When Hackers Strike
By: Troy Crawford | Claims Counsel
Lawyers Mutual Liability Insurance Company of North Carolina
A REALTORS®’ purpose is to help clients find a home, a safe haven for their families and loved ones. So, what happens when hackers strike and completely rob that family of their security and dream?
Picture this scenario…a young couple is very excited about closing on their first home, one they saved for years to purchase. Throughout the process, they worked with a REALTOR®, and thought nothing of it when they received an email from this REALTOR® requesting they change the wiring instructions to a different account with the closing attorney. Little did they know this email was a scam. In an instant, all of their hard-earned savings was gone…all of it. Without the available funds, the couple is unable to move into their new home, and with no other existing residence under contract, faces the future with no place to call home and no way to pay for alternate housing.
This situation is based upon hundreds of similar accounts across the United States, resulting in tens of millions of dollars being directed to international criminal organizations. These scammers are smart, sophisticated, and their methods are constantly evolving. So, how do they do it?
1. Extraction: The hacker uses something called an “email extractor,” or software that enables them to collect addresses for thousands of people in a particular industry. If they were to choose the real estate industry, for example, agents, brokers, officers and anyone with a real estate-related extension in their email address gets targeted.
2. Phishing: The hacker sends a phishing email to the thousands of addresses they just harvested. These emails are designed to look very official and include links or attachments. All the hacker needs is one agent to take the bait, and they’re in, with full access to that particular agent’s account and client information.
3. Research: The hacker then takes the time to learn everything from listing addresses to sales prices to loan amounts and title company names. Sometimes hackers observe accounts for months at a time to learn local and industry-specific terminology, processes, diction and individual transaction details.
4. The strike: The hacker uses this research to send an email to buyers, instructing them to reroute funding from their lender to a new, fraudulent account. Since the hacker is actually inside the agent’s email account, it looks like a very legitimate message and buyers are likely to trust it and the instructions.
Reports of wire scams surfaced in North Carolina beginning in 2015, but over the last two years, several dozen instances have been reported. The money stolen in those instances includes both incoming funds necessary to complete a home purchase and the net proceeds due to sellers. Additionally, there have been instances of loan payoffs being diverted. In an effort to educate the real property lawyers to the risks and available preventative efforts to protect home buyers and sellers, Lawyers Mutual, the North Carolina State Bar Association, various title insurers and their agencies produced numerous alerts, articles, continuing education seminars and videos. However, the instances of fraud continue to increase, with more reported events in the first five months of 2017 than in 2015 and 2016 combined.
Real estate professionals rely on technology for instant and remote communication and the ability to close back-to-back transactions, including sending and receiving wires. It is also no longer practical for closing attorneys to deposit checks and wait for the funds to clear the Federal Reserve banking system. Because of this, professionals must work diligently to avoid being the source of a compromise.
Keep Your Clients Safe
Additionally, real estate professionals must educate clients to the risks presented in sending and receiving wires. Unfortunately, clients are the parties most likely to be inconvenienced by new preventative measures, during what is admittedly an already hectic and stressful time. Here are a few important recommendations to communicate to your clients:
1. Wiring instructions should only be provided in communications directly between the closing attorney and the party sending or receiving a wire. Allowing wiring instructions to be forwarded through a REALTOR® or other party allows an additional point of interception, adds to the delay of their receipt, prevents other security measures and potentially creates liability for the REALTOR® or added party.
2. EVERY wire request initiated by the closing attorney should be verified and the more personal the verification, the better. For seller proceeds, it is important for insureds to verify wiring instructions in-person at the closing ceremony. There is no known wire fraud that has taken place in the United States when an in-person verification occurred.
If all sellers are unable to attend the ceremony, it is recommended that wiring instructions be included in the same package as the deed, lien waiver and other original closing documents. Also utilize a signed and notarized seller wiring directive, if possible. But even then, the closing attorney should attempt to verify the instructions over the telephone directly with the seller. Reminding your seller client that such a call will likely be necessary can avoid additional delay in disbursement of funds. Email verification alone is inadequate.
3. Before sending any wire, buyers, their parents or anyone sending funds on the buyer’s behalf should verify the accuracy of the wiring instructions directly and exclusively with the closing attorney. Contact information should be obtained directly from the attorney’s web page, and not from the email used to transmit the wiring instructions.
4. Any request to change wiring instructions should be assumed to be fraudulent. Hackers often use the phrase “wiring instructions changed due to a banking error or other fraudulent activity” when trying to extract funds from buyers and sellers. Any email with that phrase or similar, must be treated as suspicious and be followed up with a phone call to verify authenticity.
Closing attorneys will not change wiring instructions during the course of an individual closing except under the most extreme of circumstances. Should sellers legitimately need to change wiring instructions themselves, they should understand this will be considered a major red flag to the closing attorney and extensive verification will be required. Insureds are advised not to accept changes to wiring instructions and to only transmit a check when instructions change.
5. Faxed wiring instructions should not be assumed to be any safer than those received via email. Numerous ‘spoofing’ services exist which allow a sender to display any number on Caller ID and the printed sender line. Like all other wiring instructions, those received via facsimile transmission should be verified in person or through a telephone call to the law office, using contact information not included in the fax.
6. Wires to a closing attorney should be sent only to the law firm’s trust account. The name on the trust account should match the law firm name exactly and should be in the same geographic location as the office.
7. Attorneys should never send wires overseas. Once money leaves the United States, it is likely gone forever. Most individuals and small businesses owning property in the United States should have a domestic banking relationship.
8. After initiating a wire transfer, buyers should telephone the law office and provide details of the wire transmission and specifically request the attorney’s office confirm receipt. If the wire is not received in a timely manner, the delay should be investigated and possible remedial action taken. The ability to reverse wires is more successful when fraudulent activity is detected within 24 hours of transmission.
Again, the confirmation of transmission telephone call should be made using contact information directly from the attorneys’ website and not the email or fax containing the wiring instructions.
9. Likewise, sellers should expect to receive a telephone call from the closing attorney verifying their proceeds were transmitted and the details of the wire. Sellers should review the details to make sure they are accurate and immediately inform the attorney.
Best Practices for Agents
While additional security procedures are encouraged beyond the scope of this article, those listed here are free and easy to implement. Users with even minimal technical knowledge should be able to apply these measures to day-to-day business operations. For even more protection, however, consult an IT professional to ensure security measures are up to industry standards.
Here are a few recommendations for all real estate professionals to adopt:
1. Proper password security. Not only should passwords be sufficiently complex, they should change regularly. A key element of wire scams is the hacker’s research stage, where they are monitoring email accounts for lengthy periods of time. Changing passwords regularly may deny access to hackers before the opportunity to strike ripens.
2. Multi-factor authentication. This service is provided for no charge under most email programs including Outlook 365 and Gmail. While the specifics vary, utilizing this feature requires a user to complete additional verification steps before new computers or devices can access an email account. For example, an account holder will receive a six-digit code via text message, which then must be entered into the new accessing device. Should an unauthorized device be used in an attempt to access the account, the user is notified immediately.
3. Reviewing IP logs. While potentially more technical than the other steps, this free, preventative measure allows the user to see the physical location of devices accessing the account. If devices appear outside the United States or anywhere the user has not traveled, fraudulent activity should be presumed.