{"id":13200,"date":"2017-07-05T19:39:00","date_gmt":"2017-07-05T19:39:00","guid":{"rendered":"https:\/\/digital-sentinel.com\/?p=13200"},"modified":"2017-10-01T10:32:47","modified_gmt":"2017-10-01T10:32:47","slug":"blind-trust-email-cost-home","status":"publish","type":"post","link":"https:\/\/digital-sentinel.com\/breach\/email\/blind-trust-email-cost-home\/","title":{"rendered":"Blind Trust in Email Could Cost You Your Home"},"content":{"rendered":"

The process of buying or selling a home can be extremely stressful and complex, but imagine the stress that would boil up if\u00a0\u2014 at settlement \u2014 your money was wired to scammers in another country instead of to the settlement firm or escrow company. Here\u2019s the story about a phishing email that cost a couple their home and left them scrambling for months to recover hundreds of thousands in cash that went missing.<\/p>\n

It was late November 2016, and\u00a0Jon and Dorothy Little<\/strong>\u00a0were all set to close on a $200,000 home in Hendersonville,\u00a0North Carolina. Just prior to the closing date on Dec. 2 their realtor sent an email to the Little\u2019s and to the law firm handling the closing, asking the settlement firm for instructions on wiring the money to an escrow account.<\/p>\n

 <\/p>\n

\"The<\/p>\n

 <\/p>\n

\n

The fraudulent wire instructions apparently sent by the hackers via the settlement law firm.<\/p>\n<\/div>\n

An attorney with the closing firm responded with wiring instructions as requested, attaching a document that had the law firm\u2019s logo and some bank account information that was represented as the seller\u2019s account number. The Little\u2019s realtor sent the wire on Thursday morning, the day before settlement.<\/p>\n

\u201cWe went to closing at 1 p.m. on Friday, and after we signed all the papers, we asked the lawyers if we were going to get back the extra money we had sent them, because they hadn\u2019t be able to give us an exact amount in the wiring instructions. At that point they told us they had never gotten the money.\u201d<\/p>\n

After some disagreement, both legitimate parties to the transaction agreed that someone\u2019s email had been hacked by the fraudsters, and was used to divert the wired funds to an account\u00a0the criminals controlled. The hackers had forged\u00a0a copy of the law firm\u2019s letterhead, and beneath it placed their own Bank of America account information (see screen shot above).<\/p>\n

The owner of the Bank of America account appears to have been a willing or unwitting accomplice \u2014 also know as a \u201cmoney mule<\/a>\u201d \u2014 recruited through work-at-home job schemes to receive and forward funds stolen from hacked business accounts. In this case, the money mule wired all but 10 percent of the money (a typical money mule commission) to an account at TD Bank.<\/p>\n

Fortunately for the Littles, the FBI succeeded in having the resulting $180,000 wire\u00a0transfer frozen once it hit the TD Bank account. However, efforts to recover the stolen funds were stymied immediately when the Littles\u2019 credit union refused to give Bank of America a so-called \u201chold harmless\u201d agreement that the bigger bank\u00a0wanted as a legal guarantee before agreeing to help.<\/p>\n

Charisse Castagnoli<\/strong>, an\u00a0adjunct professor of law at the\u00a0John Marshall Law School<\/strong>, said\u00a0banks have a fiduciary duty to their customers to honor their requests in good faith, and as such they tend to be very nervous legally about colluding with another bank to reverse payment instructions by one of their own customers. The \u201chold harmless\u201d agreement is usually sought by the bank which received a fraudulent wire transfer, Castagnoli said, and it requires the responding bank to assume any and all liability for costs that the requesting bank may later incur should the owner of account which received the fraudulent wire decide to dispute the payment reversal.<\/p>\n

\u201cWhen it comes to wire fraud cases the banks have to move very quickly because once the wires make it outside the U.S. to foreign banks, the money is usually as good as gone,\u201d Castagnoli said. \u201cThe receiver or transferee usually insists on a hold harmless agreement because they\u2019re moving the money on behalf of their own account holder, kind of going against their own client which is a big \u2018no-no\u2019 when you\u2019re a fiduciary.\u201d<\/p>\n

But in this case, the credit union in which the Littles had invested virtually all of their money for more than 40 years decided it could not in good faith provide that hold harmless agreement, because doing so would stipulate that the credit union affirms the victim (the Littles) hadn\u2019t willingly and knowing initiated the wire, when in fact they had.<\/p>\n

\u201cI talked to the wire dept multiple times,\u201d Mr. Little said of the folks at his financial institution, Atlanta, Ga.-based\u00a0Delta Community Credit Union<\/strong>\u00a0(DCCU). \u201cThey finally put me through to the vice president of loss prevention at the credit union. I\u2019m not sure they even believed all that was going on. They finally came back and told me they couldn\u2019t do it. Their rules would not allow them to send a hold harmless letter because I had asked them to do something and they had done it. They had a big meeting last week with apparently the CEO of the credit union and several other people. Then they called me on Monday again and told me they would not could not do it.\u201d<\/span><\/p>\n

The Littles had to cancel the contract on the house they were prepared to occupy in December. Most of their cash was tied up in this account that the banks were haggling over, and so\u00a0they opted to get a heavily mortgaged small townhome\u00a0instead, with the intention of paying off the mortgage when their stolen funds are returned.<\/p>\n

\u201cWe canceled the contract on the house because the sellers really needed to sell it,\u201d Jon Little said.<\/p>\n

The DCCU has yet to respond to my requests for comment. But less than a day after KrebsOnSecurity reached out to the credit union\u00a0for comment about the Littles\u2019 story, the bank informed the Littles that the other bank would soon have its hold harmless letter \u2014 freeing up their $180,000 after more than four\u00a0months in legal limbo.<\/p>\n

The Littles\u2019 story has a fairly happy ending, however\u00a0most of the other few dozens stories previously featured on this blog about wayward mortgage, escrow and payroll payments wound up with the victim losing six figures at least.<\/p>\n

One of the more recent advertisers on this blog \u2014\u00a0Ninjio<\/a>\u00a0\u2014\u00a0specializes in developing custom, \u201cgamified\u201d security awareness training videos for clients. \u201cThe Homeless Homebuyer,\u201d one of the videos Ninjio produced for a government client seems appropriate here: It features an animated FBI agent breaking the bad news to some would-be homeowners that their money is gone and so are their dreams of a new home \u2014 all because everyone blindly trusted unsecured email for what is essentially a high-risk cash transaction.<\/p>\n

I like the video because its message is fairly stark and real: You could get screwed if you don\u2019t take this seriously and proceed carefully, because once the money\u2019s gone it\u00a0usually stays gone<\/a>. Check it out here:<\/p>\n