Wiring significant sums of money is a serious business. So why do we trust e-mail instructions to wire money?
KrebsOnSecurity carried an interesting story about an incident in late November 2016. Jon and Dorothy Little were all set to close on a $200,000 home in Hendersonville, North Carolina. Just prior to the closing date on December 2nd, their realtor sent an e-mail to the purchasers and to the law firm handling the closing, asking the settlement firm for instructions on wiring the money to an escrow account.
Fraudulent wire instructions were apparently sent by the hackers via the settlement law firm. It appeared that an attorney with the closing firm responded with wiring instructions as requested, attaching a document that had the law firm's letterhead (that was no doubt persuasive!) and some bank account information that was represented as the seller's account number. The Littles' realtor sent the wire on Thursday morning, the day before settlement.
The monies were never received, as the buyers learned at closing. Both legitimate parties to the transaction agreed that someone's e-mail had been hacked by the fraudsters, and was used to divert the wired funds to an account the criminals controlled. The hackers had forged a copy of the law firm's letterhead, and beneath it placed Bank of America account information.
The owner of the Bank of America account appears to have been a willing or unwitting accomplice - also known as a "money mule" - recruited through work-at-home job schemes to receive and forward funds stolen from hacked business accounts. In this case, the money mule wired all but 10 percent of the money (a typical money mule commission) to an account at TD Bank.
Read the post to learn how complicated it is to ever get your money back; most people never do. In this case, the FBI succeeded in having the resulting $180,000 wire transfer frozen once it hit the TD Bank account, and subsequent efforts to get a "hold harmless" letter were ultimately successful (after four months), perhaps because of the story posted by Mr. Krebs, and the Littles got their money back.
As Mr. Krebs advises, never wire money based on the instructions of one party to the transaction made via e-mail. You simply don't know if their account is hacked, so assume it is.
Agree in advance who will contact whom (preferably by phone) to receive the wiring details, and who will manage the wiring process. Always double-check any instructions for wiring money at settlement. Confirm all wiring instructions in person if possible, or else over the phone.
It's a dangerous world out there – I would never dream of wiring money based solely on e-mail instructions. The call is too easy to make to risk the loss of the monies.
HT Dave Ries.