Cybersecurity and wire fraud are constantly making headlines in real estate and title industry news outlets. We hear of the buy-side scams often: a nice couple loses their nest egg in a cash-to-close transaction because they were given fake wire instructions. Poof! $200,000 transferred into the hands of a criminal. Many don’t realize they’ve been had until it’s far too late to recover the funds.
As often as we hear about these unfortunate consumers, everyone, including title agents, real estate attorneys, and lenders, is vulnerable to the sophisticated scams of fraudsters. If a fraud attempt hasn’t happened to you yet, it’s only a matter of time.
I spoke with Tom Cronkright of CertifID (pronounced “certified”) and Sun Title in Grand Rapids, Michigan to see how his company is proactively addressing this increasing concern of wire fraud in the title and real estate industry.
CertifID was born out of necessity and has the potential to solve one of the industry’s biggest threats to the real estate transaction process.
A bit of background
Tom and his partner, Lawrence Duthler, started Sun Title at the beginning of 2005. They have since grown to be one of the larger agencies in Michigan. Their first encounter with wire fraud happened a decade later in the spring of 2015. The company lost $180,000 in a single scam that rocked the entire organization. As an owner, it was an especially sobering event.
“We’re in West Michigan, which is a high trusting, conservative family values area and what we experienced wasn’t even really on the radar,” Tom explains. “We had no idea of the level of sophistication that fraudsters were gaining and honing in on title operations as a target, including the ability to insert themselves between our escrow account and moving money out of that escrow account to sellers or lenders after closing, so we found ourselves ill-prepared for that threat at the time.”
Sun Title’s fraud incident involved a commercial transaction and there was a purchase agreement with a West Coast buyer that was in actuality a stolen identity. Tom and others at his company could have had no idea that the person on the other end of the transaction was running the same scam on multiple companies across six states.
At the time, Sun Title confirmed the transfer using all their best practices. All seemed well until the check bounced.
Consumers are more likely to go to the news or hire an attorney when it happens to them. Companies may want to avoid those optics, but these scams are affecting more and more real estate professionals, and accurate statistics showing just how common they are for lenders, title, and real estate companies are almost non-existent. Indeed, the fraud that Tom’s company experienced never hit the media and was never recorded in FBI statistics. So many of these incidents go unreported.
Steps to recovery
When Sun Title fell victim to this scam, there were no clear steps to recover their losses or assistance from federal or state authorities. There was no known, well-defined process with the FBI at the time, so the company had to figure out what to do on their own. “Our only hope for recovery was through civil litigation - a long and expensive process,” says Tom. “We were able to do that and recover $140,000 of the $180,000 but it took two years... and Herculean effort at that.”
These are sophisticated networks of multiple people across the globe. Tom says their fraud scam stemmed from one of the most sophisticated global cybercrime rings originating from Nigeria. “Our cast of fraud characters spanned several continents and multiple countries and ultimately landed stateside where there were a series of what are called ‘money mules,’ people who worked together to receive transfers of money and then break it out in multiple states to avoid recovery.”
These cybercriminals have perfected their scams in the three years since Sun Title first fell prey. The fraudsters are now so well informed about a title company’s next steps when wire fraud happens that they are able to give themselves more time by exploiting the typical best practices.
For example, Tom recently heard of another title company that was scammed. He detailed how the fraudsters know how to alleviate any concerns or suspicions about the transfer by proactively calling and posing as the fraud desk at the bank dealing with the money. “They are very sinister and manipulative people,” says Tom.
Even after three years and with the majority of the funds having been recovered, Tom and his company are still involved in this case. More nefarious characters keep popping up with a portion of the remaining money they weren’t initially able to collect. After discussing his case with a U.S. District Attorney in another state, it’s likely that the known ring of bandits is just a drop in the bucket as to how wide this particular criminal network is.
Why Real Estate?
“If you take a step back and look at how the industry operates, it is incredibly fragmented,” said Tom.
Buying and selling a home is typically the largest financial transaction for the average U.S. consumer. The large amount of money being moved on a global or national basis at one time makes the real estate industry an attractive target for criminals. Gone are the days of casing a corner bank and robbing the teller. Now, a network of criminals doesn’t have to leave their homes or change out of their pajamas for a payday. For example, the average bank robbery is only $7,000, while the average wire fraud is $137,000.
The second appealing aspect is the human tendency to trust. Technology has advanced the communication of real estate professionals and the speed of transactions without providing any safety net to confirm the identity of those on the other side.
“We describe it as ‘digital distance,’” explains Tom, “because not only the transactional workflow but the communication links sit within that ‘digital distance’ and criminals are able to impersonate someone at critical points in the transaction and trick a title agent or lender.”
What is social engineering?
In the context of information security, social engineering is the emotional and psychological manipulation of targeted people into performing actions or divulging confidential information. In the case of homebuyers and even real estate professionals, there is a lot of pressure and stress to get to the closing table within a tight time frame. Criminals know this. They exploit that stress and the gaps in communication and identity verification on the industry side, and they capitalize on the lack of experience on the buyer side.
“The weak link in all of it is the people. Every time.”
