Wire fraud continues to make headlines across the nation. Recently, a family in Orlando lost $46,000 in a title company imposter scheme. There’s a lot of talk in the industry and in media about the buyer losing money from these types of schemes, but those on the business side in the real estate and title industry often stay silent when they are victimized.
While at ALTA ONE this past year, we ran into Tom Cronkright of CertifID and Sun Title after his session on cybersecurity. He wants people in the industry to start talking more about the problem. His title company fell prey to a business side wire fraud scam years ago. After realizing there were significant shortfalls in protecting title companies from these kinds of attacks, it inspired him to create a technology to verify the identity of parties receiving funds from settlement agents. He’s sounding the alarm on the latest way fraudsters are targeting title agents and law firms. Watch our interview with him to learn more.
What is payoff fraud?
Payoff fraud is when fraudsters impersonate a lender or another title company to receive the funds from disbursement after the settlement process, either from refinancing or the sale of a property. Fraudsters use common tactics found other wire fraud scams to send a falsified payoff statement with wiring instructions to the targeted settlement agent.
Tom predicts that in the coming months, payoff fraud will “dwarf the buyer-side fraud because there is so much more money moving on payoffs to mortgage companies than there are seller proceeds after close.” This is especially true for those agents working on commercial real estate deals. The couple in Orlando lost $46,000 dollars, but that’s chump change compared to the amount of money that’s transferred on the business side of real estate settlements. The fraudsters know it and formulate ways to insert themselves into the transaction.
How do cybercriminals commit payoff fraud?
The usual phishing and social engineering are part of the payoff fraud scheme, but they also create elaborate spoofed portals and pose as individuals involved in the transaction, usually the lender or mortgage holder.
The internet has made our lives easier in a lot of ways, and it’s made doing business more transparent and accessible. Unfortunately, the accessibility and transparency that the internet provides mean that cybercriminals have all the information they need to pose as an entity’s website and impersonate an individual that’s part of your upcoming transaction.
A spoofed portal or website is a page that mirrors another site’s URL and page content. Unsuspecting victims are usually lead to these sites by clicking on a link in an email that looks like a legitimate communication from a financial institution or another title company. If a company hasn’t taken proper cybersecurity precautions, it’s also possible for hackers to gain access to the site itself and redirect visitors to a fake site where the criminals capture sensitive information like social security numbers and bank account routing numbers.
Tom mentions how fraudsters will often redirect settlement agents going to a bank or lender site to request a payoff letter to a spoofed site. Here they will download a falsified document with fake wiring instructions.
Spoofing of treasury management platforms is another way in which fraudsters gain access to your account information and then proceed to drain out all the money.
Faxes should also not be considered safe. Many companies use online faxing services, whose URL can also be easily spoofed. Only use online faxing companies with secured lines that encrypt transmitted data and stored pages. Follow the same best practices for password protection for your fax accounts as you would for your email accounts.
Verification of identity over the phone is always considered good practice, but there are ways that fraudster can even intercept calls and fool you into thinking you’re speaking to someone you aren’t. Technology is sometimes working against us. The app, SpoofCard, is touted as a popular way to “protect your privacy every call.” While it’s absolutely illegal to use these kinds of apps to intentionally defraud someone, that doesn’t stop criminals from using it for nefarious purposes. They’ll be prosecuted should they ever be caught, but catching cybercriminals is nearly impossible.
To prevent being the victim of a spoofed call, never wire instructions based off a call you received. Instead, always be sure you are the one to place the call based on the original contact information you have from the lender or title company. Be sure to always follow up with the party after placing the wire to make sure the funds were received. If possible, pay the lender or title company an office visit in person to confirm.
How do we stop payoff fraud?
The same way we prevent any type of fraud. Tom advises that after the identity of all the parties involved is verified, title companies should be:
- Educating buyers and sellers
- Training their staff on how to spot a phishing attempt or social engineering scam
- Leveraging technology to stop attempts
“We’re the custodians, we’re the protectors and the guardians of the transaction,” says Tom.
Title agents and attorneys should do more to protect the consumer, especially those who are first time buyers, from being defrauded through education.
Educating buyers and sellers
The American Land Title Association created this video to educate buyers on wire fraud and how to avoid it. Share content like this with the real estate agents you work with regularly or share it directly with the buyers you’re working with. If possible, add it to your website and share it on your social media platforms. Make sure real estate agents also understand how these same tactics are used against them as was the case in the story of the Orlando couple. Here are five tips for real estate professionals to follow to prevent their email from being hacked.
Training internal staff
Be sure your team knows how to spot an imposter. Whether it’s a buyer or business side, there are common factors to every wire fraud attempt.
Three red flags that you might be getting scammed:
- New or changed contact information and wiring instructions
- A sense of urgency
- Something bad will happen if you don’t act now
In addition to paying attention to the psychological tools of manipulation, there are other ways to spot a phishing attempt. Spend time training your eye on how to find a spoofed URL from the emails you receive. As Tom states in the video, some of the dead giveaways of a fake email is the use of certain words and grammar. This quiz from Jigsaw and Google was designed to test users’ ability to spot the latest and most sophisticated scams based on cybersecurity training with more than 10,000 journalists, activists, and politicians around the world. Take a minute to try it out. See if you can beat my score of 6 out of 8!
Leverage technology to stop attempts
The technological and psychological tactics that cybercriminals use to defraud people is often developing faster than any best practices and training your company puts in place. It’s a shame that intelligent and creative people are using their talents to create devastating chaos in the lives of others, but title and real estate professionals need to stay ahead of their games.
In addition to the usual tactics to ward off cyber attacks like setting up firewalls to filter out harmful emails, VPNs, and two-factor verification, there are a few tech companies focused on providing an added layer of protection against wire fraud. CertifID, Tom’s company, was one of the first on the scene with a tool for title agents to help by verifying individual’s identity by any device, whether it be their business desktop or personal phone, and confirming lenders by certifying their bank accounts. If you’re a ResWare user, you’ll be happy to know that CertifID recently integrated with their platform.
Other companies offering security on wire transfers include Vialok and Safechain. If you’re looking for extra peace of mind to add to your title company’s process, consider using one of these companies to protect you and your clients from wire fraud.