The process of buying or selling a home can be extremely stressful and complex, but imagine the stress that would boil up if — at settlement — your money was wired to scammers in another country instead of to the settlement firm or escrow company. Here’s the story about a phishing email that cost a couple their home and left them scrambling for months to recover hundreds of thousands in cash that went missing.
It was late November 2016, and Jon and Dorothy Little were all set to close on a $200,000 home in Hendersonville, North Carolina. Just prior to the closing date on Dec. 2 their realtor sent an email to the Little’s and to the law firm handling the closing, asking the settlement firm for instructions on wiring the money to an escrow account.
An attorney with the closing firm responded with wiring instructions as requested, attaching a document that had the law firm’s logo and some bank account information that was represented as the seller’s account number. The Little’s realtor sent the wire on Thursday morning, the day before settlement.
“We went to closing at 1 p.m. on Friday, and after we signed all the papers, we asked the lawyers if we were going to get back the extra money we had sent them, because they hadn’t be able to give us an exact amount in the wiring instructions. At that point they told us they had never gotten the money.”
After some disagreement, both legitimate parties to the transaction agreed that someone’s email had been hacked by the fraudsters, and was used to divert the wired funds to an account the criminals controlled. The hackers had forged a copy of the law firm’s letterhead, and beneath it placed their own Bank of America account information (see screen shot above).
The owner of the Bank of America account appears to have been a willing or unwitting accomplice — also know as a “money mule” — recruited through work-at-home job schemes to receive and forward funds stolen from hacked business accounts. In this case, the money mule wired all but 10 percent of the money (a typical money mule commission) to an account at TD Bank.
Fortunately for the Littles, the FBI succeeded in having the resulting $180,000 wire transfer frozen once it hit the TD Bank account. However, efforts to recover the stolen funds were stymied immediately when the Littles’ credit union refused to give Bank of America a so-called “hold harmless” agreement that the bigger bank wanted as a legal guarantee before agreeing to help.
Charisse Castagnoli, an adjunct professor of law at the John Marshall Law School, said banks have a fiduciary duty to their customers to honor their requests in good faith, and as such they tend to be very nervous legally about colluding with another bank to reverse payment instructions by one of their own customers. The “hold harmless” agreement is usually sought by the bank which received a fraudulent wire transfer, Castagnoli said, and it requires the responding bank to assume any and all liability for costs that the requesting bank may later incur should the owner of account which received the fraudulent wire decide to dispute the payment reversal.
“When it comes to wire fraud cases the banks have to move very quickly because once the wires make it outside the U.S. to foreign banks, the money is usually as good as gone,” Castagnoli said. “The receiver or transferee usually insists on a hold harmless agreement because they’re moving the money on behalf of their own account holder, kind of going against their own client which is a big ‘no-no’ when you’re a fiduciary.”
But in this case, the credit union in which the Littles had invested virtually all of their money for more than 40 years decided it could not in good faith provide that hold harmless agreement, because doing so would stipulate that the credit union affirms the victim (the Littles) hadn’t willingly and knowing initiated the wire, when in fact they had.
“I talked to the wire dept multiple times,” Mr. Little said of the folks at his financial institution, Atlanta, Ga.-based Delta Community Credit Union (DCCU). “They finally put me through to the vice president of loss prevention at the credit union. I’m not sure they even believed all that was going on. They finally came back and told me they couldn’t do it. Their rules would not allow them to send a hold harmless letter because I had asked them to do something and they had done it. They had a big meeting last week with apparently the CEO of the credit union and several other people. Then they called me on Monday again and told me they would not could not do it.”
The Littles had to cancel the contract on the house they were prepared to occupy in December. Most of their cash was tied up in this account that the banks were haggling over, and so they opted to get a heavily mortgaged small townhome instead, with the intention of paying off the mortgage when their stolen funds are returned.
“We canceled the contract on the house because the sellers really needed to sell it,” Jon Little said.
The DCCU has yet to respond to my requests for comment. But less than a day after KrebsOnSecurity reached out to the credit union for comment about the Littles’ story, the bank informed the Littles that the other bank would soon have its hold harmless letter — freeing up their $180,000 after more than four months in legal limbo.
The Littles’ story has a fairly happy ending, however most of the other few dozens stories previously featured on this blog about wayward mortgage, escrow and payroll payments wound up with the victim losing six figures at least.
