Security Clearance Flagged After Cybersecurity Phishing Scam Snagged Real Estate Funds

Cybersecurity keychain small house with red door and grey roof

In a recent case filed in the United States District Court, State of New Jersey, a real estate attorney and mortgage lender were sued by both the buyers and sellers of residential property because of alleged damages from the fallout of a phishing scam. It goes to show you that no one is immune nor invulnerable to this sort of malicious behavior.

The plaintiff/sellers in this case were both employees of DHS and will be referred to as A&M throughout this article. One of the plaintiff/buyers was also an employee of DHS and he and his wife will be referred to as J&C throughout this article. J&C sold residential property in New Jersey to A&M and hired attorney JI to handle the transaction. JI was not someone just out of law school, the complaint alleged, but in fact, had 24 years experience. His practice was focused on real estate law. Under the terms of the contract, the property was to be sold with a majority of the purchase price was to be wired to Bank of America to pay off J&C’s mortgage balance. This money was supposed to be coming from A&M’s real estate attorney’s office.

Instead of following the contract exactly, the plaintiffs allege that JI was duped by an email two days before the closing date sent by someone purporting to be a paralegal at A&Ms attorney’s office, changing the instructions. As you can guess, the money ended up where it was not supposed to, as the email/wire transfer was a fraudulent transaction. As a result, the perpetrators made large cash withdrawals from the fake account they had started at Bank of America. However, according to the pleading, Bank of America continued to charge late fees and proceeded with foreclosure on A&Ms property up until last month. A&M also asserts that Bank of America did not flag the matter as fraud when they should have and instead of going after the perpetrators of the phishing scam (John Doe 1-10), they continue to badger A&M about the mortgage payoff.

All the while, J&C continue to live in the house that they contracted for, one that is subject to foreclosure. To complicate matters, one of the plaintiff A&M’s security clearances was up for renewal shortly after this transaction, which then caused a flag in the investigation.

Legal Recourse and Clearance Clarification

Attorney JI and Bank of America were all predictably sued on several legal grounds, ranging from negligence in failing to follow industry standards when verifying transfers of money and unusual transactions, not following the terms of the contract carefully, and in Bank of America’s specific case, a demand to withdraw all defamatory credit reports and to restore A&M’s good reputation amongst lenders and security clearance investigators. John Doe 1-10 were sued as the parties that converted the property into their own.

So, for the purposes of taking the complaint on face value as true, how did an experienced real estate attorney fall for this scam? The allegations early in the pleading spell this out:

The State of New Jersey Department of Banking and Insurance issued Bulletin No. 18-04 on April 1, 2018 regarding wire transfer fraud. The bulletin noted increased rates of wire transfer fraud and informed companies to:

  1. Closely verify email address before use. JI did not verify the email address after receiving an email regarding the changed wiring instructions. Had he closely examined the address, he would have seen that it was sent from @kosbersglaw.com, as opposed to the correctly spelled @kosberglaw.com.
  2. Avoid web-based email. JI uses web-based email, Hotmail, rather than a law firm email address.
  3. Strictly follow business procedures for confirming validity of changes made to wire transfer instructions. Seller Firm had a warning notification on all email regarding fraud. The warning informed JI that any changes to wiring instructions needed to be confirmed via telephone and no changes were to be sent via email. JI did not acknowledge the warning. JI did not contact Seller Firm per the warning after receiving the fraudulent email to confirm the changed wiring instructions.
  4. Use a confirmation process -JI did not confirm via telephone with Seller Firm the changes to the wiring instructions upon receipt of the fraudulent email.

Whether the lawsuit will end favorably for the plaintiffs is still unresolved, but the above is almost textbook hacking/social engineering techniques: Legit looking email addresses, taking advantage of conducting business and confidential communications on a web based email server and capitalizing on lack of multi factor authentication in the transaction. The second and third order effects and the idea that this literally can happen to anybody, just goes to show you the importance of cybersecurity in today’s business world.

Related News

Joe Jabara, JD, is the Director, of the Hub, For Cyber Education and Awareness, Wichita State University. He also serves as an adjunct faculty at two other universities teaching Intelligence and Cyber Law. Prior to his current job, he served 30 years in the Air Force, Air Force Reserve, and Kansas Air National Guard. His last ten years were spent in command/leadership positions, the bulk of which were at the 184th Intelligence Wing as Vice Commander.