TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/1108750
24 | TH E M R EP O RT FEATURE Don't Rise to the Bait As phishing schemes and wire fraud increase, especially while closing on mortgage loans, it is time for the industry to step in and raise awareness about data security. By Bruce Phillips B y now, we've all heard horror stories about home buyers and sellers who were instructed to wire funds into a fake account and ended up losing hundreds of thousands of dollars and, in some cases, a place to live. Yet, most people have no idea how often these attacks happen—and how easy they are to commit. A key component to wire fraud is email phishing—a type of scam, where someone uses a fake email address and pretends to be a loan officer, title agent, or real estate agent to get a home buyer or seller to wire money into a fake account. The prime targets of email phish- ing are real estate closings when buyers and sellers are getting ready to transfer large sums of money to close their deals. The good news is that the signs of wire fraud are easy to identify. What isn't so easy is raising aware- ness of these scams among hous- ing consumers. But if we hope to stem the tide of attacks, it's critical that we make sure everyone can recognize the dangers and then change their behavior accordingly. Easy Prey I t's alarming how quickly wire fraud is growing in terms of the number of attacks and the rate of success of these scams. In 2016, the FBI's Internet Crime Complaints Center reported $360 million in losses from compro- mised emails. In 2017, the number jumped 85 percent to $676 mil- lion. And last year, according to the latest numbers we uncovered at WFG National Title Insurance Co., the cost was $1.5 billion. That's over a 300 percent increase in just two years! We also know that once cy- bercriminals find a weakness and launch a successful attack, they keep attacking. Word spreads too, as there is an entire criminal underground online community where thieves share their tech- niques and sell pools of consumer information. As long as they are successful, these numbers won't ratchet back any time soon. The trouble is email phishing is incredibly easy to commit. Most people don't buy homes very frequently, so the risk is not usu- ally at the top of their mind when going through the many different steps it takes to close a property transaction. Even within our industry, many loan officers and real estate agents seem unaware of how their behaviors can increase the risk of wire fraud. Email phishing schemes are often successful for two reasons: First, email is inherently unsafe and easy to fake. Second, cyber- criminals rely on social engineer- ing which involves tricking the victim into doing something that helps the criminal. This involves creating a sense of urgency and presenting a consequence if the victim doesn't act. For example, in a typical wire fraud scheme, the criminal will send an email saying there's been a change in closing instructions and that funds need to be wired within an hour or else the transaction will fall apart. Wire fraud often works because consumers don't understand the risks associated with using the internet. For example, when most of us join a social media website and come across a several-pages- long terms-of-service, we don't read it—we simply click through, completely unaware of the privacy rights we may be signing away. Wire fraud also works because nearly everyone involved in clos- ing transactions—the real estate agent, the loan officer, the title agent, and the consumer—uses email, which is usually the means for all of the communication around where to wire funds after closing. This puts every transac- tion in the crosshairs of criminals. Loan officers can fall prey to these scams too. That's why most of the largest national title compa- nies do not use email for shar- ing sensitive information. People login to their portals where wire instructions are published. However, some loan officers want title companies to email the wire instructions because it's more convenient for them. This places them at risk because emails can be easily spoofed. Faking It E mail spoofing—the forgery of an email header so that the message appears to have originat- ed from someone or somewhere other than the actual source— can be done by almost anyone, especially if it is from a free email account like Gmail or Yahoo. I don't use free email accounts for work, but if I did, and someone wanted to impersonate me and my user name was "bphillips" that person could just put the number "1" for the two l's in my last name ("bphi11ips"). The lower- cased "l" and the number one look similar. So does zero and the letter "O." After faking an email address, a criminal can put any name at the form at the top of the email, because Google and Yahoo do not check to see whether their users are using their real names. Criminals also often copy the email signatures used by actual loan officers and title agents to impersonate them on fake email accounts. Wire fraud at closing is just one of the many types of cyberfraud