One of the more recent advertisers on this blog — Ninjio — specializes in developing custom, “gamified” security awareness training videos for clients. “The Homeless Homebuyer,” one of the videos Ninjio produced for a government client seems appropriate here: It features an animated FBI agent breaking the bad news to some would-be homeowners that their money is gone and so are their dreams of a new home — all because everyone blindly trusted unsecured email for what is essentially a high-risk cash transaction.
I like the video because its message is fairly stark and real: You could get screwed if you don’t take this seriously and proceed carefully, because once the money’s gone it usually stays gone. Check it out here:
So here’s what you need to know if you or anyone you know, love or even like are about to buy or sell a home: Never wire money based on the say-so of one party to the transaction made via email. You simply don’t know if their account is hacked, so from a self-preservation standpoint it’s best to assume it is.
Agree in advance who will contact whom — preferably by phone — on settlement day to receive the wiring details, and who will manage the wiring process. Never trust bank account details and payment instructions sent via email. Always double or even triple check any instructions for wiring money at settlement. Confirm all wiring instructions in person if possible, or else over the phone.
By the way, these same precautions can help make organizations less susceptible to CEO fraud schemes, email scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster.
The Federal Bureau of Investigation (FBI) has been keeping a running tally of the financial devastation visited on companies via CEO fraud scams. In June 2016, the FBI estimated that crooks had stolen nearly $3.1 billion from more than 22,000 victims of these wire fraud schemes.
Castagnoli said many credit unions and small banks don’t have the legal staff with the clearance to make calls on whether to issue a hold harmless agreement, and so they usually try to punt on that when requested. Were she in The Littles’ position, Castagnoli said she would have called the head of the credit union and demanded assistance.
“If the head of the bank wouldn’t do it, I’d call my congressperson or a state banking regulator,” she said.
If you’re selling or buying the home yourself and somehow also in charge of wiring money, consider using a Live CD approach (all of these “live” Linux distributions will just as happily run on USB-based flash drives). I have long recommend Live Linux usage as a smart option for small businesses to avoid paying dearly when a Windows banking trojan snarfs their business banking credentials.
scams and scams are heavy…in usa now.
hittinh hard…wolfes are hungry..and hustles hustle hard.
Hi,
RE: Blind trust in email could cost you your home
The same thing happened in South Africa: https://mybroadband.co.za/news/security/153089-couple-robbed-of-r250000-by-hackers-while-trying-to-buy-a-house.html
Good video – it really punctuates the pain that people have to go through in sad disasters like this. Keep up the good work Brian!
Nice to see this topic being given a high-profile venue.
I work for a large escrow/title organization and we have seen wire fraud attempts increase from once a quarter in early 2015 to 5-6 times a week currently.
As mentioned in the article – always CALL to verify an email that asks you to wire any money. I have seen people write in emails, “This doesn’t seem right but I will wire the money anyway.” It’s Kafka-esque sometimes.
We rarely discover whose email account was compromised (too many third-parties), but – real estate agents are heavily phished for their email credentials, have less anti-phishing/anti-fraud controls/resources/awareness, and commonly use free email services to transact business (*cough* Yahoo breaches *cough*).
This also flourishes because too few care about it unless money disappears. I have seen look-alike domains/mail accounts (“t1tle.com”) stay online after being reported, the same Gmail addresses used for months, banks that aren’t interested in hearing about money-mule accounts, and so on. The bad guys have essentially infinite resources to utilize.
The “win” is in foiling the attempt and knowing you helped save someone’s money (and time and aggravation), but that guy in Nigeria is going to just try again tomorrow, with no worries.
and, always CALL a number that was given to you previously, not the phone number in the email…
Blind Trust in *ANYTHING* Could Cost You Your Everything
Fixed that for you!
On point, your coverage of Ninjio is excellent.
I’d gently suggest: making transactions frictionless is perilous.
Specific to this story, what makes it painful and difficult reading: for most folks, a real estate closing isn’t a frequent event in our lives. It’s not like buying fast food or topping off a fuel tank or checking into a hotel. Typically, principals buying and selling real estate seek professional / legal guidance which, one hopes, can be trusted. And that’s another infrequent occurrence for most of us: we don’t have lawyers on speed-dial.
So what’s to be done? Add some friction to the process; some additional steps that confirm what’s about to happen is what everyone legitimately party to the transaction intends to happen. Again, your guidance — in italics — about confirming wiring instructions is spot-on.
Narrowly / specifically to this genre of transaction: detailed wiring instructions can properly be included in the contract. Well in advance. No surprises.
One safe method is to use a cashier’s check. Various closing firms accept that, and give you a receipt when you hand it to them. After that, you are covered, and the closing firm is typically insured against falacies later on their end.
