We’ve all heard of hackers going to extreme lengths to steal information from their victims, but just how far will they go? A couple from North Carolina can attest to these unfathomable measures, having lost the contract on their new home to email hackers. An article on Graham Cluley depicts the nightmare suffered by the couple.
Jon and Dorothy Little were planning to close on a $200,000 North Carolina home in November 2016. The couple’s realtor had reached out for payment instructions from the law firm that was handling the closing of the Littles’ new home. The instructions arrived on letterhead from the law firm and stated the closing costs were to be paid via a wire transfer to a Bank of America account.
The Littles had sent the law firm some extra funds, and went to the firm on the intended date of closing to find out if they would get the money back. Unfortunately (and shockingly), the law firm had never received the money.
Security journalist Brian Krebs lays out what went wrong:
“After some disagreement, both legitimate parties to the transaction agreed that someone’s email had been hacked by the fraudsters, and was used to divert the wired funds to an account the criminals controlled. The hackers had forged a copy of the law firm’s letterhead, and beneath it placed their own Bank of America account information….”
Krebs goes on to explain that the owner of the Bank of America account was acting as a money mule, forwarding 90 percent of the funds sent by the Littles to a TD Bank. The FBI was able to freeze the money at the TD Bank; however, the couple was unable to recover their funds immediately due to a “hold harmless” agreement.
The Littles’ credit union refused to sign the agreement, which would give their credit union legal responsibility if costs were incurred by Bank of America resulting from the customer (hacker) challenging the reversal of the wire transfer. Since the Littles had wired the money willingly, even though they unknowingly sent it to the wrong recipient, the credit union declined to sign the agreement.
Jon Little recalls the difficult and frustrating experience he went through during this process:
“I talked to the wire dept multiple times. They finally put me through to the vice president of loss prevention at the credit union. I’m not sure they even believed all that was going on. They finally came back and told me they couldn’t do it. Their rules would not allow them to send a hold harmless letter because I had asked them to do something and they had done it. They had a big meeting last week with apparently the CEO of the credit union and several other people. Then they called me on Monday again and told me they would not could not do it.”
Not long after Krebs published his article regarding business email compromise (BEC) scams, specifically how one was successfully carried out on the Littles, their credit union notified them that the Bank of America would receive the hold harmless document. With the Bank of America receiving the document, the Littles could reclaim their stolen $180,000.
Unfortunately, the closing date for the house the Littles were planning to purchase in Hendersonville, NC passed, and the couple had no choice but to cancel their contract on purchasing the home. The Littles were able to purchase a townhouse with a very heavy mortgage, which they are now able to pay off using the recovered funds.
The moral of the story
Always verify payment instructions for a transaction. In this situation, the realtor should have verified the instructions with the law firm to confirm the bank account number provided on the letterhead.
Act quickly if a wire transfer feels suspicious or does not go as planned. In this situation, the Littles’ money had not left the United States, which may have been the sole factor allowing them to recover their funds.