A group of email hackers set off a chain of events that cost a couple the contract on their new home.
In late November 2016, Jon and Dorothy Little were ready to close on a $200,000 house in Hendersonville, North Carolina. Their realtor reached out to the law firm handling the closing and asked for payment instructions. The law firm responded by telling the realtor to wire the money to a Bank of America account. These instructions arrived on letterhead used by the firm.
On the intended date of closing, the Littles went to the law firm and asked if they would get back extra money they had sent over. There was just one problem. The firm had never received the money!
So what happened?
Investigative information security journalist Brian Krebs lays it all out:
"After some disagreement, both legitimate parties to the transaction agreed that someone’s email had been hacked by the fraudsters, and was used to divert the wired funds to an account the criminals controlled. The hackers had forged a copy of the law firm’s letterhead, and beneath it placed their own Bank of America account information...."
Krebs goes on to explain that the owner of the Bank of America account had acted as a money mule by forwarding 90 percent of the money to a TD Bank. Fortunately, the FBI succeeded in freezing the money there. Unfortunately, the couple didn't immediately receive their money back. That's because their credit union refused to give Bank of America a "hold harmless" agreement, a document accepting legal responsibility for costs Bank of America might incur if its customer challenged the reversal of the original wire transfer to their account.
Its reasoning? The Littles had willingly and knowingly authorized the wire transfer even though they had unknowingly sent the money to the wrong recipient.
Mr. Little told Krebs about the frustrating appeals process that ensued:
"I talked to the wire dept multiple times. They finally put me through to the vice president of loss prevention at the credit union. I’m not sure they even believed all that was going on. They finally came back and told me they couldn’t do it. Their rules would not allow them to send a hold harmless letter because I had asked them to do something and they had done it. They had a big meeting last week with apparently the CEO of the credit union and several other people. Then they called me on Monday again and told me they would not could not do it."
Shortly after Brian Krebs published his article about the Littles' experience with a successful business email compromise (BEC) scam, their credit union told the couple that Bank of America would soon receive its hold harmless document. Such an announcement means the Littles can reclaim their stolen $180,000. But they won't be using it to cover the Hendersonville house. The closing date came and went, and with the owner eager to sell, the Littles had no choice but to cancel the contract on their home. Instead they purchased a heavily mortgaged townhouse, a second-choice which they can now pay off using their recovered funds.
If we are to learn anything from this story, it's that parties engaged in a transaction should verify the payment instructions. The realtor, for instance, should have called the law firm to confirm the bank account number. Hopefully, organizations will read this story and use it for future business deals.
It's also a reminder to act quickly if a wire transfer doesn't go exactly as planned. The Littles were lucky. Had the money made it out of the United States, they probably would have lost their funds for good. Which is why it's necessary to take your financial life seriously and to stay on top of your accounts.