It often happens to less prominent individuals, but this time it happened to a US State Supreme Court judge: scammers have managed to trick her into wiring the money meant for buying an apartment to a bank account under their control.
According to the NY Daily News, State Supreme Court Justice Lori Sattler was in the process of selling her apartment and buying another, when she received an email that seemed like it was coming from her lawyer.
The “lawyer” instructed her to send the money – a little over $1 million – to an account with the Commerce Bank of China, and she did.
Whether the scammers managed to compromise the lawyer’s email account or created a new one that could pass as the legitimate one is unknown, but it seems almost certain that they have compromised either the lawyer’s or the judge’s computer – how else would they know how to craft such a timely and convincing spear-phishing email?
Conveyancing fraud is on the rise
Conveyancing fraud – when criminals hack into an email chain between sellers, buyers and brokers and modify the information contained in emails in order to redirect money to their accounts – is a variant of the business email compromise (BEC) scam.
The difference is that, instead of companies, the crooks ultimately target clients of lawyers who specialise in the legal aspects of buying and selling real property.
“This attack is so much worse than business email compromise because it targeted an individual, who instantly lost years of her savings. Unlike a consumer phishing scheme, where banks typically reimburse the customer’s losses, there’s no recourse for the victim. From the bank’s point of view, she instructed them to wire the money, and they simply carried out her instructions,” John Wilson, field CTO of email security vendor Agari, commented for Help Net Security.
“This attack should serve as a cautionary tale; no one is safe from digital deception. Spear phishing attacks are particularly pernicious because they leverage the familiar – in this case a real estate lawyer – so it only takes a momentary lapse in judgement to become a victim. Everyone must do more to secure the identity and authentication of email,” he noted.
Mitigation and prosecution
If you receive an email asking you to direct payment to a new account, it’s always a good idea to pick up the phone, call your lawyer, and confirm that the account information provided in the email is correct, and that the email is legitimate.
Wilson advises US-based victims of conveyancing fraudsters to bypass local police and call the FBI directly.
“If the crime is reported within 24-48 hours there is a small chance that the FBI can prevent the money from leaving the USA. If you waste a week waiting for your local police to figure out what to do, you’ve squandered this crucial time window,” he noted.
According to LegalinX7-Side, a UK-based business, property and consumer information provider, not all cases of conveyancing fraud are ultimately investigated by the UK police.
“Cases are only dealt with by the police if they are deemed to have sufficient lines of inquiry by the National Fraud Intelligence Bureau as detectives will only look into cases they are confident will get a conviction,” they shared.