…That Keeps Working
Criminals have found a novel way to intercept wire transfers for down payments. Can a small team of Secret Service agents prevent your worst real estate nightmare?
Natalie Wong with Bloomberg.com – Businessweek –
For weeks, the Secret Service agent had been trying to identify the scammers moving millions of stolen dollars through banks around the New York tri-state area. His quest had begun on a quiet afternoon in May 2020, when the streets of New York were still mostly empty. Cases were moving slowly, and legal processes were delayed. The agent was restless, trying to keep busy during what he thought would be a short-lived pandemic.
Sitting in his office, in a gray tower near the Brooklyn Bridge, the agent, whom we’ll call Alex (he asked to protect his identity because of the undercover nature of his job), started the routine process of scouring a government database called the Internet Crime Complaint Center. The IC3, as the database is known, is accessible to all domestic law enforcement agencies and spans more than two dozen types of crimes, including credit card frauds, ransomware attacks, and identity thefts. Last year it received an average of more than 2,300 cybercrime complaints a day, about one every 37 seconds. Alex was looking for business email compromises, or BECs, a type of scam where hackers infiltrate corporate accounts to send fake wire requests, such as an invoice or a contract payment.
BEC scams indiscriminately target all types of industries, but over the past few years they’ve found a new kind of victim: the eager homebuyer. Individuals and couples who, anxious to close on their dream home and inundated with paperwork and emails, think they’re transferring their down payment to a title company or a lawyer handling the closing process. Instead—by missing an impossibly subtle detail in an email, such as a spelling error or an extra character, indicating it’s a fake—they mistakenly wire tens or hundreds of thousands of dollars to a hacker.
In a single moment, they’re losing their entire nest egg, along with the home they thought they were about to move into, with little chance of ever getting the money back. “I was shellshocked for a couple of days. I just didn’t sleep,” says Christopher Garris, a 35-year-old assistant professor who lost almost $150,000 in 2021 when he tried to buy a condo in Boston after landing a position at Harvard. “It caused problems between my wife and I, and it caused a lot of stress. Having lost considerable money we saved for a long time—it’s been a big source of anxiety for us.”
Garris in Boston.Photographer: Philip Keith for Bloomberg Businessweek
Alex, whose work focuses on BEC crimes, was on a case that required him to screen complaints logged in the IC3 in his geographic area. He noticed an attempted hack on a construction company in Long Island, in which thieves tried to steal $30,000 by sending fake statement claims. By heist standards, it was a minuscule amount that most agencies wouldn’t have bothered to investigate. But a newly attempted hack can reveal fresh clues that the culprit might have been left behind, potentially opening doors to other cases.
There are several ways to try to locate the person behind a BEC scam: email or internet addresses, bank accounts where the money is wired, and phone numbers, to name a few. Alex did a wider database search to see if other complaints had indicators matching the $30,000 hack attempt. There were plenty. It ended up leading to more than $9 million worth of stolen funds affecting 50-plus victims across different sectors, with real estate losses amounting to more than $2 million, according to a source familiar with the matter who asked not to be named because of the confidential nature of the case. The tens of thousands “may not seem like a lot of money to the government or attorney’s office, but if I lost it, I’d be really upset,” Alex says. “That’s a lot of money to me.”
BEC scammers typically engage in what Alex calls a shotgun approach. They compile contact information for random players involved in any real estate transaction—lawyers, brokers, title agencies, mortgage lenders—then send mass phishing emails to this database, waiting for someone to take the bait. In the email, the scammers might provide a link that leads to a website resembling the real estate agent or title company’s email login page. The duped individual will type out their credentials, which might lead to an error page. Most think nothing of it—perhaps it was merely an internet connection problem. They don’t realize they’ve sent their login information to the hacker, who now has access to their email and confidential company information. Critically, they are also able to track conversations about impending home sales with buyers, ultimately zeroing in on the specific deals they want to infiltrate.
