Cyber criminals are now expanding their focus from targeting financial firms to attacking less suspecting companies such as real estate agencies. An increasingly popular bank details switching scam known as ‘Buyer Deposit Redirection Fraud’ involves a criminal posing as a solicitor over email and deceiving the customer into paying the deposit for a property into the criminal’s bank account instead of the solicitor’s own account.

Recent statistics from Action Fraud UK show that the number of incidents per month in the UK have increased steadily over the last three years with the average loss per incident valued at £102,584. In March 2016 there were more than three times the incidents reported than in the same month of the previous year.

buyer-deposit-redirection-fraud-statistics-graph

Number of monthly reported Buyer Deposit Redirection Fraud cases (July 2013 – April 2016)

Buyer Deposit Redirection Fraud is becoming increasingly popular because of its relatively low-tech barrier and potential for criminals to net huge payoffs. There have also been reports of this scam occurring in the United States, Australia and South Africa.

How the scam works

The criminal starts by monitoring the email conversation between a real estate agent or solicitor and a customer. Criminals typically gain access to one of the parties’ email accounts using a phishing or malware attack. Once the solicitor emails their bank account details to the customer the criminal will typically send a follow up email from the solicitors email account (if they have gained access) to inform the customer that their bank details have changed. Once the customer transfers the deposit into this new account the criminal quickly transfers the money away to a variety of other bank accounts before it can be recovered.

If the criminal has only gained access to the customer’s email account they will usually purchase a domain name that is very similar to that of the solicitor or real estate agency and create an email address that will look almost identical to the solicitor’s.

How to protect yourself

The most important thing to do is to prevent criminals from gaining access to your email account. Always remember this rule:

Never open an attachment or click on a link in an email from someone you do not trust, no matter how tempting it is.

Criminals will try to gain access to your email account by sending you an email with a malicious attachment that appears to be something tempting to open such as a proof of payment, PO number, tax rebate, bank statement or overdue invoice. Once you open these you could be unwillingly tricked into giving up your email username and password (phishing) or accepting a prompt to allow macros or additional scripts that will secretly install malware on your computer. Once they have obtained your email login details or successfully installed a malware agent on your computer then they are in a prime position to commit the scam and just need to wait for the right time to strike.

Another precaution can be to use two-factor authentication or change your email account password regularly, typically every 30 days. However, in a lot of cases corporate email addresses are controlled by the IT administrator and so this can be a cumbersome process. It  also won’t prevent the scam from being carried out using malware.

Sending bank details securely

If you want to send bank details to a customer securely and prevent criminals from impersonating your organisation then we recommend creating a certified digital document with Verity. The process is simple, just create a normal PDF with your company letterhead and bank details and then sign the PDF with your Verity account. You can then send this PDF to anyone who will have the ability to verify that it was genuinely issued by your organisation. An extra check like this can go a long way to providing peace of mind to customers before they make large transfers.