It forces you to take a extra personal visit to the closing firm, but for this amount of money you may prefer the peace of mind.
Cashier’s checks can be forged as well, and so they are not accepted as cash, (or should not), because they are not as good as cash. In the case of a fraud, or suspected fraud, the issuing bank can stop payment on that check.
This cashier’s check instrument is NOT any different than any other check–the funds still must clear to the receiver’s bank, from the sender’s bank through the federal reserve bank before the funds are truly received. It can take time before the fraud is discovered, and the receiving bank will pursue their users if that check later bounces. I believe that even after the fact it has cleared, the federal reserve can reverse two member banks’ transactions if there’s a fraud.
Email of any kind cannot safely act as the verification system. In my experience, you must use multiple methods of verifying the account numbers and routing numbers, not just one. There’s just no way that all the parties of a bank, law firm, individuals, and a closing company are all going to be up to speed to even determine if something is safe, let alone follow good practices.
Finding fault after the fact won’t do much good, since the amounts will often be enough that you couldn’t sue and collect from the “responsible parties”, and it would take years if you could. Get it right to begin with, or it will cost you. Hire a security expert if you must.
I would agree to a point, checks can be traced, just as snail mail can. It places a contingent hold at this place in the transaction. A wait till it clears point. And each place can be traced if needed. Yes a week to verify the amount is excessive, but, the transaction would be recorded, and verified. And that would be in front of your bank representative, and their end verified, the only problem would be BOA. And someone still trusts them?
You missed the point. Using a cashieres check protects YOU the buyer. That the buyer can give the closing firm a fake check, and hence the accepting bank will verify its validtiy is true, but irrelevant here. This is about me sending my money to the wrong person. Using a cashier check prevents that.
It’s time to seriously think about doing away with the use if email ,as it’s a continuously vector for fraud abuse.
Not a chance it will ever go away. If nothing else, people still need it when they sign up for various services, and it is oftentimes needed for password resets and whatnot.
There’s no need to get rid of email; email is incredibly useful and has proliferated as a means of communication for good reason. The problem isn’t email in and of itself; the problem is that email is (like anything else) not a universal solution. It’s never been intended for high-trust transactions, but people have started using it that way anyhow.
It bears pointing out that before email, scammers used fax machines to pull off many of the same scams that happen in email. And before fax machines, they used phones. The problem isn’t the medium, the problem is when people assume trust rather than validate it…regardless of what the communications medium is.
You are absolutely correct. eMail is not the problem. Its how this tool is used/misused that is the issue.
What about the $20K? Did the Littles still owe that amount to their credit union because their credit union wouldn’t play ball with BoA? If so, do they owe that lump sum to their credit union, or have to make payments or what?
Shouldn’t the realtor who send the letter to the Littles and their firm be liable, since she/he sent the bogus/hacked email?
Is there any legal ground for the Littles to sue their credit union, or the realtor?
What about the money mule? Anyone going after him/her?
Seems like a system failure, not the fault of the Littles. We as consumers rely on financial system entities and law firms to follow best security practices etc.
That’s too much money to walk away from in my opinion.
Thanks Brian for sharing this case.
Most likely the closing firm was hacked. And if it isn’t the closing firm, it must be the realtor or so. But since the article explicitly states “An attorney with the closing firm responded”, it’s pretty certain who’s email was hacked.
After all chances that a hacker got so lucky to hack the email of someone who *just* happens to be in the process of buying a house while having a mule ready, is slim. Also closing firms are attractive targets for many other reasons, due to their handling of SSN and other info.
Ad the solution is so simple. The last time I bought a house, all sensitive communication was done using secure email, where I would have to log into a remote server to view the email. to see the contents. That way an hacker would have to both compromise the closing form’s email (which is often an 3rd party external server) *and* their internal systems.
My bank used a similar system and didn’t use regular email for any of the documents.
In general when you handle data *that* sensitive like bank acounts etc, you shouldn’t use regular email.
I completely agree.
When I bought my house (about 3 years ago), we used a secure e-mail service for all paperwork, including electronic signatures of documents.
But at closing, we had to have the money with us in the room. We had the bank issue a certified check, which we brought with us to the closing. The settlement company deposited it using their systems. It cleared within the hour and the sale completed. We received a direct deposit to our account for the excess amount.
I think there might have been a wire-transfer option, but I chose to not use it because I was paranoid about a computer glitch destroying everything. Fraud had never occurred to me, but after reading this I’m doubly glad I made the decision I did.