That’s the easy part. What follows is complex social engineering, in which the scammers monitor correspondence about a specific transaction for months. Without tipping off anyone, they learn the minute details of a deal. When it becomes apparent that a down payment is about to be wired, they jump in with a fraudulent email to the buyer, pretending to give official instructions from the real estate or title agent: Please wire your money to this bank account. The email can be sent from the compromised account or from a fake one that looks almost identical to that of the agent in the deal. The unsuspecting buyer wires their life savings to a criminal.
“If we don’t get to it [the stolen down payment] within about 36 hours, it’s pretty much gone”
Reports about this alarming scheme exploded during the pandemic, when home prices, bidding wars, and cash deals all rose. As transaction volume swelled, so did profits for real estate companies, lenders, and banks, and hackers smelled a growing opportunity. By targeting escrow wires, scammers are able to single out a particularly easy jackpot, a transaction involving multiple parties without proper internet security and the rare instance in which a giant sum of cash is sent in a single wire. In 2020 and 2021 the FBI labeled BECs the costliest cyberthreat, accounting for reported losses of $4.2 billion, with real estate wire fraud becoming one of the most targeted sectors. “Those numbers are floors, not ceilings,” says Crane Hassold, director of threat intelligence at Abnormal Security, an email security company. “There’s a lot that doesn’t get reported.”
BECs were already a growing problem in 2017, when the Secret Service started the Global Investigative Operations Center (GIOC) as a pilot project aiming to tackle cybercrime. Historically, different government agencies including the Secret Service, the FBI, Homeland Security, the IRS, and state and local law enforcement independently tackled cybersecurity cases. But agents would find themselves tracking small deals that led nowhere, only to find out much later that they overlapped with others. The GIOC, which became operational later that year, would be a coordination center that could streamline reports and investigations as cyberfraud grew more sophisticated and frequent. As a bonus, it was also a chance for the Secret Service to finally gain more respect as a formidable agency fighting financial criminals, a label usually enjoyed by their far larger and better-funded peers at the FBI.
Agents working at the Secret Service headquarters, located in a bland brick office building in downtown Washington, are quick to tout the agency’s lineage. It was founded in 1865 as a branch of the US Department of Treasury to combat currency counterfeiting; by the end of the Civil War almost a third of all currency in circulation was fake. The Secret Service was only tasked with guarding the president after William McKinley’s assassination in 1901. It’s still responsible for investigating financial crimes including counterfeiting, identity theft, and other felonies against federally insured financial institutions.
Secret Service agents in the Global Investigative Operations Center in D.C.Photographer: Greg Kahn for Bloomberg Businessweek
In 2019 the GIOC formalized a small team of BEC-focused agents, a few of whom, including Alex, relocated from New York to Washington in the past few years. So far it’s helped recover more than $244 million in stolen BEC funds, of which roughly a third is from real estate deals.
In a BEC scam, after a homebuyer realizes what’s happened—which usually takes a few days—they reach out to their bank, title agency, local law enforcement, or a private cybersecurity company and are often told to file an IC3 complaint. As soon as GIOC agents have the file, it becomes a race against time: The agents inform their contacts at various banks, credit unions, crypto exchanges, and other government agencies to freeze and recall the money before it’s cashed out or moved abroad, where it’s far harder to trace. Every minute that passes reduces the odds they’ll be able to recoup the stolen funds. “If we don’t get to it within about 36 hours, it’s pretty much gone,” Alex says. “These guys know how quickly we try to work, and they know they need to get the money out now.”
The same month Alex began trying to track down the scammers, Danny Gonzales was planning to celebrate his wedding anniversary. Pandemic shutdowns meant Gonzales and his wife couldn’t go out to a fancy restaurant or hotel to toast eight years of marriage, but they’d mark it with another momentous occasion: closing on a new home.
Two months earlier, Gonzales had decided to move his family from San Antonio to the Austin area. He wanted to live in a neighborhood near a hockey rink and a dual-language elementary school for his young sons. He also had a daughter from a previous marriage, and moving would bring him closer to her. The house they found, a four-bedroom on 1.5-acres, had been on the market only for a day before the Gonzaleses went to look at it. As they were finishing their tour, they saw several other interested buyers waiting outside, so they submitted their bid two hours later. Luckily the seller accepted their offer quickly.
