Real estate … and fake emails: Riker Danzig lawyers say cyberattacks increasingly targeting sector, disguised as part of legitimate transactions

On the cybersecurity side of the real estate industry, knowing whether to ask about someone’s dog can prove to be a million-dollar question.

That’s because, as Riker Danzig partner Bethany Abele explains, hackers are raking in payouts by lying in wait — unbeknownst to their targets — and learning how people communicate. Or if they have a beloved pet they chat about regularly with colleagues.

“What’s happening is, fraudsters hack into someone’s email, and then watch and monitor email chains,” Abele said. “They see how you speak; they see how you sign off on emails. They learn all they can.”

Abele, partner in Morristown-based Riker Danzig’s Commercial Litigation Group, said that information is then wielded in emails where details of real estate transactions are being worked out. And, in fraud stories that are becoming more common by the day, fraudsters then divert funds — seven-figure funds, in some cases — away from their intended recipient.

It could be anyone involved in real estate transactions whose email has been cracked into: real estate lawyers, title insurance staff or settlement agents. Behind the scenes, attorneys representing these professionals said fraudsters are running rampant in New Jersey.

And there would be a hoard of real estate dollars to show for it — if it hadn’t all vanished already.

Abele said cybercriminals, who compromise emails either through breaking into information technology systems or typical phishing-style attacks, learn of real estate closing dates and then jump in at the last minute. Impersonating someone familiar with the closing, the hackers instruct property buyers to follow fraudulent payoff instructions.

Be alert for warning signs

You might have heard it too often already, but Mike O’Donnell and Bethany Abele of Riker Danzig will implore you to really soak it in this time:

It’s not a matter of if, but when.

The sheer amount of fraud cases they’re seeing guarantees for them that everyone — if they haven’t already — will be faced with sometimes convincing-seeming cyberattacks.

They agree that the best thing to do is stay alert to the possibility of these attacks and try to look out for some of the potential red flags. Here’s what they list as some of those clues:

  • Sudden timeline changes can be enough of a signal. If payments were supposed to go through next week, but one of the parties is sending emails asking for the money to be sent tomorrow instead — it might be for a legitimate reason, or it might be a fraudster.
  • Say you always go by the name “Peggy,” but an email is directed to you from someone in a real estate transaction by your more formal, legal name (the one you might find on a Google search) — that’s a reason to call the person involved to ensure it’s actually them.
  • If the person is asking for payoffs to be done in digital currencies, that can be suspicious. If the instructions suddenly include a Bitcoin payment, especially when that wasn’t previously discussed, be wary of doing so without verifying that it’s a real request.
  • This is perhaps most difficult to spot, the attorneys said (at least if you’re browsing emails on your cell phone): Fraudsters will use similar emails with just maybe one character difference, or one letter transposed, from an involved party’s email.
  • Similarly, if someone who usually communicates through a work email address abruptly switches to a personal Yahoo email account they’re emailing you from — even if they say it’s because they’re working from home — that’s yet another excuse to pick up the phone.

“We’re seeing this not just on the day of closing, but afterwards, too,” Abele said. “The fraudster will have someone call or email later and say, ‘The client changed their minds on getting this payment by this check, which we promise not to cash, and they want it wired instead.’”

Mike O’Donnell, co-managing partner of the firm at Riker Danzig, said that, often, highly sophisticated professionals can fall for these schemes because of a hacker’s deceptive attempt to mirror the interactions they’ve infiltrated. Sometimes, it’s because account numbers, the timing or other key details appear correct.

Other times, the payoff demands are replete with low-effort errors that should raise alarm … but ultimately don’t.

“It’s not always because it looks so authentic,” O’Donnell said. “We’ve seen payoff instructions in which there have been misspellings, verb usage errors or requests for money to go to payees that literally make no sense. There’s people looking back and asking, ‘How did I actually fall for this?’”

However crystal-clear as hindsight can be, O’Donnell said there’s a tendency to just assume from moment-to-moment that there’s no reason to question digital correspondences received from apparent colleagues.

He added that busy schedules, perhaps made busier during the pandemic’s months of remote learning and remote working, haven’t helped.

But he’s advocating for a different comfort level today. Because, even as attorneys like him and Abele learn more about fraudsters’ strategies online, cybercriminals are hatching plots.

“There’s almost a new scam developed every minute,” he said. “And, while that might be a little exaggerated, fraudsters are getting more sophisticated and they’re very effective at coming up with new schemes.”

Most of what these attorneys have seen is in the residential context, where the troves attackers get away with can be both big and small. As far as recourse, the victims can recover funds, but there’s often litigation involved with parties who are alleged to have been culpable for not identifying fraudulent wire instructions.

Prevention is obviously the preferred route. Abele said it takes being willing to verbally verify asks made of those in a real estate deal — even if it risks some blushing.

“Trust your gut,” she said. “If you call someone and they say, ‘Of course it was me,’ when you ask if it was really them that sent an email, it might be embarrassing. But it’ll be a lot more embarrassing if you have to make the call to say, ‘Hey, a million dollars is gone.’”