If a fraudster wants to try to convince a home buyer to wire the down payment for their new home to a fake account, they need two things to do it well:
- A convincing impersonation of the person working for the title company sending the wiring instructions, and
- The date and time the transaction is supposed to take place.
The problem the industry is currently facing is that all of the communication about a home purchase occurs over email, and if anyone on a single group email account is compromised, the fraudster has all the ingredients they need to swoop in right before the purchase and convince the buyer to wire their down payment to a different account.
Title companies have fought back against this fraud by creating email signatures that say OUR COMPANY DOES NOT CHANGE ITS TITLE INSTRUCTIONS! This signature helps, but clever fraudsters have still been able to convince buyers to wire the money to the wrong place through confusion and other tricks. If the home buyer doesn’t alert their bank and the FBI within 24 hours, the money is likely lost forever. Reputations are tarnished all around, but the real weight of the loss falls on the buyer.
Whichever software the title company uses, be it ResWare, Qualia, SoftPro, or one of the many others, most communication is done over email. In these transactions, there are always at least three parties involved: The title company, the realtor, and the buyer. Let’s pretend that we are criminals, and we want to steal the down payment on a home purchase. Who should we go after?
If we could trick the title company, we would be in for a massive payout. A medium-sized title company is responsible for 10-100 wire transfers per day. However, they have lots of security protocols in place. Multi-factor authentication is enforced. Email authentication protocols like SPF, DMARC, and DKIM records make it hard to spoof their email addresses. Their insurers require firewalls, disaster recovery plans, and audits. An employee who has worked there for any duration has seen and heard of lots of different types of attempted scams so they’re not likely to fall for it. It would be difficult to compromise a title company's security.
How about the buyer? They are the source of the cash, but it’s hard to obtain enough buyers’ email addresses to make our efforts worthwhile.
And then there’s the realtor. Some real estate companies take security very seriously. These agencies employ realtors with their own @domain.com email addresses, so they can enforce multi-factor authentication, investigate suspicious login attempts, provide secure computers, and stop an attacker from setting up email forwarding. This approach is becoming less popular, however, in favor of the ‘Agent-Centric’ business model. In this environment, the parent company provides public PCs, printers, and office space to smaller realty companies. In exchange, the smaller companies pay a portion of their sale commissions for access to these resources and help with the paperwork.
Small realty companies that work in this environment are juicy targets. Shared computers and network drives at these offices can be security nightmares. Their success relies heavily on communicating with lots of people and opening email attachments, which are inherent risks. Once an account is compromised, a stealthy attacker can set up forwarding rules to a new email address; this means that even if the realtor changes their password, the fraudster will still be able to read all the realtor’s incoming mail.
So, what else can each of the three groups do, to combat wire transfer fraud?
- Only provide schedules and wiring instructions directly to the buyer, when possible. If a realtor’s email account is compromised, you will be enabling the fraudsters.
- Flag any transaction where you receive a report that the buyer received fake wiring instructions. Document which realtors, loan agencies, banks, and buyers were involved in the communication of this transaction. If any party is ever flagged twice, refuse to do business with them again until they perform a security audit. We perform these audits regularly - please send an email to firstname.lastname@example.org if you are interested.
- MULTI-FACTOR AUTHENTICATION, multi-factor authentication, multi-factor authentication.
- Paying a small monthly cost for an MSP or IT contractor is worth it. They will keep your devices, security software, and email accounts safe. Again, please contact us at email@example.com if you are interested.
- If any of your clients have ever received fake wiring instructions, reset your password and check your email filters and forwarding rules to see if a third party is receiving copies of your emails.
- When it comes to sending your money, you can never be too careful. Remember that wiring instructions are never changed. Call your title company to confirm the accounts you will be wiring to, at a number on their website - not in any email signature.
- If your realtor is a small outfit, be especially careful. Ask them if they use multi-factor authentication on their email.
By taking a few extra precautions, all three parties can work together to produce a much better outcome for their reputation, and the buyer’s hard-earned cash.