Hackers and Mortgage Fraud: The Perils of Using Free E-Mail Providers

Do you use a free e-mail account for work? If you don’t, does anyone in the e-mail list on a pending transaction utilize a free e-mail account (as opposed to a company-issued e-mail)? Beware: these free e-mail accounts may have security vulnerabilities that substantially increase the risk of fraud and theft in real estate transactions. While free e-mail accounts offer both convenience and portability, many lack the firewalls, virus protection, and other security apparatuses of company-issued e-mail accounts. The mortgage industry should be on alert for these risks, as exemplified by the series of events below.

Recently, a lender and borrower nearly suffered a $500,000 loss after a Russian hacker assumed control over the Gmail account of the borrower’s real estate broker. The transaction involved the borrower’s purchase of a new $500,000 home; the borrower put $46,000 down, and financed the rest with a $454,000 mortgage loan. The borrower was represented by a real estate broker, who utilized his Gmail account to communicate with all parties to the transaction, including the borrower, lender, and escrow company.

Unbeknownst to the broker, a Russian hacker had gained access to the broker’s Gmail account with a virus that the hacker had transmitted through an e-mail to the broker’s Gmail account; a virus that provided the hacker with full access to the broker’s account (your company-issued e-mail account likely has firewalls and other security apparatuses to prevent a hacker’s access). Once the virus was planted, the Russian hacker patiently monitored the broker’s communications. The hacker watched as the broker congratulated the borrower when the seller accepted the borrower’s offer; watched as the broker opened escrow; watched as the broker communicated with the lender about the borrower’s lending arrangements; and watched as the transaction prepared to close. Importantly, the last e-mail chain in the transaction occurred less than 24 hours prior to closing, and included wire instructions from the escrow company for the down payment and loan proceeds, that were transmitted to the broker, borrower, lender, and the lender’s bank holding the loan proceeds.

At this point, there was nothing left to do in the transaction but wire money. The borrower’s loan had been approved, the borrower had signed their loan documents, and everything had been submitted to escrow for recordation. It was during this window that the Russian hacker emerged to hijack the wires. With full access to the broker’s Gmail account, the hacker wrote an e-mail from the broker’s account to the borrower, instructing the borrower to tell his bank to wire his down payment funds to a new bank. In these new instructions, the payee became the hacker’s intermediary bank account in the Philippines, which was set up to immediately route the wired funds to the hacker’s bank account in Russia. The unsuspecting borrower contacted their bank and provided these new wire instructions.

The hacker’s next move was to send these same wire instructions to the lender’s bank. The hacker was sophisticated enough to recognize that a mere e-mail request would not do, and created a forged set of escrow instructions on the escrow company’s letterhead that contained the new wire instructions. These forged instructions were then e-mailed through the broker’s Gmail account to the lender’s bank. Additionally, and to avoid any suspicion, the hacker’s e-mail to the bank not only included the complete chain of e-mails between the parties, but also made it appear that the escrow company itself was included on the e-mail. The broker did so by subtly altering the escrow officer’s legitimate e-mail account by merely deleting one letter (thus, rather than the e-mail going to, it went to With the escrow officer cut out of the loop, nobody suspected that the wire instructions that appeared on the escrow company’s own letterhead were forged. Like the borrower, the lender’s bank followed these new instructions and wired $454,000 to the hacker’s bank in the Philippines.

The day of closing, the escrow officer received a call from the broker: “where are the keys?” With escrow not having received any funds to close, it had not released the keys to the borrower’s new home. Because of the quick thinking and action by the escrow officer and others at the escrow company, the hacker’s plot was foiled at the last possible moment.

Immediately upon learning that the wires had not hit the escrow company’s bank account, a team at escrow, comprised of corporate decision makers and the escrow officer, became involved. The escrow company immediately took steps to trace the wires from the banks of the borrower and the lender. Upon discovering that the wires had been issued to a bank account in the Philippines, the escrow officer contacted the Philippine bank. Within minutes of being on the phone with the bank, the first wire with the borrower’s $46,000 down payment hit. A few minutes after that, the second wire with the lender’s $456,000 loan proceeds hit. While both wires were automatically set to be routed to the hacker’s Russian bank account, that transfer was put on hold by the Philippine bank while it investigated. Once the escrow company provided sufficient information to confirm the fraudulent nature of the wires, the Philippine bank rejected both wires, and the funds went back to the respective bank accounts of the bank and the borrower . . . Crisis (and lawsuit) averted.

Had the broker not utilized an unprotected and unsecured e-mail account, the hacker likely would not have been in a position to get so close to stealing such a large amount of money. Fortunately, quick thinking by the escrow company narrowly averted this crisis, and it is now being reported as a cautionary tale, rather than forming the basis of a lawsuit between the borrower, broker, lender, banks, and others.

With the electronic communication of sensitive information such as wire instructions occurring on a regular basis in the course of any given mortgage or real estate transaction, it is critical that each party in the chain of those communications use a safe and protected company-issued e-mail account. Chances are that a free e-mail provider simply does not offer the same level of security as your company-issued e-mail account.

Thus, free e-mail accounts are a weak link in the chain that add an unnecessary layer of significant risk to a mortgage transaction by clearing hurdles such as firewalls and virus protection. The individuals that seek to capitalize upon these weak links, who are located both domestically and abroad, are no Nigerian Prince scammers. They are sophisticated criminals that have a sufficient level of knowledge of mortgage and real estate transactions to be highly effective. Indeed, you may face significant exposure to liability if your own free e-mail account opens the door to a hacker’s fraud. Accordingly, members of the industry should take a close hard look at their e-mail practices, and seek to reduce or eliminate the use of free, unprotected e-mail providers in mortgage transactions.

By: Artin Betpera, Esq.
Provided by Green & Hall Attorneys at Law

Leave a Comment (0) ↓