Property renters targeted in simple BEC scam

Emails purportedly sent by rental property management firms are being used to steal money from people in France and Canada, Proofpoint researchers have warned.

A BEC scam preying on renters

“Most campaigns are sent from compromised mailboxes belonging to educational institutions in various regions, and use a generic subject line, for example ‘Loyer’ and ‘Nouveau RIB’,” Proofpoint says.

“The term ‘RIB’ refers to ‘Relevé d’Identité Bancaire’ (which roughly translates to ‘bank account identity statement’). Early campaigns often included attached PDFs using logos and statements such as ‘Gestion locative de bien immobilier’ (‘Rental property management’), ‘Garantie des loyers’ (Rent guarantee), and ‘Gestion immobilier comptabilité’ (‘Real estate management accounting’).”


Example of a scam email (Source: Proofpoint)

The goal of the email is to trick users into redirecting their monthly rent payment to a new bank account, which is controlled by the attackers.

After making the payment or, in some cases, authorizing their bank to make automatic monthly payments to the new bank account, the victims are instructed to send evidence of the action to a free Gmail or Outlook mail account.

This business email compromise (BEC) scam targets French-speaking individuals, but can easily be “translated” to target individuals in other countries.
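The traits described above (the generic subject lines, the request to change bank details, and proof of payment sent to a free mailbox) can be checked together by a mail filter. The following is an added example, not code from Proofpoint or from this article; the freemail list, payment keywords, agency allow-list, threshold and sample messages are all assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for illustration, not from the Proofpoint report: the freemail
# list, the payment keywords, the agency allow-list and the three-trait threshold.
FREEMAIL = {"gmail.com", "outlook.com", "outlook.fr", "hotmail.com"}
SUBJECT_LURES = ("loyer", "nouveau rib")  # subject lines quoted in the article
PAYMENT_TERMS = re.compile(r"\b(rib|iban|virement)\b", re.I)
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def campaign_traits(raw, agency_domains):
    """Return the traits of the rent-redirect lure found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    sender = domain_of(msg["From"])
    traits = []
    if any(lure in str(msg["Subject"] or "").lower() for lure in SUBJECT_LURES):
        traits.append("subject_lure")
    if PAYMENT_TERMS.search(body):
        traits.append("payment_change")
    # Proof of payment is requested at a free mailbox unrelated to the sender.
    reply_to = {domain_of(msg["Reply-To"])} | {d.lower() for d in ADDRESS.findall(body)}
    if (reply_to & FREEMAIL) - {sender}:
        traits.append("freemail_reply")
    if sender not in agency_domains:
        traits.append("unknown_sender")
    return traits

def is_suspicious(raw, agency_domains):
    """Flag a message showing three or more of the four traits."""
    return len(campaign_traits(raw, agency_domains)) >= 3

# Constructed sample messages, not real campaign emails.
LURE = ("From: Secretariat <secretariat@universite.example>\n"
        "Subject: Nouveau RIB\n\n"
        "Bonjour, votre loyer est en retard. Merci d'utiliser le nouveau RIB\n"
        "et d'envoyer la preuve du virement a preuve.exemple@gmail.com.\n")
LEGIT = ("From: Agence <gestion@agence-immo.example>\n"
         "Subject: Loyer de mars\n\n"
         "Bonjour, votre quittance est disponible dans votre espace client.\n")
```

A routine reminder from the known agency shares the "Loyer" subject but none of the other traits, so it stays below the threshold.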

Is it worth it for the attackers?

It’s difficult to say how successful or lucrative these particular email campaigns are.

But according to the latest Internet Crime Report by the FBI’s Internet Crime Complaint Center, with 21,442 registered complaints, BEC schemes were among the most often reported digital crimes in 2024, and related losses are staggering: nearly $2.8 billion.

For the attackers, the calculation is simple: is the time, money and effort spent on setting up this scheme small enough to make the pay-off worthwhile?

In this particular case, the associated cost seems small:

  • The emails are sent from compromised email accounts, whose login credentials have likely been stolen through previous credential phishing or keylogger malware campaigns
  • The email addresses to which the victims are supposed to reply are free email accounts that can be easily and quickly set up
  • The bank accounts used by the attackers are registered at French banks

The emails impersonate French organizations and are written in French, but contain unusual phrasing, so it’s possible they have been written with the help of generative AI. It’s likely, then, that the attackers are not French themselves, though they are familiar with the rental payment process for properties in France and may have information about the rental properties identified in the campaigns.

With stolen information and accounts, phishing templates and scam manuals being offered for sale on dark web forums; free AI tools available to help translate and tweak phishing messages; and some banks allowing individuals to remotely open accounts, the attackers could mount these schemes from anywhere.

Finally, they can use money mules to collect the stolen money from those bank accounts and send it to them, without personally risking an immediate arrest.

Be careful

While most people are likely to recognize that the email is not coming from their regular rental agency, the attackers are counting on enough of them to fail. After all, we’ve all been in a rush, under stress, tired or otherwise not thinking clearly and made mistakes due to wanting to solve a problem quickly because we had other, bigger or more immediate problems on our plate.

“Email message lures that alert users to unpaid and overdue rental installments are intended to cause anxiety in recipients of these campaigns so that they act quickly to avoid potential eviction and/or interest, penalties, and fees,” Proofpoint noted.

“This is a good example for why it is important to pause and reassess any email – or message from social media, messaging applications, etc. – that provokes a strong emotional response and demands immediate action.”
