Using tools and services widely available in the cybercriminal underground, criminals need a single compromised account to steal from a business. In the title industry, perpetrators monitor the real estate proceeding and pick the time to make a fraudulent request to change the payment type or change it from a legitimate account to one under their control. As reported by Forbes this summer, thieves have been known to research how a CEO communicates and even his or her travel schedule to make it easier to trick employees to comply with fraudulent requests. FBI Special Agent Martin Licciardo said the best defense in that case is “walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on email alone.”
That logical advice is not so easy to accomplish if the company hasn’t built a culture based on adhering to best practices to avoid business email compromise (BEC).
Admit Your Business is at Risk
The first step is recognizing that BEC is a real and present danger facing the title industry. ALTA Dispatches from the front lines:
• Maryland, August 2017: The FBI says fraudsters used fake emails to fool a settlement company into wiring them the proceeds of the sale of a couple’s home. Amount lost: $411,548.
• New York, June 2017: A Judge trying to sell her apartment received an email she thought was from her real estate lawyer telling her to wire money to an account. Amount lost: $1 million.
• Washington, D.C., May 2017: The homebuyers sued the title company for the lost money due to BEC, but also close to $5 million for an alleged violation of the RICO Act. The title company, which denies it had anything to do with the money going missing, said that it immediately contacted the FBI when the attack was discovered. Amount lost: $1.57 million.
• Colorado, March 2017: A couple, who lost their life savings while trying to buy their dream retirement home, has filed suit alleging that none of the companies involved in the transaction—including a title company—did enough to protect sensitive financial information. Amount lost: $272,000.
But could it happen to you? Let’s imagine a criminal impersonates a trusted Counter Party in the RE Transaction by hacking into and using the email account of a Borrower’s RE Agent or Settlement Attorney to send fraudulent wire transfer instructions to the Borrower/Buyer. Based on the Borrower/Buyer’s subsequent request, their financial institution executes an authorized wire transfer to an account the criminal controls. Yes, unless you have built your defenses, you are under threat of attack.
Understand the battlefield and make sure you are using the right weapons to combat BEC:
• Establish a company domain name and use it to establish company email accounts instead of free web-based email accounts.
• Create intrusion detection system rules that flag emails with extensions that are similar to your company’s. For example, legitimate email of abc_company.com would flag fraudulent email of abc-company.com.
• Create an email rule to flag emails where the “reply” email address is different than the “from” email address shown.
• Color code emails from your employee/internal accounts a different color than those from non-employee/external accounts.
Rally the troops and commit to training employees, reviewing company policies and developing good security habits:
• Be careful posting to social media and the company’s website information about job duties and descriptions, hierarchical information and out-of-office details that can give criminals the information they need to impersonate a trusted Counter Party.
• Train your team to carefully scrutinize all emails and not be afraid to use face-to-face or voice-to-voice communications when in doubt.
• Be wary of irregular emails sent by high-level executives, as they can be used to trick employees into acting with urgency.
• Review and verify emails requesting funds to determine if the requests are out of the ordinary.
• Confirm requests for transfers of funds by using phone verification as part of a two factor authentication; use previously known numbers, not the numbers provided in the email request.
• Verify any changes in vendor payment location by following a call back procedure using contact information on file or having secondary sign-off by company personnel.
• Similarly, stay updated on customers’ habits, including the details and reasons behind payments.
Communicate Any Breaches Immediately
The following are recommended steps to take if and when you are a victim of outbound wire fraud:
• Ensure all employees have the information on whom to contact.
• Contact your banking team immediately via telephone and email to inform it of the fraudulent transaction.
• Provide a screen shot of the outbound wire if possible.
• Once informed, your bank will alert its fraud department and law enforcement.
• The bank will contact the Beneficiary Bank to alert of the fraudulent transaction, get a status update on the transaction and begin recall process.
• Your banking team should keep you fully informed of the status and any additional steps such as completing an Affidavit of Forgery, Hold Harmless Approval, etc.
• Once funds are secured, your bank will make restitution to the proper account.
The Internet Crime Complaint Center (a multi-agency task force made up by the FBI, National White Collar Crime Center and Bureau of Justice Assistance that is commonly referred to as the IC3) notes that all participants in real estate transactions, including buyers, sellers, agents and lawyers are at risk. The IC3 saw a 480 percent increase in the number of complaints in 2016 filed by title companies that were the primary target of the BEC/EAC scam. Be sure that you and your banking team remain vigilant and prepared to meet this growing threat.
Joseph Curran is senior executive vice president and managing director at BankUnited N.A. He may
be reached at firstname.lastname@example.org.
Copyright © 2004-2018 American Land Title Association. All rights reserved.
This article has been used and reprinted with the permission of The American Land Title Association. The material is for general information purposes only and is not to be relied upon or used for any particular purpose. Title Industry Assurance Company, RRG and The American Land Title Association shall not be held responsible in any way for, and specifically disclaims any liability arising out of or in any way connected to, reliance on or use of any of the information contained or referenced in this article. The information contained or referenced in this article is not intended to constitute and should not be considered legal or professional advice, nor shall it serve as a substitute for the recipient obtaining such advice.