Cyber criminals are now targeting the real estate industry

Cyber criminals are now expanding their focus from targeting financial firms to attacking less suspecting companies such as real estate agencies. An increasingly popular bank details switching scam known as ‘Buyer Deposit Redirection Fraud’ involves a criminal posing as a solicitor over email and deceiving the customer into paying the deposit for a property into the criminal’s bank account instead of the solicitor’s own account.

Recent statistics from Action Fraud UK show that the number of incidents per month in the UK has increased steadily over the last three years, with the average loss per incident valued at £102,584. In March 2016 more than three times as many incidents were reported as in the same month of the previous year.

Number of monthly reported Buyer Deposit Redirection Fraud cases (July 2013 – April 2016)

Buyer Deposit Redirection Fraud is becoming increasingly popular because it has a relatively low technical barrier to entry and offers criminals the potential for huge payoffs. There have also been reports of this scam occurring in the United States, Australia and South Africa.

How the scam works

The criminal starts by monitoring the email conversation between a real estate agent or solicitor and a customer. Criminals typically gain access to one of the parties’ email accounts using a phishing or malware attack. Once the solicitor emails their bank account details to the customer, the criminal will typically send a follow-up email from the solicitor’s email account (if they have gained access) to inform the customer that their bank details have changed. Once the customer transfers the deposit into this new account, the criminal quickly transfers the money away to a variety of other bank accounts before it can be recovered.

If the criminal has only gained access to the customer’s email account they will usually purchase a domain name that is very similar to that of the solicitor or real estate agency and create an email address that will look almost identical to the solicitor’s.
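The lookalike-domain variant described above can be caught on the receiving side by comparing each sender domain against the domains you already deal with. The following is an added example, not code from Verity; the trusted domains, the character-swap table and the distance threshold are assumptions chosen for illustration.

```python
import unicodedata
from typing import Optional, Tuple

# Constructed allow-list of domains the firm really corresponds with (placeholders).
TRUSTED_DOMAINS = {"smith-solicitors.example", "harbour-estates.example"}

# A few character swaps seen in lookalike domains; illustrative, not exhaustive.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "|": "l"})


def skeleton(domain: str) -> str:
    """Comparison form: lowercase, accents stripped, common swaps folded."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return d.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def classify_sender(address: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(skeleton(domain), skeleton(trusted)) <= max_distance:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sender addresses.
    for sender in ("clerk@smith-solicitors.example",
                   "clerk@srnith-solicitors.example",
                   "clerk@smlth-solicitors.example",
                   "news@unrelated-shop.example"):
        print(sender, classify_sender(sender))
```

This check only helps against the lookalike variant; a message sent from the solicitor’s genuinely compromised account comes from the trusted domain and passes it.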

How to protect yourself

The most important thing to do is to prevent criminals from gaining access to your email account. Always remember this rule:

Never open an attachment or click on a link in an email from someone you do not trust, no matter how tempting it is.

Criminals will try to gain access to your email account by sending you an email with a malicious attachment that appears to be something tempting to open, such as a proof of payment, PO number, tax rebate, bank statement or overdue invoice. Once you open it, you could be unwittingly tricked into giving up your email username and password (phishing) or accepting a prompt to allow macros or additional scripts that will secretly install malware on your computer. Once they have obtained your email login details or successfully installed a malware agent on your computer, they are in a prime position to commit the scam and just need to wait for the right time to strike.

Another precaution can be to use two-factor authentication or change your email account password regularly, typically every 30 days. However, in a lot of cases corporate email addresses are controlled by the IT administrator and so this can be a cumbersome process. It also won’t prevent the scam from being carried out using malware.

Sending bank details securely

If you want to send bank details to a customer securely and prevent criminals from impersonating your organisation then we recommend creating a certified digital document with Verity. The process is simple: create a normal PDF with your company letterhead and bank details and then sign the PDF with your Verity account. You can then send this PDF to anyone, and they will be able to verify that it was genuinely issued by your organisation. An extra check like this can go a long way to providing peace of mind to customers before they make large transfers.

Discussing document fraud at The Cyber Security Show

This year Verity will be attending The Cyber Security Show, taking place on the 8th and 9th of March at the Business Design Centre in London.

During the conference we’ll be giving a talk on the issues around document fraud and its use in social engineering. More specifically we’ll be talking about:

  • The increasing digitalisation of business transactions and why this needs digital documents.
  • The ways in which digital documents can be forged and falsified by malicious parties.
  • Verity’s approach to creating a document verification system that all parties can trust.

The talk will take place at 12:50 on the 8th of March at the Seminar Theatre. If you’d like to discuss any document fraud issues you’ve experienced then be sure to find us after the talk. Alternatively, you can get in touch with us if you’d like to set up a meeting while there.

Verity joins CyLon accelerator programme

We’re extremely excited to announce that Verity will be joining the CyLon winter accelerator programme from the 11th of December 2015 to 18th of March 2016. CyLon is Europe’s first cyber security startup accelerator and incubator space that focuses on developing the next generation of startups in the cyber security industry.

During the programme Verity will be based at the CyLon offices in Hammersmith, London. If you would like to meet with us during this time please get in touch using our contact page.

More information on the programme can be found on the CyLon website.

 

Certify your documents using a domain name

In our latest update we’ve added the ability to certify your documents using a domain name. This is useful for institutions like banks, government departments and online retailers who issue electronic documents from their websites. When people check these documents they will now be able to see the web address that they were certified from.

To enable domain name certification for documents you will first need to prove that you own the domain name. To do this, log into your account and navigate to Domain Names > Verify Domain Name to begin the setup process. The setup process will require you to create a TXT record for your domain name with the prefix ‘verity’. So if your domain is google.com you will need to set up a TXT record that looks like this: verity.google.com. When that domain name is requested it must display the token that is supplied to you during the domain verification setup process in order to complete the verification.
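Before completing verification it is worth confirming that the record resolves to exactly the token you were given. The following is an added example, not Verity’s code: it assumes the TXT value must equal the token exactly, takes the answers as strings in the quoted form that `dig +short TXT` prints, and uses a constructed domain and token.

```python
import hmac
import re
from typing import List

PREFIX = "verity"  # label the page says to put in front of the domain


def record_name(domain: str) -> str:
    """Name of the TXT record to create, e.g. verity.example.com."""
    return f"{PREFIX}.{domain.strip().rstrip('.').lower()}"


def txt_value(rdata: str) -> str:
    """Join the quoted character-strings of one TXT answer into one value."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:  # answer given as a single unquoted string
        parts = [rdata.strip()]
    # Undo backslash escapes of single characters (not \DDD decimal escapes).
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)


def token_published(answers: List[str], token: str) -> bool:
    """True if any TXT answer equals the issued token exactly."""
    found = False
    for rdata in answers:
        if hmac.compare_digest(txt_value(rdata).encode(), token.encode()):
            found = True
    return found


if __name__ == "__main__":
    # Constructed token and answers; a long TXT value may be split into chunks.
    token = "tok-CONSTRUCTED-1234"
    answers = ['"v=spf1 -all"', '"tok-CONSTRUCTED-" "1234"']
    print(record_name("Example.com."), token_published(answers, token))
```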

Domain name certifications are the latest addition to our Certification Level program which will allow organisations to certify their documents with increased security.

PrizeCloud certifies documents with Verity

The mobile competitions service, PrizeCloud, is now certifying its prize draw certificates using Verity’s document certification service. PrizeCloud awards some substantial prizes using its grand draw mechanism and so for each grand draw the PrizeCloud system creates a PDF certificate showing the date and winners of the draw.

By using Verity’s document certification API PrizeCloud can now provide completely transparent reports for 3rd party audits showing how all prizes were allocated. Below is an example of a typical prize draw certificate that PrizeCloud issues.

Draw results example (PDF)

This document has been certified and can be verified using the Verity validation page.

Verity document certification is now in public beta

We’re extremely excited to announce that Verity’s document certification service is now online in public beta! This first release allows users to create an account and begin certifying digital documents using their email address as an identity. Recipients of the signed (certified) documents can then verify the authenticity and signatory of the document.

Certifying a document

Once you’ve created an account and verified your email address you will be able to start signing documents using your email address as an identity. This means that when people verify the document they will see your name and email address as the signatory. Documents can be certified using the drag and drop web interface or sign API method. When signing your document you can also choose to email it to someone after it has been certified. Another thing to note is that Verity never stores your documents on our server and we never see the contents of your document. We only keep a record of the document’s unique digital signature that is captured in the certification process.

Verifying a document

Once your document has been signed, anyone can verify its authenticity using the web interface or validate API method. If the contents of the document are changed in any way after it was signed then the modified version of the document will no longer be recognised. If you would like to make a change to your document it will need to be signed as a new document. This is so that people can always be sure that the version of a document they have was signed by you or your organisation.

What’s next?

In future releases we plan to support additional identity verification checks that will allow organisations to sign documents with an increased level of security; this is part of our Certification Level programme. Currently the Verity document certification service is free to use until further notice. If you have any feedback we’d love to hear it! Just get in touch with us using the contact page.