OneLogin's Al Sargent

WASHINGTON, DC – Cybercrime has become an unfortunate fact of life for individuals, companies and, as we now know following the release of the declassified report by US intelligence agencies, political organizations and politicians. Even the world's central banks are not immune to such malfeasance. In February 2016, hackers broke into the Central Bank of Bangladesh and stole $81 million. Last month Reuters exclusively reported that since that heist, cyber attackers have continued to attack the global banking system and in some cases have succeeded in stealing funds.

There hasn't been — that we know of — a major cyber theft from a commercial real estate broker or fund. But unless a company is bound by regulation to disclose such a loss, it is highly unlikely that it would do so.

But even if the CRE industry has remained out of reach of hackers to date, Al Sargent, senior director at the San Francisco-based OneLogin, believes the industry is ripe for exactly such an intrusion. Last year it became clear that cyber thieves were raiding the escrow accounts of residential homebuyers when, in March, the Federal Trade Commission and the National Association of Realtors warned homebuyers that hackers had been breaking into some consumers' and real estate professionals' email accounts to get information about upcoming real estate transactions. The scam worked like this, the agencies wrote:

After figuring out the closing dates, the hacker sends an email to the buyer, posing as the real estate professional or title company. The bogus email says there has been a last minute change to the wiring instructions, and tells the buyer to wire closing costs to a different account. But it's the scammer's account. If the buyer takes the bait, their bank account could be cleared out in a matter of minutes. Often, that's money the buyer will never see again.

Too many brokers ignored or downplayed that warning, Sargent said, and the risk is still there. Furthermore, as cyber thieves become more sophisticated they could use similar tactics to find out the details about commercial deals, parlaying the expertise they have gained in the last year targeting the central banks. Granted, it is unlikely that, say, a multibillion-dollar Blackstone buyout or acquisition could be hijacked in such a fashion, but there are countless low-level deals that easily could be.

“There is an insane lack of security around real estate firms,” Sargent tells GlobeSt.com.

Targeting the Payment Functions

PwC, in its Q4 2015 Current Developments for the Real Estate Industry report [PDF], highlighted this trend.

More and more employees are having a hard time identifying a similar scheme that requests wire transfers be sent overseas because the emails appear to come from people or vendors that they know. These scams target a company's payment functions, prompting the receiver to wire money to overseas bank accounts for apparently legitimate purposes. Since October 2013, US businesses and international law enforcement have reported more than $1 billion in losses from these scams.

In another report, Stop! Did your executive really request that wire transfer? [PDF], PwC explained that the people perpetrating these frauds frequently research employees' responsibilities so they know whom to target, and often gather information to try to make the wire transfer request as believable as possible.

For example, they may research the executive's schedule using public information or by making inquiries of the executive's assistant with the goal of sending the fraudulent emails when the executive is out of town and cannot be easily reached for verification. Although some of the fraudulent requests are for millions of dollars, they can just as often be for smaller amounts. Since many companies have stricter controls (like dual approvals) for amounts over a certain dollar threshold, the scammers often submit requests for lower amounts hoping the looser controls will raise the success rate of their scam. If the scammer is successful in a preliminary request, they may continue to submit additional requests until the scam is detected.

Bypassing the Controls

The problem is, employees are often tempted to bypass the internal controls their employer has established if they think the wire request is legitimate. It gets ugly very quickly when it turns out that the request was not.

For example, a former broker for Wells Fargo Advisors Financial Network was disciplined by the Financial Industry Regulatory Authority for transferring $349,947.53 via two domestic wires to someone she thought was a client.

Instead, it was an imposter who hacked the client's e-mail account and then sent fraudulent wiring instructions to the broker. The broker ignored Wells Fargo's internal controls by not verifying verbally with the client that the instructions were legitimate.

So again, brokers — are you sure that wire request is legitimate?

Erika Morphy

Erika Morphy has been writing about commercial real estate at GlobeSt.com for more than ten years, covering the capital markets, the Mid-Atlantic region and national topics. She's a nerd so favorite examples of the former include accounting standards, Basel III and what Congress is brewing.