Phishing attack when selling a house

Cyber thieves stole $150,000 from a woman during a real estate transaction last year, according to Lisa Vaas at Naked Security. Mireille Appert, a Swiss woman who lives in the United States, inherited her uncle’s house in Australia when he passed away in 2014. She fell victim to a phishing attack.

In 2018, Appert decided to sell the house and got in touch with an Australian law firm, KF Solicitors, on July 1st. On July 18th, she received a phishing email that read, “The sellers [sic] authority just needs to be emailed back to us and not posted.” She emailed her bank details to the company in a PDF.

Wrong bank account number

Over the next month, Appert and her son worked with KF Solicitors to have the money transferred to Appert’s account. However, the money kept bouncing back. On August 10th, Appert received an email that supposedly confirmed the wire transfer but showed the wrong bank account number.

KF Solicitors said they never sent this confirmation, and that they had already transferred the money to an account owned by a company called Kristal Contractors LLC. Appert contacted US law enforcement on August 11th, and on August 14th, Appert’s bank confirmed that the attackers had stolen her money on August 6th. KF Solicitors tried to freeze the transfer, but it was too late.

“There aren’t a lot of details about this case beyond what Appert relates,” writes Vaas. “But more than anything, it sounds like business email compromise (BEC, also known as CEO Fraud): a crime that’s a bit like phishing but without the fake website. Fraudsters contact employees, generally at small companies, often through spoofed email addresses but also by phone, and then impersonate trustworthy business contacts, be they suppliers or customers. In this case, the ‘corporate account’ with Kristal Contractors LLC was likely the purportedly trustworthy business party.”

New-school security could have kept this phishing attack from succeeding

Phishing scams are increasingly popular among criminals, and organizations need to ensure that they’ve implemented proper authentication protocols for money transfers. New-school security awareness training can also help employees watch for this type of behavior and resist social engineering tricks. Naked Security has the full story at https://nakedsecurity.sophos.com/2019/01/17/email-crooks-swindle-woman-out-of-150k-from-home-sale/

Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/criminals-make-off-with-usd-150000-in-real-estate-scam.