Business Email Compromise Fraud Matters

49843106 - investing money in new property and housing development

Business Email Compromise (BEC), a sophisticated online scam that targets businesses and tricks employees into transferring money to cyber criminals, is responsible for $1.6 billion in losses in the U.S. and $5.3 billion globally since 2013. The Federal Bureau of Investigation (FBI) reports that BEC is on the rise with a 2,370% increase since the beginning of 2015. Just in the second half of 2016, the FBI received 3,044 reports of losses totaling $346 million. Many business, no matter the type or size, can easily fall prey to this type of fraud if not vigilant.

Today, we’ll look at how BEC affects the real estate industry, which can involve a variety of victims including real estate agents, brokers, escrow or title officers, or anyone with a real estate extension in their email address. And let’s not forget about the homebuyer who could lose their life savings and be forced into bankruptcy if targeted by this type of fraud.

BEC is typically a four-step process:

  1. Hackers can simply find a real estate agent’s email accounts on their websites, purchase email extractor software from the Internet, then use it to collect email addresses for thousands of people working in the real estate industry or they can purchase the credentials of 10,000 real estate agents for around $11.
  2. Hackers then send a phishing email that tricks the recipient into clicking on a link or opening an attachment. They only need one person to take the bait.
  3. Once inside the victim’s email account, they can conduct extensive research on thousands of listing addresses, sales prices, loan amounts, escrow and title company information and account numbers.
  4. Criminals use this information to send an email that looks legitimate from the realtor, broker, bank, or title company’s email to the home buyer instructing them to reroute funding from their lender to a new fraudulent account.

Fraudsters can even alter the signature block on a real estate contract to list a number that connects directly to the bad guys. So, if a homebuyer is suspicious and calls the number listed to verify this new account information is correct, the bad guys answer the call and confirm the fraudulent process. It only takes between four and 24 hours for a homebuyer’s life savings to disappear, never to be seen again.

Because today’s hackers are sophisticated and their fraudulent methods are constantly evolving, it’s important for both the real estate industry and homebuyers to protect themselves from BEC. These preventative steps can stop a potentially catastrophic loss:


  • Be careful about what you reveal about yourself and your company on social media channels and corporate websites.
  • Be suspicious of requests for secrecy and to take immediate action.
  • Implement a two-factor or multi-factor verification system to keep the bad guys out of your corporate email system.
  • Utilize digital signatures and encrypt messages on both sides of the transaction.”
  • Don’t open unsolicited or spam e-mail from unknown parties.
  • Keep your company’s antivirus protection up-to-date and install all recommended service patches.


  • Don’t trust any email that requests you to send money or wire funds to a different account.
  • Follow up with a phone call to your original contact to verify the message’s authenticity.
  • If you discover that you have transferred funds to a fraudulent account, contact your financial institution immediately and ask for a wire transfer recall. Be sure to state that you are a victim of a BEC. Because you personally ordered the transfer to the fraudulent account, financial institutions consider the transaction to be legitimate. The average loss is $130,000 per victim, so the faster you can notify your bank, the faster the transaction can be stopped.
  • Notify the FBI, who will work with the U.S. Department of Treasury Financial Crimes Enforcement Network to help return or freeze the funds.
  • Fill out a Complaint Referral Form through the Internet Crime Complaint Center, identifying the incident as a BEC.

To learn more about BEC and how to prevent becoming a victim, read this FBI public service announcement that explains the $5 billion scam. It provides a comprehensive list of suggestions for businesses to take to prevent this type of fraud from occurring, as well as tips for what to do if you are a victim.

Previous articleGovernment: Silo your data at your own risk
Next articleTurning Property Fraud Cases into Newly Found Revenue for Your Jurisdiction
Supervisory Special Agent (SSA) Michael Sohn is currently leading a squad at the FBI Los Angeles Field Division that is responsible for investigating computer and high-technology crimes. His investigative experience includes cyber terrorism, nation-state and criminal cyber intrusion matters. Prior to his employment with the FBI, he worked as a Cyber Counterintelligence Officer for the Department of the Army, a Counter Terrorism officer for the Defense Intelligence Agency, a consultant at Booz Allen Hamilton and a U.S. Army Officer. Mr. Sohn received a Bachelor of Science in Computer Science from the United States Military Academy, West Point and a Master of Science in Computer Information Systems from Boston University, Boston.