How Scammers Stole $20 Million by Hacking Emails of Real Estate Agents – Here’s Why Small Firms Must Take Cybersecurity Seriously

Filip TRUȚĂ

November 11, 2024

A Nigerian national has been sentenced to 10 years in prison for robbing people of their life’s savings by hacking the emails of their real estate agents and swapping bank accounts. The story offers a clear example of why small firms should take cybersecurity seriously.

33-year-old Babatunde Francis Ayeni, a citizen of Nigeria living in the United Kingdom at the time of his arrest, used a sophisticated business e-mail compromise (BEC) scheme targeting real estate transactions in the United States.

Ayeni and at least two other associates operating out of Nigeria and the United Arab Emirates would send phishing e-mails with tainted attachments and links to title companies, real estate agents, and real estate attorneys across the US.

Captured login credentials

“If an employee at a targeted real estate business clicked on the malicious link or attachment, they were prompted to enter their e-mail account login information,” according to the Southern District of Alabama US Attorney's Office. “The employee’s login credentials were captured and sent to e-mail accounts controlled by Ayeni and other co-conspirators.”

With the login credentials in hand, the plotters would access the email accounts and determine when a buyer was scheduled to make a payment as part of a real estate transaction.

Ayeni and his fellow conspirators impersonated the agents, swapped the bank accounts for ones under their control, sent e-mails from the compromised e-mail accounts and instructed the buyers to wire the money. Unsuspecting buyers would comply, some sending over their life’s savings for the fictitious purchase of a new home.

Victims were in shock

During the multi-day sentencing hearing, some 20 victims appeared before Judge Terry Moorer to describe the harrowing situation they’d found themselves in.

In addition to those who spoke in court, many others provided written impact statements, “noting that in addition to losing all of the money they saved for the purchase of a new home, they felt significant shame, despair, and depression due to being victimized the way they were,” according to the DOJ press release.

Over 400 US citizens were victimized by Ayeni and his fellow perps. Of those, more than half were unable to reverse the wire transactions in time and lost their money. Court documents say those victims lost a combined total of almost 20 million US dollars.

Ayeni pleaded guilty to conspiracy to commit wire fraud in April of 2024 and will now spend the next 10 years behind bars.

His two associates, identified by the DOJ as co-defendants Feyisayo Ogunsanwo and Yusuf Lasisi, remain at large and are believed to be outside the United States. Authorities are seeking their arrest and extradition.

Whose fault was it?

This case is a stark reminder that small and medium-sized organizations, like consultancies, law firms, and real estate companies, face dire consequences in the unfortunate event they have a run-in with hackers.

Even worse off, in this instance, were their clients, who couldn’t have possibly suspected what was happening behind the scenes.

The DOJ’s press release doesn’t say if the victim firms had multi-factor authentication enabled for employees’ email accounts, which would have made it hard for Ayeni and his crew to gain access to those emails. It’s fair to assume they hadn’t, in what can only be described as a massive oversight.

Don’t let this happen to your firm

This was a clear case of human error, underscoring the importance of training staff regularly to spot devious phishing attacks and BEC scams.

Bitdefender strongly recommends that small firms also deploy dedicated security software on their IT infrastructure to limit the chances of a successful breach.

Bitdefender Ultimate Small Business Security is an extended version of our consumer-friendly security suite and includes malware detection, ransomware prevention, email protection, account breach protection, scam protection, and VPN. It can be administered by anyone in your organization, thanks to a natural, intuitive dashboard designed for use even by non-techies.

To see it in action, visit https://www.bitdefender.com/en-us/consumer/small-business-security.

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.