ABC’s Shark Tank is known for providing entrepreneurs an opportunity to pitch their business ideas on TV to a panel of five investors (referred to as “sharks”), but unfortunately one of those high profile sharks was recently targeted by a cybercriminal intent on stealing some of her hard-earned cash. And they used the most lucrative attack method in cybercrime - business email compromise (BEC).
Barbara Corcoran, one of the very successful sharks, recently provided a firsthand account regarding how cybercriminals targeted her and her staff. This is how the Barbara Corcoran email scam occurred: it was clear these attackers did their reconnaissance and came prepared. They sent her bookkeeper a fraudulent email (pretending to be Barbara’s assistant) and asked for an invoice payment related to a real estate renovation. And because the fake email address was only one character off, it was easily missed by the human eye. The BEC attack was unfortunately spotted after the fraudulent payment of nearly $400,000 had been completed*.
Corcoran’s company isn’t alone in being targeted by BEC attacks. Earlier this month, the FBI’s Internet Crime Complaint Center (IC3) issued a significant warning by reporting that BEC accounted for $1.77 billion in losses across 23,775 complaints in the US in 2019. That number only captures losses reported by American individuals and businesses. Last year, the FBI reported that BEC has cost organizations around the world more than $26 billion since 2016.
BEC is the most expensive problem in all of cyber security. In fact, BEC accounted for more EMEA cyber insurance claims in 2018 than both ransomware and data breaches. This high-profile episode demonstrates that BEC is something everyone can fall victim to, especially in real estate.
How the Attack Unfolded
BEC attacks are a modern variation of old-fashioned wire scams. An attacker identifies someone in a company and tries to convince them to wire or transfer money right away. In an interview about the phishing scam, Corcoran explains what happened in her case, “It was an invoice supposedly sent by my assistant to my bookkeeper approving the payment for a real estate renovation. There was no reason to be suspicious as I invest in a lot of real estate.” TMZ has posted a copy of the scam email chain here.
This is a classic BEC tactic, especially for real estate. As we recently noted, real estate BEC and other fraud-focused attacks have increased and have expanded to include all aspects of the real estate transaction chain, including renovations. In Corcoran’s case, the attackers focused on her bookkeeper and sent a fake invoice for real estate renovation supposedly (but not actually) from her assistant. This is consistent with attack trends we’ve seen. The attackers targeted an important person in the company with the ability to expedite money transfers. They provided false but plausible instructions from someone their target would trust, in this case Corcoran’s assistant and they used an urgent fake renovation invoice.
Other reports indicate that Corcoran’s bookkeeper replied to the email asking questions and received replies from the attackers, which is also consistent with BEC attacks. Sometimes the attacker will engage in back-and-forth exchanges, helping to increase the credibility of the social engineering used in the attack. Further, the attackers made sure to use a real company in Germany as the ostensible payee to increase the credibility of the attack.
Corcoran continues to explain how this unfolded saying, “The money was wired to the scammer yesterday and my bookkeeper copied my assistant, who was shocked to see her name on the correspondence. The detail that no one caught was that my assistant’s email address was misspelled by one letter, making it the fake email address set up by the scammers.” This is consistent with BEC attacks: the attackers used a fake email account that was easy to mistake as being legitimate.
Corcoran goes on to say, “The scammer disappeared, and I’m told that it’s a common practice, and I won’t be getting the money back.” Sadly, she is likely correct on both counts. Typically, once money is wired out like this, it’s nearly impossible to recover if an attack is discovered after the fact.
How to Better Protect Yourself
We commend Corcoran for being open about how she was targeted by BEC attackers. By raising awareness that BEC attacks are very pervasive and can target anyone she will likely help stop similar attacks from being successful. If Barbara Corcoran’s company can fall victim to this, it means many others can too.
From a protection standpoint, if you are in the real estate industry or are involved in a transaction, it’s important to understand that you are at a very high risk when it comes to cybercrime. We’ve seen phishing attackers targeting homebuyers, real estate agents, contractors, insurance agents, and others. Everyone involved in real estate transactions is at risk of these kinds of attacks.
Second, be sure you have visibility into your most targeted employees, your security technology stops BEC attacks before they can reach employees, and provide cybersecurity awareness training to help your most at risk employees spot cybercriminal behavior. People like bookkeepers, chief financial officers, their assistants are all higher value targets for BEC attackers.
Third, exercise caution with emails and communications that you receive, especially when it involves financial or legal transaction information. Take time to verify through another channel that instructions you’ve received are legitimate. Take a moment and call the purported sender at a phone number you know is accurate to "voice-verify" the legitimacy of the request. A two-minute call to verify can literally save hundreds of thousands of dollars.
While there is no “silver bullet” to prevent BEC attacks, they often follow predictable patterns. By understanding what happened to Corcoran’s company, you can better understand how it could happen to you and take steps to better protect yourself. To learn more about how to protect people against BEC and EAC attacks, watch our How to Solve the $26 Billion Problem of BEC and EAC webinar. For more information on defending against identity deception tactics used in BEC attacks, be sure to read our Guide to Stopping Email Fraud.
*Update: This story turns out to have a happy ending. On March 2, 2020, it was reported that Corcoran was able to recover her lost funds. While Corcoran’s story ended well, recovering stolen money is extremely rare in most situations. The attack that Corcoran described serves as a reminder of the importance of taking steps to protect against these kinds of threats.