Devastating email compromise scheme robs home buyers of life savings


Cybercriminals are employing a devastating fraud scheme that leaves victims in financial ruin and despair. They breach real estate agencies, intercept emails, and lurk, waiting until the final moment when home buyers are ready to make a down payment.

More than 400 Americans have been defrauded by a cybercriminal from Nigeria, who was sentenced to ten years last week.

Of these victims, 231 were unable to reverse the wire transactions in time and lost the entire amount they had wired for the real estate purchase. They collectively lost almost $20 million, or, on average, $85 thousand each.

The cybercriminals compromised real estate agents’ email accounts and stepped in at the very last moment, sending home buyers fraudulent wiring instructions.

33-year-old Babatunde Francis Ayeni, a Nigerian citizen living in the United Kingdom at the time of his arrest, was the mastermind of a sophisticated business email compromise scheme. In April 2024, Ayeni pleaded guilty to conspiracy to commit wire fraud.

The conspirators from Nigeria and the United Arab Emirates first targeted real estate agents, attorneys, and title companies across the US, sending phishing emails with malicious links or attachments.

If the recipients made a mistake and clicked, they were prompted to enter their email login credentials, which were then harvested and sent to the criminals.

The second phase could be described as a waiting game. Cybercrooks stealthily monitored the correspondence between realtors and home buyers. Once the payment for a real estate transaction was scheduled, fraudsters sent an email to the purchaser from the compromised email account with wiring instructions.

“The money was deposited into bank accounts associated with the criminals instead of the legitimate real estate transaction,” the US Department of Justice (DOJ) said in a press release.

This case highlights the importance of cybersecurity for small businesses, Bitdefender believes.

Devastating impact

The cybercriminals stole the email credentials of a real estate title company in Gulf Shores, Alabama.

The victims of this type of business email compromise scheme were left devastated. More than 20 victims provided impact statements about how the crime affected them to US District Judge Terry Moore during a multi-day sentencing hearing.

“In addition to losing all of the money they saved for the purchase of a new home, they felt significant shame, despair, and depression due to being victimized the way they were,” the press release describes.

US Attorney Sean P. Costello notes that cybercrimes cause substantial and lasting harm to victims in an instant, while the perpetrators think they “are safe behind their keyboards.”

“After listening to our citizens speak about how the loss of funds impacted their lives and the subsequent loss of what they thought was down payments for their future homes, I am pleased to see Ayeni receive a substantial sentence for these crimes,” said Paul Brown, Special Agent in Charge of the Mobile Division of the FBI.

According to The Record, one victim lost $100,000 after he tried to buy his elderly father a home following a Parkinson's diagnosis. Meanwhile, cybercriminals used the funds to purchase bitcoins and spent at least $40,000 of the stolen funds at a Louis Vuitton store in a Dubai mall.

Two other co-defendants accused in this case have not yet been apprehended and are believed to be living outside the US. The authorities continue to actively seek their arrest and extradition.

Small firms ‘must take cybersecurity seriously’

Bitdefender warns that when small and medium-sized organizations such as consultancies, law firms, and real estate companies run into hackers, the consequences can be dire.

The DOJ did not detail whether the affected firms had multi-factor authentication enabled for email accounts – a simple feature that would have made it very hard to compromise the accounts.

“It’s fair to assume they hadn’t, in what can only be described as a massive oversight,” Bitdefender assesses in a blog post.

The clients had no way of telling what was happening behind the scenes.

The cybersecurity firm urges small firms to also deploy dedicated security solutions to limit any chances of a successful breach.

According to the FBI, business email compromise (BEC) is one of the most financially damaging online crimes. It exploits the reliance on email when conducting personal and professional business. In many cases, thousands – or even hundreds of thousands – of dollars were sent to criminals. The FBI has an advisory with more information about BEC scams.