If you are an attorney, title agent, realtor, broker, lender, home buyer or seller, or an individual or business that even occasionally sends or receives wire transfers, there is significant likelihood that a skilled hacker is working feverishly on conscripting you and your business into a $5 billion (and growing) illegal industry. Importantly, the perpetrators track and target emails, so even if you are not involved in the actual sending or receiving of wire transfers, the aforementioned parties could be unwitting enablers and facilitators of fraud.
This article will address relevant terminology, common scams, strategies to help minimize your risk, and share suggestions if you or a client becomes a victim of such a scam.
Among the new terms of art and acronyms to be incorporated into our lexicon in 2018 are the following:
- Business Email Compromise (BEC). A sophisticated scam targeting businesses [often, but not exclusively] working with foreign suppliers or businesses that regularly perform wire transfer payments. BEC is the broader term often used for more specific types of scams, including EAC, defined below. Victims of BEC are typically businesses that deal with suppliers, and although BEC scams are not being addressed specifically in this article, the types of scams discussed below are sometimes generically referred to by law enforcement as BEC. While not the focus of this article, BEC is often used generally to identify these types of schemes.
- Email Account Compromise (EAC). This self-descriptive term is the more likely scam to affect the business and individuals mentioned in the introductory paragraph. This is sometimes referred to as “account hijacking.”
- Data Breach. A leak of, or unauthorized access to data from a secure location to an untrusted environment.
- Federal Bureau of Investigation Internet Crime Complaint Center (IC3). The FBI’s reporting center where internet crimes can be reported and information pertaining to internet crimes obtained.
- Financial Recipient. An account holder receiving fraudulent funds.
- Malware/Scareware. Malicious software intended to damage and in some cases disable computers and systems.
- Phishing. While not a new term, “phishing” plays a role in many of these scams. It involves emailing potential victims in an attempt to scam the user into surrendering private information.
- Spoofing. Forged or fake electronic documents. This includes forged emails that have the appearance of, and look substantially similar to an email from a trusted colleague, client, attorney, vendor or service provider. This is the lifeblood of EAC.
Social media and particularly emails are being monitored. Perpetrators monitor the status of real estate closings and financings. This may be in the form of monitoring a buyer or seller’s email, realtor’s or title agent’s email, or any other party to the transaction. At the appropriate juncture in the transaction, the perpetrator will email one or more parties with a spoofed email, and typically request a change in payment type–perhaps from check to wire transfer, or change in wire instructions directing funds to the recipient bank/account number.
A challenge in properly protecting against EAC is the notation that a spoofed email is easily identified. In this billion dollar a year industry, the perpetrators are advancing in sophistication. Consider the following example: Seller lists her home for $1M with Realtor One. Buyer communicates with his realtor, Realtor Two. A contract is entered into. Seller communicates with Attorney One, Buyer with Attorney Two and with Mortgage Broker. Realtor One, Realtor Two and Mortgage Broker in turn send emails to individuals within and outside of their respective organizations. Buyer may also send the contract and loan commitment to the absolute best real estate attorney in the world, his daughter, a former insurance defense attorney. Now we have Attorney Three in the loop and more than ten people exchanging emails, likely forwarding threads containing email addresses and email signature blocks. All that is needed is one person’s in the loop email being monitored.
The perpetrator will create a fake email address that looks substantially like that of a trusted party, transposing two letters, but the mimicked email will look in all material respects like an authentic email. Buyer, in this example, will receive a purported authentic email, advising that the closing agent has changed wire instructions, and asking that Buyer disregard the original instructions and utilize the new wire instructions. Buyer sends the wire, and a day or so after closing, Buyer receives a request for status of closing proceeds, and quickly the scam unfolds.
The financial recipient can be–but not always–the name of a shell business, with a name very similar to a title company, real estate office, etc. The account is referred to as a “drop account.” Funds are quickly moved from the drop account to other accounts by way of bank check, wire or cash withdrawal.
Personal email accounts as may be used by your client, or a vendor such as a realtor or title agent are particularly vulnerable.
Practices to Minimize the Threat
If you are involved in real estate closing or financing, you, your firm and your clients are targets. Big firm, small firm; large institutional client or mom-and-pop. With the volume of parties involved in a typical transaction, the possibility of an EAC and spoof emails multiply.
The best protective protocol is advising the client, at the outset of your representation, that any wire transfers sent on their behalf, even to them, will require their written and verbal consent. For instance, if you are serving as closing agent and paying off a loan pursuant to a payoff letter, call the lender to confirm wire instructions. And yes, call your own client to confirm accurate wire instructions in the event your client’s email was hacked and you are the recipient of false wire instructions.
Let your client know that you will not change your wire insurrections during the pendency of the transaction, absent both written and verbal communication from you. Moreover, your client should confirm wire instructions to any third party with you, and alert you if they receive a direction to alter a payment.
- Being aware of the scams, and maintaining a heightened sense of concern and scrutiny is warranted, and will aid in the identifying and reduction of fraud.
- Review emails with a critical eye.
- Compare actual email addresses, not just names of senders.
- Error on the side of making an inquiry.
- Initiate a dialogue with your bank in advance of any issue. Know with whom you should contact, bearing in mind that their wire fraud/business crimes department may be out of state. Time is of the essence when facing a wire fraud. Ideally you will have appropriate contact people at your fingertips.
How to Address Actual Wire Fraud
The worst nightmare for a title agent, realtor or attorney, and even more devastating to our clients, is becoming a victim of wire fraud. To remedy the situation, timing is absolutely critical. The first call should be to your bank that initiated the wire. Can they reverse the wire? While the ideal result, it is often too late or not an option for your bank. Both your bank and the financial recipient bank should immediately commence investigations. Requests should be made for the financial recipient’s account to be frozen. This may require your bank and likely other parties entering into hold harmless and indemnification agreements. You should also ask your bank or the recipient bank to send a Financial Fraud Kill Chain request to the FBI.
Jurisdiction for wire fraud cases are shared by the FBI and U.S. Secret Service. Both agencies should be contacted immediately in the event of an actual or attempted wire fraud. In addition to their assistance in investigating these matters and tracking funds, they may have the appropriate contact information for people within the financial institution. Your goal is to get beyond the wire room and speak directly with the bank’s financial crimes or similar department.
There is a significant risk that a transaction your firm is working on will, in some way, be compromised due to a data breach, EAC, or other scam. By educating staff and clients, incorporating reasonable, protective protocols, understanding the trends in email and wire related scams and knowing who to call in the event of a breach, you will be doing your clients a tremendous service and substantially reduce your risk of becoming a victim of wire fraud.
Daniel A. Kaskel is a partner with Sachs Sax Caplan in Boca Raton and chairs the firm’s transactional law group. Contact him at dkaskel@sccLawFirm.com.