As we move into the busy spring real estate cycle, criminals are targeting real estate agents and closing attorneys with increasing frequency. The scam begins with what appears to be a legitimate email from a party involved in a real estate transaction with the anticipated wire transfer instructions. The email is sent from a buyer's real estate agent with instructions on where the buyer should send a down payment, or from seller's counsel to the closing attorney. What you don't know is that a criminal has been broken into the email of the realtor, watched email traffic and sent an instruction to wire the funds to their account rather than the valid account. Once the funds are wired, the thief tests the transaction via a transfer to another bank or an over-the-counter withdrawal that is typically under the $10,000 reporting threshold. If that transfer or withdrawal is successful, the remaining funds usually disappear within 24 hours.
Those involved in the real estate industry should implement a series of protocols designed to identify potentially fraudulent emails before a wire transfer is sent that includes the following tenets:
- Realtors, lawyers, and settlement agencies should all be utilizing multi-factor authentication for email. If they have not implemented this control, then sensitive information should NOT be sent via email. The Federal Trade Commission has cautioned, "Email is not a secure way to send financial information, and your real estate professional or title company should know that."
- Do not attach sensitive information to an unencrypted email, such as a closing package sent within a .PDF file. If files must be sent via email, the .PDF should be protected, and a password provided over the telephone or by mail.
- Do not allow funds to be wired without confirming the information via telephone, to a verified telephone number and individual. Do not rely on email signatures sent within an email containing wire instructions to provide contact information. These criminals are sophisticated and will alter signatures to reflect their telephone numbers to flout your attempt at confirmation.
- Do not click on links in unverified emails. Malware, ransomware, and other viruses continue to be an issue across all industries.
- Do not forgo annual training on security issues for your employees. Hackers are utilizing increasingly sophisticated techniques to gain access to secure systems. Annual training on your company's requirements to secure information and protect against potential fraud is vital to protecting your business's reputation.
- Change passwords more frequently, as in every 30 days, until multi-factor authentication can be implemented.
If an incident occurs, you should immediately consult your data breach response plan to formulate next steps. In cases where the fraudulent wire has already been sent, immediately contact banks or other financial institutions in an attempt to stop the wire. Then, file a police report and contact the Federal Bureau of Investigations to submit a report.
Those in the real estate industry have seen wire fraud scams increase exponentially in the past few years, with hundreds – if not thousands – of closings affected. Businesses can effectively insulate themselves from these attacks by utilizing the expertise of cybersecurity professionals to craft appropriate procedures that will help prevent scammers from gaining access to their secure systems.