On March 30, FinCEN released a Financial Trend Analysis examining threat patterns and trends identified in Bank Secrecy Act (BSA) data relating to business email compromise (BEC) in the real estate sector during 2020 and 2021. According to the analysis, BEC attackers target businesses and financial institutions that routinely conduct large wire transfers and rely on email for communication about these wires. FinCEN explained in its announcement that attackers “may obtain unauthorized access to networks and systems to misappropriate confidential and proprietary information,” noting in its analysis that “[p]erpetrators typically compromise a key email account by using computer intrusions or social engineering and send an email that fraudulently directs funds to criminal-controlled accounts” where many times “the victim is tricked into thinking a legitimate email from a trusted person or entity is directing them to make a payment.” According to the Federal Bureau of Investigation’s Internet Crime Compliant Center, BEC incidents resulted in more than $43 billion in worldwide losses between June 2016 and December 2021.

FinCEN’s analysis found that attackers most commonly impersonated title and closing entities and personnel, and that 1,767 incidents involved initial domestic transfers of fraudulent funds to accounts at U.S. depository institutions (151 incidents involved initial transfers of fraudulent funds to international institutions). Additionally, the analysis found that 83 of the 2,103 reported real estate-related BEC incidents involved convertible virtual currency.

FinCEN reiterated that financial institutions, real estate sector entities, and the public “may all play an important role in protecting the U.S. financial system from [real estate] BEC attacks through awareness of actions to detect and mitigate attacks, information sharing mechanisms that can prevent attacks, and various ways to report incidents when they occur.” FinCEN further encouraged these entities to “[a]ssess the vulnerability of their business processes with respect to BEC and consider actions to ‘harden’ or increase the resiliency of their processes and systems against email fraud schemes.” This includes understanding quantifiable risks associated with the authentication of participants involved in communications, the authorization of transactions, and the communication of information and changes about transactions. Additionally, entities should “[a]dopt a multi-faceted transaction verification process—as well as training and awareness-building—to identify and evade spear phishing attempts.” FinCEN emphasized that “[i]dentifying fraudulent transaction payment instructions before payments are issued is essential to preventing and reducing unauthorized transactions.”