Over the following weeks, Gonzales and his wife dealt with a flood of emails about the transaction. A few days before closing, they received an email that appeared to be from the title agent, with the closing cost and instructions to wire. Because of Covid-19 restrictions at banks, the message read, some funds were taking longer to process. Would they kindly wire the $123,500 three days in advance of the closing date to ensure there would be no delays? Gonzales called the agent’s number provided in the email to confirm but received an immediate text back saying they were busy with another client and to email any questions. On the Tuesday before closing, Gonzales emailed his bank instructions to wire the money. As is standard protocol, the teller asked him to verify the New Jersey Chase Bank account number he was transferring to and the amount. He confirmed. The money went through.
Hacking victim Danny Gonzales and his wife, Shelley, in Leander, Texas.Photographer: Anthony Francis for Bloomberg Businessweek
On Friday, Gonzales received a call from his title agent confirming the closing appointment that day and reminded him to bring a cashier’s check for the down payment. Gonzales was confused and said he’d already wired the money she’d requested by email a few days earlier. The agent paused. She never sent any email about wiring money. He read the email to her, including the email address. Sure enough, it looked identical to hers, except for an “e” that was changed to a “c” and that it was sent from a Gmail account, which wasn’t visible on his mobile phone. “My heart dropped,” Gonzales says. “I felt a sudden rush. It was a weird experience, like, ‘This cannot be happening. It’s not real.’ ”
The agent told him he’d likely been scammed. When Gonzales hung up the phone, he had to tell his wife that he’d just wired their down payment to hackers—the same ones, he’d later discover, Alex was trying to hunt down. Her face went white. His agent told him to immediately contact law enforcement and report his case. He tried to call Chase, where he’d wired the money, but they wouldn’t give him any information or freeze the account the money was wired to. He called the president of his own bank, a smaller institution where he’s been a client for decades, but was told that they could recall the money only on Monday, because it was Friday afternoon and the Federal Reserve was already closed. He contacted the sheriff of his county, a detective in New Jersey, and the Secret Service, but by the time they were able to look into the receiving account, all the funds were gone.
Gonzales would have to sit tight until Monday. Passing that time was painful. He couldn’t sleep. His emotions ranged from helplessness to anger, disappointment to guilt. How could he be so gullible? Were there signs he missed? He knew now that the email address was off, but no one had warned him to check. Nothing seemed amiss in the message—the font, signature, and numbers were all accurate.
Then he remembered something odd about his interaction with the title agent the day he found out about the hack. She didn’t seem surprised. In fact, she told him that a year earlier, the same thing happened to another client who never retrieved their stolen funds. Right after, she made a point to ask him to read a tiny disclaimer at the very bottom of her email that says never to respond to instructions to wire money by email. Gonzales was incredulous. He might have read that the first time she emailed him but never again. If this was such a rampant scam, why didn’t they emphasize the risk? “They were already aware about this hack,” he says. “But they didn’t warn me.”
“You could arrest dozens, hundreds of these guys, and frankly, you wouldn’t make much of an impact”
A BEC is typically coordinated by a loose network of perps: the hackers, who gain access into a company or individual’s network; money mules, who (sometimes unwittingly) open accounts to launder money on behalf of the hackers; and the orchestrators of the entire scheme, who control the international bank accounts accepting these transfers.
Many cases the GIOC team investigated lead back to West Africa, but the geographic footprint keeps expanding. Other criminals have “seen how lucrative BEC is—it averages about $150,000 per incident right now—so we have groups that are all over the world,” says GIOC agent Stephen Dougherty. Many fraudsters are also working as part of global crime syndicates, which are hard to dismantle because of the sheer number of actors involved. Even if a group is taken down, the low barrier to entry means new ones are constantly popping up. “It’s not a problem that can be effectively mitigated solely through arresting people,” says Abnormal Security’s Hassold. “You could arrest dozens, hundreds of these guys, and frankly, you wouldn’t make much of an impact in the day-to-day BEC volume.”
