it can happen to you - ClickDimensions

3 downloads 189 Views 869KB Size Report
the highest level of customer service in order to ensure a continuing ... Title and escrow agents have a number of tools
I T C A N H A P P E N TO YO U

In June 2017, Lori Sattler prepared to sell her Manhattan apartment. She received an email from someone she believed to be her attorney, requesting that she send money to an account. Following the instructions, Sattler wired nearly $1.1 million to the account. The funds were diverted to Commerce Bank of China, never to be recovered. Sattler was not just a home seller; she is also a New York State Supreme Court judge. While it may surprise you to learn that a public figure with advanced legal experience could fall victim to an email phishing attack, cyber crime targeting real estate transactions has become a serious threat to anyone involved in the sale or purchase of a home. Virtually everyone — from someone with the legal expertise of Sattler to an administrative professional in a small, one-county title shop — can be a target for a cyber criminal. Each player in the transaction has the power to allow fraud to occur, or prevent it from impacting a client or customer. Here are five common victims of real estate cyberfraud scams, the particular fraud attempts frequently aimed at them and some tips for how they can become more Cyber Strong.

Party: Title/escrow agents Impact: Compromise of wire instructions/funds Prevention/remedies: Provide detailed wire instructions to customers at time order is opened; verify requests to change wire instructions with customers in person or via telephone using contact information on file; never share wire instructions via unsecured/unencrypted email; do not respond to requests for last-minute changes or to speed up transaction. Fraudsters have become very knowledgeable about title and settlement practices. They understand the title agent receives and disburses closing funds received from the parties and lenders. This knowledge makes the title agent a strong potential target of social engineering attacks that seek to gain access to wired funds. Escrow officers are often the business generators for the title company. They have relationships with lender or real estate customers, and ensure that all parties provide the highest level of customer service in order to ensure a continuing stream of referrals. They are often the first party to connect with the fraudster, and in striving to appease their customer, they may pass on false information or comply with a sudden demand for speed in the transaction. Title and escrow agents have a number of tools to combat these threats. First, they can provide their lender and real estate customers with a detailed plan for how funds are to be wired at the time an order is opened. They should emphasize to their customers that wire instructions are unlikely to change at the last minute. However, if such a request is made, they may require the party to appear in person in the settlement agent’s office and present a photo ID to confirm their identity, or call them using the contact information on file. Email accounts should be

secured and encrypted to lessen the risk of hacking, and title and escrow agents should refrain from discussing or sharing wire information via email. They should also resist any requests to speed up the transaction and take the time to ensure that all of these practices are followed. Finally, they should train their staff at all levels to expect these attacks and share these steps to thwart them.

Party: Attorneys/law firms Impact: Compromise of wire instructions/funds Prevention/remedies: Use only secured, encrypted email accounts; never use free e-mail services; use dualauthentication processes/secure client portals; scrutinize all sender/recipient email addresses to verify that emails match your clients’ email addresses on record. Attorneys and law firms communicate daily with clients, customers and consumers. Many have implemented protections for their systems and confidential client information, such as using secure, encrypted email accounts. However, it is important to remember that other parties may not have implemented the same level of protection. Transaction details are only as safe as the weakest link. If clients’ parties are using free email servers, for example, any exchange can be easily intercepted by a fraudster who clones an email exchange or slightly modifies an email address (e.g., [email protected] vs. [email protected]). Attorneys and law firms can employ dual-authentication processes and client portals through which verified clients can access documents and email exchanges with their counsel without threat of phishing or other cyber attacks. They should also scrutinize all sender/recipient email addresses to verify that emails match those they have on record.

Party: Real estate professionals Impact: Email hacking/phishing scams; theft of clients’ nonpublic personal information (NPI) Prevention/remedies: Secure/encrypted email accounts; follow pre-established wire plan; safeguard NPI with electronic/physical storage and destruction methods. Real estate professionals are a fertile target for cyber criminals. Although many large real estate companies have effective e-mail encryption tools in place, these can be costly and often overlooked tools for smaller shops. Even when a real estate sales professional is associated with a national company with all the bells and whistles for protection, the individual may want to keep his customer lists confidential and resort to using his personal email account. This opens exchanges with buyers, sellers, lenders, attorneys and title agents, as well as consumers’ nonpublic private information (NPI), to spear phishing attacks. Real estate agents and brokers should use only secure, encrypted email accounts to communicate with clients and other parties to the transaction. When a title or settlement agent sets a plan for how wire instructions are to be carried out, real estate professionals should follow it and question any deviation or requested changes with the title/settlement agent, either in person or via telephone. To protect clients’ sensitive information, real estate professionals should follow best practices concerning the storage and destruction of such records.

Party: Lenders Impact: Business email compromise; theft of clients’ NPI Prevention/remedies: Use secure/encrypted email accounts; follow pre-established wire plan; safeguard NPI with electronic/physical storage and destruction methods; obtain closing protection letter (CPL, in applicable states). As email exchanges which precede a closing bounce back and forth, lender representatives can be the victims of business email compromise directed at obtaining the private financial information of the parties to the transaction. While many larger institutions have strict protocols and processes that are designed to prevent release of that data, they are still at risk. Many smaller and local lenders and banks may not be as sophisticated, and in their pursuit of the highest level of customer service, release private financial details that fraudsters

can use to their advantage. E-mails sent directly to a bank officer by a hacker posing as a high-net worth bank customer may cause these professionals to set aside strict protocols in favor of a consumer-friendly approach with correspondingly lower security protections. Like other parties to the transaction, lenders should use only secure, encrypted email accounts and follow the wire transfer plan established when an order is opened. They should also follow best practices concerning the storage and destruction of clients’ NPI. They may also take advantage of closing protection letters (CPLs) in states where they are available to protect themselves from the fraudulent acts of a title/settlement agent in handling funds.

Party: Consumers Impact: Theft of NPI and closing funds Prevention/remedies: Monitor suspicious activity; litigation.

credit

reports

for

Despite news of recent attacks on credit reporting agencies such as Equifax, where the personal financial details of thousands of consumers have been hacked, many consumers are still unaware of the scope of cyber criminals’ infiltration into the real estate and title industry. The average consumer may only buy and sell a home once or twice in their lifetime, so they are novices who are unprepared to thwart the attacks of fraudsters. What’s more, the increased use of electronic mortgage applications may also build a false sense of security for other, less secure exchanges involving a real estate transaction. It is incumbent on the professionals in these transactions to warn consumers at every opportunity. However, if a consumer has reason to suspect that his NPI or funds have been compromised, it is advisable to check his credit report on a regular basis for any suspicious activity. Consumers harmed by cyber attacks are also increasingly turning to litigation against their real estate, mortgage and settlement service providers. Proof of which party to the transaction was the weak link that resulted in the cyber crime is difficult to secure, so all parties are at risk for being brought into litigation to answer for a significant loss. This report is part of our 2018 Cyber Strong campaign. You will continue to receive news and tips from NATIC to fight the growing incidence of cyberfraud. Next up: A review of current litigation involving cyberfraud.

www.natic.com

©2018 North American Title Group, LLC and its subsidiaries. All Rights Reserved. North American Title Group, LLC and its subsidiaries are not responsible for any errors or omissions, or for the results obtained from the use of this information. North American Title Company and NATIC and related designs and Simple. Done Right. are service marks or registered service marks of North American Title Group, LLC or its corporate parent. | NATIC 18-12489 R 1.22.18