Phishing Cyber Attack Attempts Against Real Estate Agents, How to Spot Them
I've recently been getting several phishing emails that take on a new tactic. They are looking for an agent to work with on a relocation this year or early next year. These have many red flags that immediately sound the alarm for me, but I've noticed several agents not seeing the same red flags, so I'm writing this article to help.
Three of the ones I've recently seen are below. I'll call them "The Relocation", "The Daughter" and "Yellow Snow" in this article.
On the surface, this email seems like a good thing, but let's dissect it sentence by sentence. The "Good day" sentence, nothing wrong here. The next sentence, "hubby" isn't a term used often as it is usually a nickname not spoken to strangers, but that can pass. What I like is that I showed up on a search for "good realtors in California." That's a nice way to butter someone up, but still nothing that hits the red flags. Planning to relocate to the area... in this sentence I would expect the city name (or at least the county name) to be used, especially since I cover multiple cities. "We are also first time buyer so we were advice to..." and this is where you go from writing at an adult level to that of a robot that doesn't understand grammar and sentence structure. Big red flag there. "Are u full time?" and "Also how do u get paid?" Ok, so I'm hitting two sentences at once here. The use of "u" instead of "you" is again not a manner in which people talk and write emails (texts yes, emails no). Full-time is not a typical question people ask, even first time buyers. The how do you get paid question is a good one though.
That concludes the body of the email. Now I have my email program configured to display the full headers (the part where the "To" and "From" are listed) and this is where it gets full of red flags. "Lynn Hamilton" is sending an email but her email address is "MariaBennetabe", and that fails the sniff test right there. With an email address based on a name, you'd expect it to say "Lynn" somewhere in there, like on the reply-to line where it says "LynnSullivan36", which makes more sense. Of course, the fact that you have the email coming from one address with a reply-to as another address is another red flag. The biggest red flag is where my email program tells me I was BCC'd (Blind Copied) and not put in the "To" line. If you're sending a legitimate business email to someone, you put their email in the "To" line.
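The three header checks above, written out as an added example (not part of the original article). The display names and mailbox names come from the article, including the follow-up and "The Daughter" headers discussed further down; the `example.com` domains, subject lines, my address and the function name are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

def header_red_flags(raw_message, my_address):
    """Return the header red flags described in the article for one message."""
    msg = message_from_string(raw_message)
    flags = []

    # 1. The display name shares no word with the mailbox name.
    name, sender = parseaddr(msg.get("From", ""))
    mailbox = sender.split("@")[0].lower()
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) > 2]
    if words and not any(w in mailbox for w in words):
        flags.append("name_mismatch")

    # 2. Replies are routed to a different address than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        flags.append("reply_to_differs")

    # 3. The recipient is in neither To nor Cc, so the message was BCC'd.
    listed = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in [addr.lower() for _, addr in listed]:
        flags.append("bcc_only")
    return flags

# Constructed samples: names are from the article, domains are placeholders.
ME = "agent@example.com"
RELOCATION = (
    "From: Lynn Hamilton <MariaBennetabe@example.com>\n"
    "Reply-To: LynnSullivan36@example.com\n"
    "Subject: Relocation\n\nGood day\n"  # no To header: recipient was BCC'd
)
FOLLOW_UP = (
    "From: Lynn Hamilton <LynnSullivan36@example.com>\n"
    "Reply-To: LynnTon001@example.com\n"
    "To: agent@example.com\nSubject: Re: Relocation\n\nThank u\n"
)
DAUGHTER = (
    "From: Jennifer Kumar <JennyKumar1@example.com>\n"
    "To: agent@example.com\nSubject: Homes\n\nHey there\n"
)

if __name__ == "__main__":
    for label, raw in [("relocation", RELOCATION), ("follow-up", FOLLOW_UP),
                       ("daughter", DAUGHTER)]:
        print(label, header_red_flags(raw, ME))
```

A clean result only means the headers pass these three checks; "The Daughter" and "Yellow Snow" both have headers with nothing wrong and give themselves away in the body instead.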
Now for fun I replied with a basic "Hi, what area are you looking at" email and received the below response:
So now let's dissect this one!
In the header, the email address I had replied to (LynnSullivan) writes back and uses the name Lynn Hamilton. I'd expect the Lynn Hamilton part (I actually saw one that didn't do that), but you'll notice the reply-to address is now "LynnTon001", so they're switching to yet another fake email address. Most of these scammers stay with one email the entire time, so this person must be new! At least I'm in the "To" line this time!!!
Now for the body. "Thank u... at such short notice" Again with the text speak of "u" and now something about short notice. That doesn't make sense since that phrase doesn't apply to anything in this email chain. Next sentence, her "husband James" instead of "hubby" from the first email and the improper capitalization of the word "I". That's second first grade English class stuff. Really, a process MIGHT seem new to you as first time buyers? My guess is it WOULD BE new to you! Final sentence could be worded better, but at this point I'm just glad they can string a sentence together! Now for the last line in the email... "Aproval.pdf" First of all... it should be spelled "Approval" not "Aproval". Second of all, this is a link instead of an attached document. If you hover over the link (but don't click on it) you will see it points to a "gajaria.in" website. The ".in" means it is a URL registered under India's country domain. I put the link into URLScan.io, a tool that checks websites to see where they are located, if they have any malicious code, technologies used and much more. The key thing is the screenshot of the website on the right-hand side. This is a page made to look like the Google login screen. The goal of the attacker is to steal your Google account credentials and to hopefully use that to gain access to your transactions. Assuming that you send your emails through that Google address, they could then insert themselves into the transaction and send fake wiring instructions to your clients as you!
This one is just fun!
The header: NOTHING WRONG here! Unlike the last one, "Jennifer Kumar" is sending from an email address "JennyKumar1" and the email is only addressed to me. All legitimate.
The body: This is where it gets fun. Who starts off a business email with "Hey there"? Not "Hey Ryan" or "Hey Mr. Huggins" or even the proper "Hello" or "Good Day"! The first sentence is ok. If I were an English teacher, I'd mark points off for the use of the plural "homes" unless the daughter really wants to buy multiple homes. The second paragraph says to "Call, text or email", which is fine except that no phone number was given. One should follow the "Call, text" or at the very least be under her name in the farewell. Again, to be nit-picky, these are the needs of her daughter, not "my real estate needs" (my being Jennifer).
This one started a big discussion on Lab Coat Agents today and is why I wrote this article. Like the old joke about eating yellow snow, you don't want to get involved with this email either.
The header: Like "The Daughter" this header has nothing wrong with it. Let's note the name of the sender though, Tom Kluivert, as we'll need that for later.
The body: "Hi," ok, this is starting out good. "I am Paul Snow" wait, isn't this email sent from Tom Kluivert's email? Ok, that's a big red flag! Let us continue. "I and my family" proper grammar would be "My family and I". They are looking for a five bedroom house and a lovely apartment? I'm not going to lie, I had to read this line three times just to make sure I read that right. What does he want? Does he have two families? A five bedroom house and an apartment... building maybe? "...i have been pre approved and can forward you my pre approval letter if this will help you understand what i am searching for Kindly advise." Again with the lower case "i", but forget that for a second. I honestly don't think a pre-approval letter is going to help ANYONE figure out what he is searching for! And while we're at it, there needs to be a period after "for."
I've received some fun ones in the past (sorry no photos) where they are looking to move to my "City". This one throws up the flag because not only is "City" capitalized, but they don't list which city.