The check did not clear in an hour. Rather, they called the issuing institution and verifying its legitimacy. All checks, including Cashier’s/Certified Checks, must clear through the Federal Reserve before being paid. I work for a financial institution and process wires. Many institutions have begun confirming information with title companies and law firms before releasing the funds.
Not quite true. If the seller and buyer are both customers of the same bank, the check would be processed internally. The check would not be processed by the Fed.
It’s not unreasonable in 2017 to ask your service providers (real estate agent, closing firm, accountant, credit union, etc) if they use two-factor authentication to access email.
It’s also not unreasonable to ask them if they still use a cyber-crime-vulnerable desktop email client like Lookout xxxx Outlook or Mac Mail.
It might not even be unreasonable to decline to do business with service providers with such sloppy cyber security.
And, of course, always call to verify. And look up the number, don’t call the number on the email message.
The VP of Sales where I work got an email purporting to be from the CEO instructing her to wire some money to a particular account. The spearphisher knew enough about our business to mention a customer company we actually serve. (Probably looked at a testimonial on the web site.) Fortunately we’d just had some security training, plus our VP of sales is savvy. But we could have been caught.
In the UK most property sales/purchases are
done face to face with no possibility of fraud.
Is it because the parties involved are not
prepared to travel to do this because of vast
distances involved in State to State sales?
My experience in the US (three transactions) is that they’re done face-to-face. And the closing attorney needs to have all the funds “on the table” at closing. That is, funds previously deposited to his escrow account (typically a mortgage company will work this way) or a cashier’s check from a known bank.
Of course, in some cases not everyone is present. The buyer usually is but it’s not uncommon for the seller to be absent.
The issue is not whether a sale is done face to face, but whether you wire money. In the UK transfers are also (often) done by wiring money, I know first hand 🙂
It is the wiring vs plain good old cashiers check that gives the risk here.
Isn’t the receiving bank (The Bank of America, in this case) obliged to check that the account belongs to the named beneficiary? It all seems rather slipshod.
Using a LiveCD isn’t a bad idea but a better one would be to ditch Windows entirely for business use.
It’s not the fact the LiveCD is running Linux per-se, but that it is not-persistent. So each reboot of the LiveCD gives you a clean slate to work from without the risk of anything getting “infected”.
You could accomplish the same with a Windows LiveCD, but Linux has the added advantage of being free.
Given the prevalence of email compromise and the volumes of cyber fraud it’s interesting that the first reaction of financial companies is still “not us guv!”.
This is why we need more of these sorts of stories to hit the mainstream press with none of the ‘techno babble’ that so often accompanies them. Joe Public does not need to understand the detailed technie stuff behind so many of these attacks, they need them explained in language they can understand much as Brian has done here.
Ronald Reagan summed it up best “Trust, but verify”.
This almost happened to a coworker last month. They got an email with new instructions for the wire transfer for closing, but were suspicious because of misspellings and phrasing. They sent it back to the attorneys’ office, but the attackers were filtering the messages in and out of the attorneys’ system, so it took a phone call to resolve the issue.
One could certainly hope the law firm would have immediately suspended all e-mail activity and instituted a thorough deep-scan forensic analysis to find and remove the malware that infected their system.
Stalin said long time ago, Trust but Double check and control.
After reading this, I suggested our bank provide this information when people are looking for a loan, to help avoid the scam.
Thank you for the story.
But follow the money and you see whole picture.
its that easy !!
Im no sure but in poland bank will not let you trafsfer that kind of money just like that (esspecialy to another bank). They will call you for veryfication
That wouldn’t help. The buyer sincerely believes that the account information is correct. That’s precisely the problem the credit union had which prevented it from using the hold harmless statement: the buyer did enter the account information and issued the order. If the credit union called to ask the buyer to confirm, the buyer would read the email and confirm the account number.
Confirmation is important, but if you aren’t careful about what you’re confirming, you haven’t helped anyone.
I’m old fashioned. For real estate closings I insist on all documentation 10 days before the closing. I read it all and I do the closing in person at the escrow company. The person I deal with jokes that I pay more attention to the details than most lawyers she deals with.
For me, I would think something is very fishy as wire transfers are about as rare as hen’s teeth for my region.
I don’t know how home closing works in other states, but the closing amount is agreed upon and once in the final stages, you get a bank check made out to the proper party, whether it’s the mortgage group, or trust group XYZ, take it to signing and boom! you have a house!
