Editor’s note: This feature originally appeared in the May issue of MReport, out now.
By now, we’ve all heard horror stories about home buyers and sellers who were instructed to wire funds into a fake account and ended up losing hundreds of thousands of dollars and, in some cases, a place to live. Yet, most people have no idea how often these attacks happen—and how easy they are to commit.
A key component to wire fraud is email phishing—a type of scam, where someone uses a fake email address and pretends to be a loan officer, title agent, or real estate agent to get a home buyer or seller to wire money into a fake account. The prime targets of email phishing are real estate closings when buyers and sellers are getting ready to transfer large sums of money to close their deals.
The good news is that the signs of wire fraud are easy to identify. What isn’t so easy is raising awareness of these scams among housing consumers. But if we hope to stem the tide of attacks, it’s critical that we make sure everyone can recognize the dangers and then change their behavior accordingly.
It’s alarming how quickly wire fraud is growing in terms of the number of attacks and the rate of success of these scams. In 2016, the FBI’s Internet Crime Complaints Center reported $360 million in losses from compromised emails. In 2017, the number jumped 85 percent to $676 million. And last year, according to the latest numbers we uncovered at WFG National Title Insurance Co., the cost was $1.5 billion. That’s over a 300 percent increase in just two years!
We also know that once cybercriminals find a weakness and launch a successful attack, they keep attacking. Word spreads too, as there is an entire criminal underground online community where thieves share their techniques and sell pools of consumer information. As long as they are successful, these numbers won’t ratchet back any time soon.
The trouble is email phishing is incredibly easy to commit. Most people don’t buy homes very frequently, so the risk is not usually at the top of their mind when going through the many different steps it takes to close a property transaction. Even within our industry, many loan officers and real estate agents seem unaware of how their behaviors can increase the risk of wire fraud.
Email phishing schemes are often successful for two reasons: First, email is inherently unsafe and easy to fake. Second, cybercriminals rely on social engineering which involves tricking the victim into doing something that helps the criminal. This involves creating a sense of urgency and presenting a consequence if the victim doesn’t act. For example, in a typical wire fraud scheme, the criminal will send an email saying there’s been a change in closing instructions and that funds need to be wired within an hour or else the transaction will fall apart.
Wire fraud often works because consumers don’t understand the risks associated with using the internet. For example, when most of us join a social media website and come across a several-pageslong terms-of-service, we don’t read it—we simply click through, completely unaware of the privacy rights we may be signing away.
Wire fraud also works because nearly everyone involved in closing transactions—the real estate agent, the loan officer, the title agent, and the consumer—uses email, which is usually the means for all of the communication around where to wire funds after closing. This puts every transaction in the crosshairs of criminals.
Loan officers can fall prey to these scams too. That’s why most of the largest national title companies do not use email for sharing sensitive information. People login to their portals where wire instructions are published. However, some loan officers want title companies to email the wire instructions because it’s more convenient for them. This places them at risk because emails can be easily spoofed.
Email spoofing—the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source—can be done by almost anyone, especially if it is from a free email account like Gmail or Yahoo. I don’t use free email accounts for work, but if I did, and someone wanted to impersonate me and my user name was “bphillips” that person could just put the number “1” for the two l’s in my last name (“bphi11ips”). The lowercased “l” and the number one look similar. So does zero and the letter “O.” After faking an email address, a criminal can put any name at the form at the top of the email, because Google and Yahoo do not check to see whether their users are using their real names. Criminals also often copy the email signatures used by actual loan officers and title agents to impersonate them on fake email accounts.
Wire fraud at closing is just one of the many types of cyberfraud using email. Another way criminals operate is by breaking into email accounts. Often, they “spoof” the victim with a faked email message that says “click here” to access an important document. The email will include a link to a spoofed website that is made to look like a legitimate company, perhaps the victim’s lender or title company. It may even have the company’s logo. The victim is asked to enter their email and password in order to access a document. But instead of retrieving the document, they unwittingly just gave the criminal their email username and password.
After getting the victim’s email and password, the criminal then goes through the victim’s email account and uses it to commit more fraud. The criminal will often use this information to break into the victim’s other online accounts, and even the victim’s bank account. This is because all too often people use the same usernames and passwords for all their online activity.
See the Signs
Fortunately, there are several telltale signs that someone is trying to commit wire fraud during a closing transaction: An unsuspected change in the transaction, like a new routing number for wiring funds; a sense of urgency tied to the request; and a consequence if the victim doesn’t follow through. These three things together should make someone stop and say, “This may not be right.”
The first thing a loan officer or a borrower should do after receiving a suspicious email is to call the phone number they already have—not any phone number included in the email—and tell their loan officer about the email and to confirm the numbers for the wire transfer.
If you suspect that a wire transfer was made fraudulently, the first thing you need to do is order a freeze on the money. Call your bank and say, “That was a fraudulent wire, please stop it.” The magic phrase is “fraudulent wire.”
Once you say it, it kicks everything into gear. If you don’t freeze the account, the money is gone.
You’ve probably heard that it’s a good idea to regularly change your email password, and that’s true. But the second, more secure way of protecting your email is something called second-factor authentication.
This type of authentication is exactly what it sounds like. If you are opening up your email, after you enter your password, you can elect to receive a text message to your phone to verify that the person opening up your email is you. When second-factor authentication is turned on, a criminal not only needs your password, but they need your phone, too. While wire transfer information should never be sent by email, simply using second-factor authentication will generally stop wire fraud from happening.
As an industry, the best thing we can do is spread the word and educate borrowers about how to spot phishing schemes and use email safely. This effort can’t be limited to just mortgage lenders, either. It must involve real estate agents, title insurance companies, third-party service providers everybody involved needs to know about the dangers of online and email fraud, especially during the closing period.
The biggest challenge is educating consumers and making sure they understand the gravity and size of this problem. Most have no idea. After all, people do not buy homes very frequently, so they may be completely unaware of the risk until the moment they become victims of a scam. Even when consumers are told about the risk of sending wire fraud information over email, the message doesn’t always resonate. The message needs to be repeated again and again until it sinks in. It’s not enough to slip a disclaimer into every email—we need to remind consumers at every turn about the very real danger of phishing expeditions.
As industry professionals, we must also demand of each other that we do business more safely and securely.
Remember the three things to watch for—an unexpected change, such as an email with instructions to wire money to a such-and-such bank account; a deadline or a sense of urgency attached to the instruction; and a consequence for not following through. When all three factors are present, the chances are high that someone is trying to commit wire fraud.
While it’s true that cybercriminals will continue to devise ways to steal, it’s never too late to raise awareness and educate each other and, most importantly, consumers about the growing wire fraud problem. If we don’t and phishing, as well as other types of cyberfraud, continue to grow, we risk losing the public’s trust in our financial system. It’s time we step up our game.