Even mortgage transactions aren't safe from scammers

Imagine making a successful offer for your dream home and getting your mortgage approved. While you’re waiting for the closing process to begin, you receive an email from your real estate agent stating that the buying timeline has changed. To expedite the closing process, they ask you to wire the settlement fees to a specified account immediately. Not wanting to lose the home after coming this far, you comply, only to find days later that your bank account has been cleared out. This, sadly, is the reality for some unfortunate home buyers today. Real estate organizations, like the National Association of Realtors, as well as government departments such as the Federal Trade Commission, have been monitoring this scam, which started in March of last year. Here’s what you need to know about this frightening occurrence and how you can fight it.

How this mortgage scam works

Phishing is a key part of the scam, as hackers essentially break into real estate agents’ emails to look at recent home purchases and inquiries. When they find an agent with clients entering into closing, they hijack that email account and pose as the agent. What makes this more insidious than other phishing scams is that it leverages home buyers’ trust by using an authentic email address they’re familiar with. Another issue is that a lot of would-be homeowners want to appear agreeable rather than risk losing the house they negotiated so hard to get. So while someone more detached from the situation might be critical, eager home buyers, especially first-time buyers who may not be familiar with the process, are likely to accept any strange changes as a natural part of the process.

Although real estate agents and home buyers are the main targets of the scam, anyone else working with them is also in danger. Depending on how hackers go about eavesdropping, they can get the details of everyone the agent has communicated with — the buyer, the seller, other agents, title company representatives, etc. — which could expose plenty of information, including the buyer’s bank account. Aside from committing identity fraud with the information, hackers can also pretend to be any of the parties in the transaction should they decide to approach their scheme from another angle or attempt a phishing attack on others who are involved in the deal.

How to prevent it

If you ever receive an email from your real estate agent telling you that you need to wire funds as soon as possible, the best way to confirm its legitimacy is to call your agent or meet them in person and ask them about the email (be sure to bring a copy). Any requests to send sensitive information via email as well as sudden changes to prior agreements should be discussed in person. Keep in mind, if a hacker gains access to your real estate agent’s emails, they likely have your phone number, so you should be sure to follow the phone scam avoidance technique of always calling your agent directly, using the number they’ve always used. A hacker’s deception only extends to conversations they initiate, so by asking for clarification over the phone or in person, you’re keeping everyone in the loop and stopping fraud from happening.

Aside from this, basic cybersecurity tips are also applicable here:

Use precaution when you’re online. Since the Internet is full of scammers hoping to gain access to your bank account, credit card or other personal information, you’ll want to always think before you click on any link sent to you via email or social media. If you’re not sure whether or not it’s legitimate, opt to not click on it. The National Association of Realtors suggests that you “[s]tart from the assumption that any email in your inbox could be a targeted attack from a criminal.” While it might seem excessive, it’s this kind of skepticism that’s needed to prevent you from clicking strange links and unknowingly downloading malicious files. You should forward any suspicious emails to other parties involved in the transaction, then call them to verify if the contents are legitimate, as detailed above. To help you avoid visiting suspicious sites, you may want to consider enlisting the help of Internet security software, which will alert you if you’re ever about to visit an insecure site.

Keep everything up to date. Making sure your browser, operating system, passwords, apps and software are updated frequently is more important than you think, as updates make sure these things are not susceptible to common exploits. As such, it’s important to not only check for updates frequently, but also make sure you don’t ignore any updates that pop up on your device. When it comes to passwords, the rule of thumb is to make them long, incorporate special characters and numbers and never reuse the same password twice. Consider using a password manager to help you keep track of passwords and ensure you aren’t falling into the bad habit of reusing them.

Don’t enter personal information on unsecure sites. This rule applies to any website you visit, and not just ones you receive via email. If you are ever about to input any personal information or log into a website, you’ll want to make sure the URL has HTTPS at the beginning, as the “S” stands for secure. If you do receive a link via email and want to verify the legitimacy before you click on it, you can do so by completing a simple Google search or looking up the domain owner with the domain name registry WHOIS. If the domain name owner is someone other than a legitimate company — for example, bankofamerica.com is owned by Bank of America — that’s usually a tell-tale sign of a scam.

Ask your real estate agent about their cybersecurity practices. Although this may be something you’re not too enthused to do, it may be an important thing to inquire about, especially since your real estate agent will have access to all of the documents with your sensitive information, like your social security number, household income, loan information and more, which could be detrimental if they land in the wrong hands. As such, it’s your right as a potential buyer to ask your real estate agent, bank and the other parties involved which cybersecurity precautions they take on their end. They should be able to give you a general idea or provide you with documentation explaining their company’s privacy and cybersecurity policies. The National Association of Realtors follows general best practices as well as practices that’ll protect both agents and their clients from cyberfraud. Even if your agent is unaffiliated with the Realtors organization, you can opt to suggest these cybersecurity standards to them.

If you become a victim of this scam …

If you are or think you might be a victim, you should notify all of the parties and banks involved in the transaction via phone or in person (remember that their email was hacked). In addition, consider calling the police and reporting it to the FBI via its online Internet Crime Complaint Center. Unfortunately, even with all of these resources, the FTC notes that it’s rare for people to get anything back.

Scams are terrible, but you don’t have to let them ruin your life. Take a look at our scams blog to see how you can defend yourself from other scams. If you were recently a scam victim, you might want to look into an identity theft protection service, which can help you keep tabs on your personal information and credit reports, even after your information has been compromised. Visit our identity theft protection reviews to learn more about these services.