Business Email Compromise, BEC or CEO Fraud is a term used to describe the scam where hackers create fraudulent emails usually pretending to be someone in authority like a CEO in order to get an employee to do something on behalf of the hacker.
Two examples of this would be when a hacker sends an email pretending to be the CEO asking accounting to wire some money to an account. Of course, since it came from the CEO (or appeared to), accounting jumps right on it. And, again of course, this is really the hacker’s account and the money is gone long before anyone figures it out. An Austrian aircraft parts company lost $50 million that way recently.
Another example is an email to someone in HR asking for copies of the previous year’s W2s for an audit. Again, the W2s, with names. addresses, socials and other information is now in the hands of hackers.
While these two examples affect businesses, this scam also affects ordinary people – in a big way.
Hackers are getting in the middle of home purchase transactions and redirecting wire transfers for down payments. Here is a local article and interview that talks about two such cases in the Denver area.
In both cases, the buyer received an email from the real estate agent with wiring instructions for the down payment. This email was followed by a replacement email from the hackers saying that the wiring instructions changed and the new instructions were included in that new email.
The bank information in the new wiring instructions belong to the hacker and the hacker moves the money out of that account within minutes of the wire being received. Trying to get money back from a wire transfer is extremely difficult – especially if that money is withdrawn from the receiving account.
In one of the two cases, the buyer lost $80,000; in the other case, the buyer figured out that the second email was fraudulent and didn’t send the money.
In the case where the buyer did send the money, it is not clear who is responsible. Other than the likelihood of a long court battle, not much else is certain.
Under current consumer protection laws, there is no recourse for the buyer other than to start suing people and see if they decide to pay. The banks, in almost every case that I am aware of, have been held not responsible as they did, accurately, execute the instructions from the buyer. On the other hand, if the Realtor’s email had been hacked and they didn’t know it, then maybe they will be absolved too. However, since a real estate agent is a professional, the court might hold that they should have used more diligence. Using email for anything confidential is an example of extremely poor judgement.
It is likely that the borrower will not be able to purchase the house unless they have an extra spare down payment and, in fact, could potentially, be in breach of contract if the seller wants to sue. In a hot real estate market, the seller will likely just move on to the next contract and the buyer will lose the house.
If the buyer already sold their house and/or gave notice on their rental unit, they may be – very quickly – looking for a place to live.
A home sale is only one example of this problem, albeit probably the largest dollar one that the average consumer will ever see. Any time you are transferring large dollar amounts of money you should be cautious.
What is the solution to this. Actually, it is pretty simple. Either an in person visit or phone call with the person and company that the funds are being sent to to validate the information. But make sure that phone call is originated by you and not a call that you receive so that you are not the victim of a phone scam on top of it.
Alternatively, you can get a cashier’s check from your bank, hand deliver it to the title company and get a receipt for it. That way, if there is a problem, it becomes the title company’s problem, not yours.
In general, when it comes to money – especially large amounts of money – be very cautious. Think like a hacker. Do not be afraid to ask questions if something seems odd. After all, it is your money.