I have purchased two homes at different times in different states. In both instances it was suggested by real estate agents that i use a wire transfer. I decided that I liked the traditional cashier’s check since I was afraid that there was too much risk to entering routing numbers wrongly. I did not consider fraud.
I’ve purchased properties on two continents.
For my first purchase, I transferred funds electronically across the pond to myself (using PayPal, in two transaction as I hit a dollar limit…) and deposited them into my local bank account. My bank was my lender (in fact, it was a condition of them giving me a mortgage that my paycheck be automatically deposited at their institution) for the property and they managed the digital transactions against my account (I was present and authorized, but the account information was managed by the realtors and the (s)). The title OTOH was a classic paper deed with the names of each previous owner written in fancy ink on the back.
That property was later sold using power of attorney (I had switched back across the pond). I don’t know how the closing went, but my empowered friend sent me a wire with the funds.
To make my purchase the second time, I actually bicycled a cashier’s cheque to the real estate agency that was managing escrow. And then I think there was a second cashier’s cheque for the sale. Here, the deed was a digital entry.
—
The contrasts between these two countries are quite amazing in this case consider that paper existed in opposite categories…
I guess this is a use case for some kind of blockchain ledger???
No. That doesn’t help. A ledger at best lets you see where the money went for a hop or two, until it’s extracted from the system and laundered via some incompatible system. Using email addresses or random numbers for accounts is close to the root of this problem, so Bitcoin is not an asset.
Instead, it is an argument for a better escrow system. It’s also an argument for better communication using multiple distinct methods and possibly only performing certain activities with multiple parties physically present.
Bitcoin does have support for escrow, but so do most countries. And buying a house often involves escrow.
Based on my experience buying / selling / refinancing properties, the “standard business practices” for most real estate agents and brokers, title companies, small banks and credit unions, etc. are flat-out insanely dangerous. I’m more surprised that stuff like this doesn’t happen every day. Most of these organizations are absurdly cheap about security. We were dealing with one credit union that sent all sorts of stuff containing PMIs over email (we had to threaten them to make them stop), and the kicker was their email server wasn’t even configured to support TLS, which costs virtually nothing to implement.
According to Robert W.’s earlier comment, stuff like this does happen almost every day — though perhaps not to completion of the theft.
Robert W. April 27, 2017 at 5:34 pm
“I work for a large escrow/title organization and we have seen wire fraud attempts increase from once a quarter in early 2015 to 5-6 times a week currently.”
Whoops… PII not PMI. My brain went into real estate crap mode.
Brian, thanks for a super eye-opening article. I’ve passed the link to many friends who actually think the risk is overblown.
I hate to sound like an old white guy – after all I was at the bleeding edge in the 1980’s. Rewrote portions of DOS to protect against malicious corporate updates, and cracked Lotus, only to replace their code with mine, that would only recognize the hard drive it was running from. This after someone stole 1 of 2 boot floppies, and I have to tell you the code had to be very tight to fit into the space available.
Today, virtually nothing of financial or legal value is transmitted electronically. I’m sadly back to teller’s and certified checks, and overnight or two day express delivery only to known addresses. Legal papers are manually signed. I still do EFT’s but only from a computer with minimal connection to the internet, hard multi-vendor scans, and only to http addresses I know, who on their end, know my bank account info (or vice versa).
It’s a brave new world. Just not a good one. Again, thanks again for posting.
Jack
wow. this is scary. In my opinion, for bigger transaction direct bank deposit is the right choice to avoid crisis like this.
Incredible post!
Maybe I am just the overly suspicious type, but based on the story as written this seems to have been a relatively local transaction (Georgia, North Carolina) and I fully understand that there is nothing to prevent a firm from using out of state banking institutions/locations but to have a Boston bank in the middle of the picture likely would have raised an eyebrow enough to pick up the phone.
Was Bank of America even the right bank for the escrow account?
Sorry to be late responding. We were busy through Friday, April 28th with closings.
1. How will an encrypted email prevent crook from sending bogus wire instructions via encrypted email to buyer? I agree that the encryption will hide transaction details.
2. Use cashier’s check? Visit Office Depot/Staples for $40 software and check stock to create your very own counterfeit check!
3. Wait a week for check to clear? Doesn’t work – good forgery, fake ABA & account numbers – you don’t know how long to wait – heaven forbid that you rely on your bank teller or manager to tell you it has cleared.
4.
5. Eliminate email – ha,ha. I have an original Nigerian handwritten letter that was mailed to me.
6. Realtor should be responsible for hacked/bogus email? So all of your friends are liable for the virus-ridden email “they’ sent you?
