Impressed But Not Fooled By This Scam
Welcome to the Real Estate Espresso Podcast. Your morning shot of what’s new in the world of real estate investing. I’m your host, Victor Menasce. On today’s show, we’re talking about ways in which business people and regular citizens are being targeted for financial fraud. This discussion was prompted by an attempt to extract $9,000 from our organization earlier this week.
The attempt to defraud us failed, but it showcased how much more sophisticated these attempts are becoming. The case in question involves a site plan application for one of our projects in Utah. The application was approved. We received an email that seemingly came from the city, addressed to the principal applicant on our site plan application. It had all of the relevant details on our project, and the invoice stated that now that our application was approved, a fee of $9,000 was payable.
The invoice appeared very convincing with all of the details being accurate. There was only one small problem: the city offices are about a 90-minute drive from one of our staff and we had previously asked the city if we could make a payment on the application fees electronically. We were already aware that the city would not accept electronic payments for application fees, as they had to be paid in person. Conscious of this fact, we knew the invoice could not be legitimate.
We were not fooled by the invoice, but we were impressed by the quality of it. This fraudulent invoice was far more sophisticated than most. The site plan application is a matter of public record, which makes it easy for someone to impersonate a city official and create a convincing-looking invoice, since all other project details are publicly available.
Most of these deceptive schemes involve the culprits interposing themselves in a trusted communication. Business email compromise is arguably one of the most financially damaging of all forms of email fraud. Unlike broad phishing campaigns, email compromise is a highly targeted attack which uses manipulative tactics to trick employees into making fraudulent payments or revealing sensitive information.
Attackers typically impersonate a high-level executive, vendor, or a business partner. Sometimes, they replicate the company’s CEO or another executive and send an urgent email to an employee, often in finance, demanding a wire transfer for a supposedly confidential or critical business matter.
Often, the attacker gains access to a legitimate business email account and either sends a fake invoice or alters the payment details on a real invoice, redirecting the payment to their own bank. In other instances, the scammer gains control of a real employee’s email account, sometimes using stolen credentials. They then monitor email conversations to insert themselves into an ongoing conversation, like a vendor payment, and change the wire instructions.
Beyond the traditional email scam, attackers are inventing new tactics to bypass security filters and deceive users. One common technique is what is called a reply chain attack. The attacker infiltrates a legitimate email thread and then inserts a malicious reply. As the email appears to be part of an ongoing trusted conversation, the recipient is more likely to fall for the scam.
There are also QR code phishing scams. This involves a text link being replaced by a QR code in an email. When the user scans the code with their smartphone, it redirects them to a fake login page or downloads malware. This method bypasses traditional email filters that are designed to scan for malicious content.
Now, QR codes are being increasingly used in parking lot scams, including city parking meters. For example, the City of Montreal is transitioning to a new system for city parking, which will involve a more convenient smartphone payment method. Scammers knew about the transition and they began distributing thousands of QR codes across city parking spaces, enticing motorists with this convenient new method of payment. Many motorists were only alerted to this scam when they received a parking ticket.
As real estate investors, we are often working with lenders. In one case, we were introduced to a lender by a broker and we became suspicious of the requirement to escrow a large deposit with the lender before they would fund the loan. These lenders were asking for this large deposit upfront and, of course, asking for all the usual business and personal details. It was this requirement for the large deposit that raised a red flag.
In a typical construction loan, the lender escrows the equity and then disburses the funds using construction draws. Most loan scammers are hoping to get an application fee. In our case, we didn’t pay any fees and we did not disclose any personal information before withdrawing from the conversation. We concluded that the loan offer was indeed a scam.
These attempts at fraud are becoming increasingly sophisticated. A fresh point of vulnerability, in my opinion, is the email address that AI-based accounting software will use to accept invoices for approval. A human operator still needs to approve the invoice. However, inputting the invoice into the accounting system is one step closer to getting it paid. Consequently, the approval process requires extra vigilance.
Furthermore, it’s essential that the approved invoice isn’t delegated to someone who lacks the knowledge to identify a legitimate invoice. This is particularly true even for small invoices. Many accounting departments are allowing low-level individuals to approve the payment of small-value invoices. This common practice leaves most organizations vulnerable to this type of fraud.
As you think about this, have an awesome rest of your day. Go out and make something great happen today.