The allure of BECs is irresistible for those looking for fast cash. One money mule Alex caught said he fell into it after meeting a man at a nightclub who was casually throwing around $100 bills. Curious, he asked the flashy individual how he made his money, and the guy offered him a job on the spot. He accepted, and eventually his wife became a money mule, too. Now they’re both in a California prison.
Bloomberg Businessweek spoke with reformed hackers from Nigeria who asked for anonymity out of fear of imprisonment or retribution from crime syndicates. Hackers often get involved with BEC groups at a young age, 11 to 18, when, either fresh out of primary or secondary school, they’re facing some of the highest unemployment rates worldwide for young men. They might get involved for a variety of reasons: peer pressure, the promise of fast money, or, for many impressionable boys, pure curiosity. And the rewards often outweigh the possibility of being caught by law enforcement. “With the economic situation in the country, I don’t think people mind the risk anymore,” says one of the reformed hackers, who says he’s since become a cybersecurity consultant. “So the community is still growing despite the risk growing.”
The Gonzales case in Texas would eventually end up in the Secret Service’s files. (Although the agency declined to disclose details about specific cases, people familiar with those details did.) The New Jersey account Gonzales had wired the money to belonged to one of the money mules Alex had been tracking. Once he found enough overlapping evidence across various complaints, he recruited his colleague, Claire, to help him. (Claire’s name has also been changed to protect her identity because of the undercover nature of her job.)
Together, the agents conducted dozens of interviews with traumatized victims from all over the country, listening for clues. It was emotionally exhausting. Claire called one couple who’d just sold their home and were driving in a U-Haul to their new one in Wyoming. She had to break the news that the $400,000 they’d wired to close on the house had gone directly into a fraudster’s account. “I still remember the panic in their voice, knowing they were homeless,” she says.
The rare moments when the Secret Service was actually able to intercept a hack, it wasn’t uncommon for the agents to find themselves having to convince victims that they weren’t the fraudsters. One Christmas, agent Dougherty was huddled in the basement at his in-laws’ house, avoiding holiday togetherness, when he saw a complaint come in for a missing $13,000. He immediately contacted the receiving bank, and as they looked into the account where the money had been deposited, an additional $350,000 suddenly appeared. “We were able to locate the victim, and I’m cold-calling them asking if they sent the $350,000 wire,” Dougherty says. “They thought I was scamming them.” He reassured the victim he was a government agent, offering to FaceTime and suggesting they call another agent to confirm. They ended up looking him up, and Dougherty was able to recoup all the money. “If we hadn’t looked at the smaller one, we wouldn’t have caught the bigger one,” he says.
After victims wire funds to a fraudster’s account, the money launderers break up the wire quickly to evade authorities, starting with domestic accounts and eventually moving it to a foreign account or crypto wallets. In some cases they cash it out and park it in physical property such as real estate or jewelry. Alex and Claire, who along with the Secret Service, declined to share details about this case, monitored this type of movement to track other criminals involved. As they studied bank transaction statements and analyzed personal information used to open the accounts, similar details emerged, including IP addresses, account logins, emails, and call detail records.
It still took weeks to physically locate the criminals. Many used aliases to create passports from all over the world—Benin, Ghana, Malta, South Africa, the UK—that were then used to open accounts across major banks operating in New York and New Jersey, a disturbingly easy feat. Even after monitoring hours of video surveillance, it was hard to identify the culprits, who were typically wearing pandemic face masks like everyone else at the time.
After several months, the agents spotted their first target, a Nigerian woman in her mid-20s wearing a bright pink Nike cap, purchasing a cashier’s check—a quick way to cash out the freshly transferred money—at a bank branch in Brooklyn. They were finally able to put a face to the person attempting to receive the stolen money they’d been tracking. The agents continued seeing “Pink Hat Girl,” as they nicknamed her, pop up at different banks, where she used more than a half-dozen different names. Eventually they identified her as Oluwadamilola Akinpelu, her license plate ultimately giving her away.
