreign country. You can’t get it back. And there’s no way you can buy the house.

Versions of this horror scenario have been popping up around the country, sometimes costing buyers $100,000 to $300,000, even more.

— In Greenfield, Massachusetts, Corinne Fitzgerald, broker-owner of Fitzgerald Real Estate, told me hackers grabbed $80,000 in closing funds and $20,000 in earnest money deposits by penetrating a buyer’s agent’s email account and supplying false bank wiring instructions.

— Barely weeks ago, in Montgomery County, Maryland, hackers siphoned off “between $100,000 and $200,000” sent by buyers to what they believed was the correct bank for their home purchase, according to Todd Hylton, owner of Excalibur Title & Escrow LLC, whose firm was scheduled to handle the settlement. The money vanished. In late November last year, in Frederick County, Maryland, $300,000 was minutes away from being diverted to an account set up by hackers operating out of Nigeria when realty agent Bill Woodcock of Mackintosh Inc., Realtors noticed something amiss at the closing. Because of a bogus email sent to the buyer’s title agency, closing funds were about to be wired to an unknown bank account. It turned out that the cyber criminals had hacked into Woodcock’s email account and, posing convincingly as Woodcock himself, given erroneous last-minute instructions to the title agency.

Jessica Edgerton, associate counsel for the National Association of Realtors in Chicago, says versions of this scam have been surfacing with disturbing frequency, affecting “hundreds if not thousands” of home closings. Though many attempts are detected in time before the settlement funds are stolen, cyber criminals have been successful in “dozens” of cases, she said, often at massive financial costs to the victims. One near-miss in the Chicago area reportedly involved more than $830,000.

The situation has become serious enough that on March 18 the Federal Trade Commission issued a joint warning with the Realtors association about the threats to settlement funds.

To pull off their heists, hackers typically break into a realty agent’s email account and watch for references to forthcoming cash-rich closing transactions on homes. From their monitoring of the email traffic, they can learn the identities of buyers and sellers, the company names of title, escrow and settlement service providers and the timing of scheduled closings. Once inside the agent’s account, they can effectively take over the agent’s identity and provide credible instructions to clients. Unlike the cartoonish scammers of years past who couldn’t spell and mangled English, today’s artful bandits know the lingo and even pick up and mimic the conversational styles of agents exchanging emails with settlement officials and clients.

How to counter sophisticated settlement fund theft schemes? The FTC’s alert to consumers emphasized a key step all buyers can take: However convincing an email may appear, if it provides money-moving instructions for your closing, stop right there. “Email is not a secure way to send financial information, and your real estate professional or title company should know that,” said the FTC.

Fitzgerald, an immediate past president of the Massachusetts Association of Realtors, says she recommends that agents inform clients in writing early in the process that “I will never in an email ask you to move money.” If buyers understand and acknowledge this, cyber hijacking will be much tougher for the crooks. It’s a smart practice also to confirm all wiring instructions received by any means with a call to a verifiable phone contact number of the realty or settlement agent.

Then there’s the obvious advice for realty agents themselves: Harden up your email security measures. Change your passwords more frequently. If the pirates can’t penetrate and take over your system, they’re much less likely to be able to rip off your clients.