The last few months have meant a shift for many of us, working remotely, relying on virtual platforms to communicate with others and complete tasks we may have done face-to-face in the past. Not only have we shifted, but so have cyber thieves, who were ready to jump at the chaos a global pandemic brings.
Industry specific targeting
Real estate transactions have always been targets of cyber fraud and fraudsters’ efforts appear to have accelerated in the last few months.
In a presentation during the 2020 Fund Assembly, Tom Cronkright, co-founder and CEO of CertifID and CEO of Sun Title, shared that roughly 2,000 purchase transactions are taking place every hour around the country, moving more than $400 million dollars through escrow accounts.
The Fund Assembly is a 56 year annual tradition. This first completely virtual Fund Assembly was held on June 11th and 12th as creative and safe alternative during the COVID-19 pandemic.
“We know now that the fraudsters, especially in light of current situations we find ourselves in, are trying to divert these funds to fraudulent accounts,” he said, noting that since the pandemic started there have been spikes in nearly all sectors of cybercrime.
“It was active before the pandemic and is even more active now,” Cronkright said. “We have to take a step back and I’ve had to do it in our title operations, and identify the areas where your company and customers may be vulnerable to a cyber-attack or wire fraud. There are so many different stressors right now that our employees have to deal with – insanely busy pipeline, working from home, providing safe and compliant contactless closings are all hitting at once. Prior to COVID, the industry was equipped with the busy TRID-Tuesdays and the Thursday/Friday closing calendar at the end of the month. They are used to that, they have muscle memory of that.
“We were not prepared to perform at the same level while being forced to educate our children from home, scavenge for toilet paper and jockey the dog so the barking is not overheard on the next Zoom session,” he continued. “That said, the title industry is made up of resilient and inspiring people and we rose to the occasion and got it done!.”
As the country pivoted to working from home, cyber perpetrators have used this as an advantage to deploy cyber scams meant to steal information or funds passing between parties in a transaction. He noted, “The amount of compromised systems is up over 200 percent, and incoming reports to the FBI, hacking attempts or actual hacking has surged to four times in recent months. They are coming at our folks, they are coming at us, and you’ve probably seen that in many different ways.”
One of the schemes he has seen increase is personal extortion, where scammers are going to those working from home, getting access to their computer and saying they are going to expose what the person is doing when no one is watching if they don’t pay the hacker some type of money. This is personal digital extortion of the individual.
He noted that ransomware has increased in velocity, a lot of it related to pandemic and COVID-related messages. They may get you to click on what you may believe to be new information from WHO or the CDC, and when the person downloads it, unwanted software gets written into a network drive.
COVID-related business email compromise is also on the rise, connected with phishing schemes. Cronkright shared as an example ZOOM-related phishing schemes.
“Everybody has moved to some type of audio-video communication—ZOOM, GoToMeetings, GoogleHangouts, Slack,” he said. “Based on executive orders, we’ve had to move from our in-person closings and now we can have that same experience from a compliance standpoint over a recorded webinar similar to this. The fraudsters see this coming and just since the beginning of the year, 17,000 new domains were registered with the name ‘ZOOM’ in them.”
Abnormal Security in May reported on two industry-related phishing schemes that illustrate the strategies fraudsters are using in its Abnormal Attack Stories.
The first was a report May 8 said attackers impersonated a notification from DocuSign to steal credentials from employees. It stated that the attacker copied the content used by real DocuSign emails, claiming that there is a document sent to the user for review from “CU #COVID19 Electronic Documents,” with no further details of what the document is. It hit 15,000 to 50,000 mailboxes.
It noted that Abnormal Security has seen a large increase in COVID-19 related attack campaigns. It stated that these attacks are similar to those previously seen, but with coronavirus-related vocabulary.
“The attack impersonated DocuSign and included official images used by the company,” the report stated. “The email had many embedded links in the email, some of which led to authentic DocuSign webpages. If not careful, one could believe the email was safe because many aspects of the email looked authentic. However, as we saw, the email contained a malicious URL that hosted a DocuSign phishing credentials webpage.”
On May 18, it reported that the Navy Federal Credit Union was victim of a phishing attack affecting more than 70,000 mailboxes. The attackers sent an email claiming to be from U.S. Navy Federal Credit Union, stating that the user received $1,100 due to the COVID-19 pandemic. It states that if the user has not received their funds, they must validate their account information with the provided link.
Abnormal Security noted: “Given the current pandemic, some individuals would have been still waiting to receive their stimulus check from the government. In the case that the user has not yet received their relief funds, they may be more inclined to believe this email.”
“The attacker sent themselves the email (as seen in the to-field of the email attack), while the victim’s email address was placed in the BCC field,” the report stated. “The email body itself is vague and contains no personalization. This is a common tactic used by attacks to mass send this campaign, in order to hide who else was affected by this attack, as well as expand their net of targets.”
Cronkright also noted new payment-related scams. For example, sending an email purportedly from the president saying he needs to send money from the U.S. Treasury and if you send him $50, he’ll drop the money into this account.
“Other scams are more personal and sinister as they relate to consuming information on COVID guidance,” he said. “These are allegedly coming from the World Health Organization. It provides a kind of teaser of some highlights of local COVID activity, but it is a scam designed to get someone to download a document that is included in the email. If you download that document, it has malicious software embedded in it that will automatically introduce bad things into your computer or network”
He said these have a very high click rate as people continue to be curious and fearful of COVID. “Everyone’s life has been turned upside down this year,” he said. “Having to adjust to massive change has led many people to be less skeptical of information that is sent to them. This could lead to clicking on a malicious email, providing user credentials to an email or other account or relying on ‘new’ wiring instructions that are sent via email or fax for a disbursement wire transfer.”
Cronkright encouraged attendees to advise family members, employees and anyone else in their ecosystems to think twice about clicking on or responding to any emails or messages that are coming in unsolicited. “If you want a COVID update, go to a trusted media or health department source and spend a few minutes finding what you are looking for – this could mean the difference between staying safe and being a victim of fraud,” Cronkright said.
Thriving in this “New Normal”
We’ve been through imaginable change this year and while no one can predict the future, it appears that social distancing, masking up and virtual interactions will be part of our day-to-day lives for some time. While there has been a spike in fraud activity, there are things that can be done. “Cyber security requires the alignment of people, process and technology,” said Cronkright. “Empowered and trained people, a clear and measurable set of procedures that comply with best practice and leveraging to protect your network, data and the transfer of funds will reduce the attack surface and provide more protection for all transaction participants.”