7. Credit union should be responsible? Credit union sent the money as you instructed.
8. Most likely closing firm was hacked? My experience has been the realtor is the one probably hacked.
9. If crook is monitoring the realtor email, they can intercept the wire instructions from closing agent to realtor and replace them with bogus instructions.
10. “We had the bank issue a certified check. . . three years ago and it cleared within the hour”. I haven’t seen a certified check in twenty five years. A check will not clear within an hour. There is no way that happened.
11. Avoid fraud with face to face transactions. So you think a crook won’t hand you a bad check?
12. Shouldn’t the receiving bank verify the account belongs to receiver? Note the unusual law firm name. My guess is that the crook faked a corporate name similar to the law firm’s real name.
13. It should be impossible to create a fake account at a bank with the USA Patriot Act. Right, tell that to the 2.1 million Wells customers. A bank employee, not Wells, told me I was crazy if I thought only Wells did crap like that.
14. “For real estate closings I insist on all documentation 10 days before the closing.” Tell Wells, BoA, Chase and most other lenders that and they will laugh you out the door. So, I just need to get you the bogus instructions ten days ahead of time. Problem solved.
15. “For me, I would think something is very fishy as wire transfers are about as rare as hen’s teeth for my region.” We receive about a hundred wires a month. For a consumer, they may be rare, not for a settlement company or a realtor.
16. “I’m more surprised that stuff like this doesn’t happen every day.” It is happening every day.
17. “to have a Boston bank in the middle of the picture likely would have raised an eyebrow enough to pick up the phone. Was Bank of America even the right bank for the escrow account?” Many banks have out of state cities for wire instructions – Wells – San Francisco, Suntrust – Atlanta, Regions – Birmingham, BoA – New York, BB&T – Winston. I could go on. With all of the mergers, the ABA number and bank name may be legitimate and not match.
18. Bonus question – what are all the differences between this check and a real check?
https://www.ncbar.gov/media/490366/nathan-silver-check-postage.pdf
If you don’t want to click on a link, go to North Carolina State Bar website , scroll to bottom left of home page and click on Check Scam Alert and then Bank Check and Shipping Label.
So how should it be done?
I don’t handle many cashiers checks, so maybe a pro would spot something, but that check looks totally legit.
Encrypted email won’t prevent it, but crooks canot send them. So suddely you will get 1 email unencrypted, while all other transactions were so you would have to login or perform decryption steps.
And a crook creating a counterfeit check, doesn’t matter a bit. It won’t have him get *my* money which is what is at stake. Me using a cashier check, prevents me wiring him/her money. And that is the fraude this article is about.
The ABA routing number doesn’t come back to a specific bank according to aba.com, I guess that would be the only way to verify a check a layman could do.
My mom deposited an $800 check in the ATM but did not hit the . button, so it showed up as $80,000 for a day or so until someone noticed the error.
They decided to deduct $80,000 from her account instead of $79,200, she almost bounced checks because of that. No wonder she called the Bastards of America after that.
The fraud happens well before this email is setup. My wife is a real estate broker, and I can now tell you how this whole thing gets started. It gets started because most real estate brokers use Docusign. Not that Docusign is the problem, but it does provide the attack vector.
My wife received a spear phishing email from an alleged title company saying that the paper work was completed on the latest transaction. Simply login to Docusign to completed the paperwork. The link, of course, goes to a fake site that asks for the email (which is used for login). The next page then asks for the password and the phone number. Then you get a 500 server error message, and the page redirects to the actual Docusign page.
Not only does the scammer have the email and password (which most people use the same password for many accounts), they also have the phone number so an SMS message can be sent to get the code when trying to login to the email.
Now the scammer has the email, password, and the login to Docusign. With the Docusign login, the scammer has access to all of the transactions that are pending, including those that will use a wire transfer. Send an email from the agent with the given username and pass to the now known client, and now all the pending transactions can be wired to the wrong place. When the scammer sends the email from the broker’s account, they will also know the name of the title company, customer, etc. So the email will look legitimate.
The only way around this (and something my wife is going to do with all transactions) is to agree ahead of time that any emails will require phone verification. Long term, the goal would be to use a secure chat room for all communications between the client, the broker, and the title company.
>>to use a secure chat room for all communications between the client, the broker, and the title company.
You mean like the cone of silence Maxwell Smart used?
Guess I now know never to trust an email, even if the headers are legit. Great article Brian.