In the case of Sun Title, the company’s system wasn’t hacked. Their systems were secure. Instead, they were simply tricked into wiring money off a “cashier’s” check that later bounced. Even though we hear about the unfortunate buyers who are using cash to close, cybercrime rings are after the money at every touch point in the transaction, from the banks sending money to escrow companies to the wires for payoffs coming from the title companies.
How CertifID protects title industry professionals
Even though Sun Title experienced their first wire fraud scam in 2015, it wasn’t until the fall of the following year, after a series of other attempted frauds, that Tom and his partner realized they needed a better solution to the unyielding security risks. The level of detailed communication from imposters was so sophisticated and convincing that the company realized it was only a matter of time until they were hit again.
They set out to find a solution that would solve for two important needs:
1. How do we confirm the identity of the person at the other end of the device communicating with us in real time?
2. Once we confirm that identity, how can we share that critical information that someone will later rely upon?
Tom wasn’t looking for a project like this when he and his partner decided to create CertifID. They assumed that there would be a solution already available, but they had trouble finding a tool that addressed their two main concerns. “The pieces and parts were there,” explains Tom, “but the aggregation and decisioning engine were not, so we started to build it last year. We went to market right after the ALTA annual conference in November.”
“There is not a platform that performs the level of proofing or has any guarantee associated with it. We have a half-a-million-dollar guarantee on each wire.” Tom says it’s significant because there are gaps in the title industry E&O coverage in cyber policy and social engineering riders. “All these things we in the industry use to protect ourselves, there are all these carve-outs. And even if you were able to get a claim covered, insurance is challenging when you have a big claim, and you’re up for renewal. You risk not being able to get renewed.”
Get your Roadmap for Recovery Ready Now
Phishing is so commonplace now that Tom says agents can expect to be targeted on a weekly basis.
“We had one fraudster on the line that was trying to impersonate me to my COO to pay some invoice two weeks ago while I was with him. We kept him on the line until we could ID him through the IP address where he was located. We notified the bank where he wanted the money and then the FBI, so that guy probably had a very bad weekend.”
“I can’t say that it’s one thing that will keep us safe 100% of the time - it’s a layered approach that involves people, process, and technology. If you are not committed to improving in these areas, it’s only a matter of time before something will happen.”
The FBI states the first 72 hours will give you an indication of whether or not the funds you lost will be recovered, but Tom says it’s really the first 12 to 24 hours. Thankfully, the FBI now has a roadmap to follow when a title company is hit with wire fraud. After you file a complaint on the website of IC3 (Internet Crime Complaint Center), your local FBI field office will pull the financial fraud kill chain. This gives the FBI the ability to identify where the funds have flowed, freeze them, and assist in their recovery.
“You have to engage with your bank to blow the whistle so no further transfer can be made out of accounts that received your money. You have to drop everything. You have to follow that road map if you want to recover a dime.”
Test your vulnerabilities
In addition to having a roadmap for recovery if you are hit, there is a detailed set of best practices that the industry needs to adopt.
First, hire a third party to test the vulnerabilities in your company.
The first suggestion Tom has for those looking to improve their cybersecurity is to have a penetration test conducted on your system and hire a company to phish your team. The goal is to see what information your people unknowingly give up and how far that company can get once they have that information. You’ll get a report that shows where your vulnerabilities are between your technology and your people.
Email and Education
Next, you will be able to determine where to make your investments to increase security and mitigate risks. It’s a two-pronged approach: adjusting and updating technology, and continuing to educate staff and consumers about phishing attempts.
Email communications are a major point of technological vulnerability. Many email systems automatically block obvious malicious programs, so attackers will conceal a piece of malware inside other types of commonly emailed files. Once the malware is installed, it’s capable of destroying data and stealing information. Some of these programs can allow the attacker to take control of the user’s computer, give access to the screen, capture keystrokes, and access other network systems. Whenever Tom’s organization receives an electronic document, their IT scrubs every single attachment before it’s sent to the end user. So many of the documents sent via email have some type of malicious attribute associated with them.
Updating your systems won’t be enough. Title companies also need to be sure to have critical communications in place to prevent a scam from succeeding. Continuous education on how to identify a phishy email and check-ins with employees are vital.
“You’ll never get a 100% rate of people who can identify a phishing attempt. But you have to make the commitment to invest in continuing to educate.” Tom also suggests having real-time alerts that go out every time a wire fraud attempt comes in.
Those who don’t adapt will be left behind
Whether you realize it or not, every aspect of the real estate industry (lending, title insurance, and attorneys) is experiencing a tech revolution.
Sun Title completed its first remote e-signing back in 2007. The novelty of eClosings fizzled out after that, but Tom believes that eClosing will really “grip the road this year.”
“I’m excited about the direction that state lawmakers are adopting to allow eClosings to become commonplace over the next several years. It will take a lot of friction and busy work out of our closing process,” he said.
Biometrics is another exciting development with huge implications for many industries. The insights on user identity captured by devices on a more granular level will help to create even more security.
“You just can’t rely on a phone call to confirm identity because unless you know the person on the other end, that level of attestation isn’t enough anymore. I think it’s going to drive further investment in tech and consolidation across the board,” said Tom. “Those companies, big or small, that aren’t embracing those best practices, they are gonna get left behind.”