Once they had Akinpelu, it became easier to track other members of the laundering ring who visited each other’s apartments and used each other’s cars. One day, as the agents were staking out a Brooklyn brownstone where an elderly victim had mailed a check, they almost ran into Akinpelu. She was getting out of her Uber right next to their car to visit Adedayo John, whom they would soon discover was a key part of the ring.
The agents spent weeks following members of the money mule network around the New York area, watching them move cash among banks and buy designer clothes, tech gadgets, and cars, which it seemed the crew couldn’t get enough of. Akinpelu had just bought a brand-new Mercedes-Benz, and John had a Mercedes, a Land Rover, and a Lexus. Alex and Claire continued logging every move. “There were a lot of long days,” Alex says.
At about 6 a.m. on Oct 13, 2021, while it was still dark out, Alex, along with 15 other Secret Service agents and New York police officers, rushed into John’s two-bedroom apartment in Brownsville, Brooklyn, seizing his cellphones and multiple computers. In Far Rockaway, Queens, officials moved to arrest Akinpelu. Both of the money mules’ closets flaunted Gucci and Louis Vuitton clothes.
Later that afternoon, the Southern District of New York announced federal felony charges against a total of 11 members of the money laundering ring. John and his counterparts are awaiting trial or plea hearings, charged with conspiracy to commit bank fraud and money laundering; they face a maximum sentence of 30 years in prison. Although authorities were able to freeze their accounts and seize physical properties, such as phones and cars, other goods were already out of reach. One fraudster used her money to purchase the equivalent of a subdivision back home in Nigeria. She still owns that land, and the agents haven’t had much luck working with the Nigerian government to seize it.
Even though Alex didn’t have a lot of sympathy for the perpetrators, it struck him how willing they’d been to take such a big risk. They were only middlemen. They didn’t live in fancy homes. A few of them stated that they worked as ride-share drivers. He’d spent more than a year tracking them, learning everything there was to know about their ways and the damage they caused. During the arrests, which Alex declined to speak about in detail, he was excited to finally meet them. Surprisingly, the culprits, many of whom were around his age, didn’t seem shocked or hostile and were even willing to chat with him for a while. “Any time I finish something like this, it’s always a sense of relief,” Alex says of the sting. “It’s like, wow, I feel like I know everything about you. I know you better than people I’ve known my entire life.” The investigation is still ongoing to determine who the fraudsters were working for abroad.
As for homebuyers, they’re still largely on their own. Businessweek spoke with roughly a dozen victims who all claimed that no one at the real estate firm, title firm, or bank provided adequate warnings about the high risk of fraud. For the most part, the companies involved in real estate transactions are well-insulated from legal recourse. Real estate firms usually have a boilerplate warning about fraud in their emails but don’t mention it otherwise. Some even skirt their own rules by sending confidential information over unsecure accounts during negotiations and closings. “It’s very easy to prevent if you just adequately warn people about it,” says Ian Hicks, a lawyer who represents victims of wire fraud. “But there is a difference between truly trying to warn someone vs. trying to cover yourself legally and having a blank warning in place.”
Banks, meanwhile, are covered by clauses in wire transfers, which often protect the bank from having to notify consumers of potential irregularities. These waivers might also include arbitration clauses, which largely protect it from lawsuits, something a financially devastated client can rarely afford to pursue anyway. “There is a big role banks could play that they’re not playing now,” Hicks says.
Gonzales ended up being one of the few lucky ones. The Secret Service recovered about $27,000 of the stolen $123,500, and he was able to get a loan from his mother to purchase the home he almost lost. Meanwhile, Garris, the professor, hired Hicks earlier this year and is planning to sue his real estate agent, closing attorney, and their employers. The NYPD told Garris that the funds he’d lost in 2021 had been converted to cryptocurrency and traced to an account in Nigeria. He hasn’t recovered any money. “Every one of these cases is a heartbreaking Dickensian nightmare,” Hicks says. “There’s never a situation where it’s not complete emotional and financial devastation.” —With William Turton and Max Abelson
