Man-in-the-Middle Attacks: When Scammers Intercept Connections

IsThisAScam Research Team · April 13, 2026 · 3 min read

A couple in Melbourne was purchasing their first home in 2025. Their conveyancer emailed wire transfer instructions for the $380,000 deposit. What they did not know: an attacker had been silently reading their conveyancer's email for three weeks, waiting for exactly this moment. The attacker intercepted the email, replaced the bank account details, and forwarded the modified message to the couple. They wired $380,000 to a criminal's account. The money was gone within minutes.

This is a man-in-the-middle (MITM) attack — an interception technique where the attacker secretly positions themselves between two parties who believe they are communicating directly. The attacker can eavesdrop, modify messages, and impersonate either party without either side knowing.

Types of MITM Attacks

Email interception. The most financially damaging variant. Attackers compromise an email account (often through phishing) and set up forwarding rules that copy all incoming mail. They monitor conversations silently for weeks, waiting for high-value transactions — real estate closings, vendor payments, investment transfers. When the moment arrives, they modify payment instructions in transit.

WiFi eavesdropping. On unsecured or compromised WiFi networks, attackers capture traffic between your device and the router. Evil twin attacks (covered separately) are a common setup for WiFi-based MITM.

ARP spoofing. On local networks, attackers send fake Address Resolution Protocol messages to associate their MAC address with the IP address of the default gateway. All traffic intended for the internet is routed through the attacker's machine first.

SSL stripping. The attacker intercepts your connection to an HTTPS website and downgrades it to HTTP. Your browser communicates with the attacker over HTTP while the attacker communicates with the real site over HTTPS. You see no padlock, but many users do not notice.

DNS spoofing. The attacker modifies DNS responses to redirect you to malicious servers. You type the correct URL but arrive at the wrong destination — similar to pharming but executed at the network level during an active MITM session.
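The ARP spoofing variant above leaves a trace a defender can check for: the gateway's IP resolves to a MAC address that differs from a recorded baseline, or that also answers for another host on the network. The following is an added example, not code from the original article; the sample table, addresses, and function names are constructed for illustration, and the parser accepts `arp -a` output from Linux, macOS, and Windows as well as `ip neigh`.

```python
import re

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-f]{1,2}(?:[:-][0-9a-f]{1,2}){5})\b", re.I)

# Constructed sample in Linux `arp -a` format; not captured from a real network.
SAMPLE_ARP = """\
_gateway (192.168.1.1) at aa:bb:cc:00:00:66 [ether] on wlan0
laptop (192.168.1.23) at 3c:22:fb:10:20:30 [ether] on wlan0
? (192.168.1.57) at aa:bb:cc:00:00:66 [ether] on wlan0
? (192.168.1.80) at <incomplete> on wlan0
"""

def normalize_mac(mac):
    """Lowercase, colon-separated, zero-padded (macOS prints '0:1c:...')."""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", mac.lower()))

def parse_neighbors(text):
    """Return {ip: mac} for every line that carries both an IPv4 and a MAC."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # headers and incomplete entries
        mac = normalize_mac(mac.group(1))
        if int(mac[:2], 16) & 1:
            continue  # broadcast/multicast entries are not hosts
        table[ip.group(1)] = mac
    return table

def check_gateway(table, gateway_ip, baseline_mac=None):
    """Return findings for the gateway entry; an empty list means no anomaly."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    findings = []
    if baseline_mac and gw_mac != normalize_mac(baseline_mac):
        findings.append(f"gateway {gateway_ip} is at {gw_mac}, "
                        f"baseline is {normalize_mac(baseline_mac)}")
    # One MAC answering for the gateway and another IP is the classic sign.
    twins = sorted(ip for ip, mac in table.items()
                   if mac == gw_mac and ip != gateway_ip)
    if twins:
        findings.append(f"gateway MAC {gw_mac} also answers for {', '.join(twins)}")
    return findings

if __name__ == "__main__":
    for finding in check_gateway(parse_neighbors(SAMPLE_ARP),
                                 "192.168.1.1", "F4-92-BF-00-00-01"):
        print("ALERT:", finding)
```

A shared MAC is not always hostile (a router can hold several IPs), so treat a finding as a prompt to compare against the MAC printed on the router itself.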

The Real Estate MITM Epidemic

Real estate transactions have become a primary target for MITM attacks because they involve large wire transfers, tight deadlines, and multiple parties communicating via email. The FBI reported that real estate wire fraud losses exceeded $400 million in 2024.

"We are writing to confirm the updated wire instructions for your closing tomorrow. Due to a recent audit, our banking details have changed. Please use the account information below for your deposit. Time is of the essence as the seller has a hard deadline." — Intercepted and modified email from a compromised title company account.

The attack works because buyers are already stressed, the amounts are expected, and the urgency is genuine. Legitimate closings do have hard deadlines. Legitimate wire instructions do change occasionally. The context makes the fraud invisible.

How to Detect MITM Attacks

Certificate warnings. Your browser warns you when a site's SSL certificate does not match expectations. During an MITM attack, the attacker may present their own certificate, triggering this warning. Never ignore certificate errors.

Missing HTTPS. If a site that normally shows a padlock suddenly loads without one, an SSL stripping attack may be in progress. Bookmark important sites with their HTTPS URLs.

Changed payment instructions. Any change to wire transfer details — especially last-minute changes sent by email — should be treated as a potential MITM indicator until verified by phone.

Email forwarding rules you did not create. Check your email account's forwarding and filter settings regularly. MITM attackers frequently create auto-forwarding rules that persist even after you change your password.

Unusual login locations. If your email provider shows logins from unfamiliar locations or devices, your account may be compromised and used for MITM interception.

How to Protect Yourself

Always verify wire transfers by phone. Call the recipient using a phone number you obtained independently — not from the email containing the wire instructions. This single step prevents the vast majority of MITM wire fraud.

Use a VPN on public networks. A VPN encrypts your traffic between your device and the VPN server, preventing eavesdropping even on compromised networks.

Enable HTTPS-only mode. Modern browsers can refuse to load HTTP sites entirely. Enable this in your browser settings to prevent SSL stripping.

Implement email encryption. For sensitive business communications, use S/MIME or PGP encryption. Encrypted emails cannot be read or modified by an attacker who has compromised the mail server.

Monitor email account settings. Regularly check for unauthorized forwarding rules, delegates, connected applications, and recent login activity in your email account.

Use multi-factor authentication. MFA makes email account compromise significantly harder, reducing the attacker's ability to set up MITM interception.
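The advice to check forwarding and filter settings can be turned into a repeatable audit over an exported rule list. The following is an added example, not code from the original article; the rule schema (`forward_to`, `move_to`, `delete`, `mark_read`, `keywords`), the sample rules, and the keyword list are hypothetical and would need mapping to whatever your mail provider exports.

```python
# Words typical of the payment conversations the article describes (assumed list).
FINANCE_WORDS = {"wire", "invoice", "payment", "bank", "deposit", "closing"}

# Constructed rule export using a hypothetical, provider-neutral schema.
SAMPLE_RULES = [
    {"name": "Newsletters", "forward_to": [], "move_to": "Reading",
     "delete": False, "mark_read": False, "keywords": ["unsubscribe"]},
    {"name": "Assistant copy", "forward_to": ["assistant@example.com"],
     "move_to": None, "delete": False, "mark_read": False, "keywords": []},
    {"name": "fwd", "forward_to": ["archive.box@mail-backup.example"],
     "move_to": None, "delete": False, "mark_read": False, "keywords": []},
    {"name": "sync", "forward_to": [], "move_to": "RSS Feeds",
     "delete": False, "mark_read": True, "keywords": ["Wire", "closing"]},
]

def audit_rules(rules, own_domains):
    """Return [(rule name, [reasons])] for rules that deserve a manual look."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in rules:
        reasons = []
        # 1. Any rule copying mail to an address outside your own domains.
        external = [addr for addr in rule.get("forward_to", [])
                    if addr.rsplit("@", 1)[-1].lower() not in own]
        if external:
            reasons.append("forwards outside your domains: " + ", ".join(external))
        # 2. Rules that remove payment-related mail from view: deleted, or
        #    marked read and filed away so the owner never sees it arrive.
        hides = rule.get("delete") or (rule.get("mark_read") and rule.get("move_to"))
        hits = FINANCE_WORDS & {k.lower() for k in rule.get("keywords", [])}
        if hides and hits:
            reasons.append("hides mail matching: " + ", ".join(sorted(hits)))
        if reasons:
            findings.append((rule["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, {"example.com"}):
        print(f"REVIEW rule {name!r}: " + "; ".join(reasons))
```

Run it after every password reset as well as on a schedule, since such rules persist even after you change your password.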

If you receive unexpected payment instruction changes, wire transfer requests, or any communication that involves sending money, paste the details into IsThisAScam to check for known fraud patterns before acting.
