Threat Spotlight: Spear Phishing for Mortgages — Hooking a Big One

Print Friendly, PDF & Email

Buying a house is one of the most important purchases people ever make, and often one they’ve been saving for years in order to finally place their signature on the closing documents. When you think about the amount of time and effort it takes to not only find the perfect house, get an offer accepted, and ultimately make it through the signing process — the deep breath at the end is truly refreshing. But what if that breath got delayed, or worse — never came because a cybercriminal interfered with the process and had the loan payment wired to them instead of the seller? This nightmare scenario can have substantial financial consequences for the homebuyer. They could end up losing the house, a whole lot of money, personal information, and much more.

Sadly this is a real scenario, and as spear phishing attacks continue to increase — people, businesses, and brands should be on high alert. In this month’s Threat Spotlight, we take a look at a recent attack attempt that was made at the eleventh hour of a mortgage deal in an effort to trick a home buyer into wiring a large payment into the wrong hands.   

Highlighted Threat:

Spear Phishing for Mortgages — the attacker attempts to interfere with a mortgage closure and almost runs off with a large sum of money if it wasn’t for an alert user.

The Details:

*Some sensitive information has been changed in the details below to protect the privacy of the people involved in this attack.

All seemed to be going according to plan. The homebuyers had just a few last-minute tasks to complete, and they’d have the keys to their new home. Of the remaining tasks — the time had come for the buyers to wire funds to close escrow. However, on the day that the buyers were set to wire funds, they received an email from their mortgage company stating that they switched banks, and to follow the updated wiring instructions in the email attachment.   

Actual message received by the homebuyer from the attacker.
This is certainly a curious message that should raise questions from homebuyers, especially considering that it’s asking for funds to be wired differently than what was originally expected. On the other hand, there’s plenty of evidence that mortgage scams continue to bring in revenue for criminals so anyone buying a home needs to be aware of the risk.

Fortunately in this instance, the message raised a red flag and the client immediately called his mortgage agent to investigate before proceeding. Aside from the curious message itself, when the client took a closer look at the actual sender’s email address — the domain didn’t match the one listed in the real mortgage agent’s email signature. The attackers spoofed the domain to appear like it was an actual message from the client’s mortgage agent. An easy way to tell if the domains match is to hover your cursor over the sender’s address and a window will appear that identifies the actual address.

In addition to the spoofed domain, the attacker includes an attachment and asks the client to follow the instructions inside to make the wire transfer. If the request itself isn’t odd enough, there’s always a risk involved in opening an attachment. Even though the attacker is clearly trying to convince the homebuyer to wire money, an attachment like this could contain other malicious activity such as ransomware or other types of malware. When in doubt, don’t open attachments.

In this attempted scam, the homebuyer did everything right to avoid a cyber catastrophe. He was alert enough to question the initial request, then identified the spoofed domain, and immediately called his mortgage agent to confirm that the message was, in fact, a scam. What he found even more alarming with his situation, was the reaction that he received from the mortgage company. They mentioned that it’s a wide-spread problem, but they didn’t seem interested in looking into the issue any further.

In this incident, the target did not fall for the hook. However, there have been several news reports of other similar incidents, where unfortunately the victims were not as lucky.

To recap, the techniques used in this attack were:

  • Spear phishing: The attacker attempts to bait the recipient into wiring money. 
  • Impersonation: The attacker is pretending to be a mortgage agent.
  • Spoofing: The sender’s email address is spoofed by the attacker.

Take Action:

Although the example above was ultimately sniffed out by the instincts of a savvy home buyer, there are some approaches along with simply being aware of such frauds that users can take to avoid these types of scams. Training is obviously a big one because if users are more aware of what to look out for in potential attacks, they’ll be much less likely to fall victim or even engage in any type of questionable communication with criminals. Taking a proactive approach with not only user training, but by also addressing any threat vectors with the proper IT security technologies can significantly lower the risk for an attack. One of the reasons spear phishing continues to be so successful for criminals is because traditional email security gateways often fail to detect these highly-personalized, social engineering attacks. Along with user training, Barracuda recommends an approach with multiple layers of security to stay safe from spear phishing — this could include:

  • Email Security — this should include features like Advanced Threat Protection, link protection, and anti-phishing protection to stop malicious activity before it ever reaches users.
  • AI for real-time spear phishing and cyber fraud defenseBarracuda Sentinel is delivered as a cloud service and combines three powerful layers: an artificial intelligence engine that stops impersonation attempts and spear phishing attacks in real time; domain fraud visibility using DMARC authentication to protect against domain spoofing and brand hijacking; and anti-fraud training including simulated attacks for high-risk individuals in the organization.

Lastly, if you’re curious whether your company has been the victim of a spear phishing attack, try our Barracuda Email Threat Scanner. It’s a free tool that scans your Office 365 account for advanced persistent threats and phishing risks.


More Threat Spotlights:

Asaf Cidon, VP of Content Security Services, Barracuda 
Asaf Cidon is Vice President, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel utilizes artificial intelligence to learn the unique communications patterns inside customer organizations to identify anomalies and guard against these personalized attacks. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion. 

You can connect with Asaf on LinkedIn here.


Scroll to top