How hackers are targeting title and settlement companies

Wire transfers in the crosshairs

Olympic Peninsula Title Co. CFO Maureen Pfaff knew something was off when she received an email from her dad, the company president, marked with a red exclamation point. In a formal tone, he was asking her to wire money immediately to an account she didn’t recognize.

“We have big (job) titles, but we’re a small, family-owned company and we work in the same building,” she said of her Port Angeles, Washington-based company that has 22 employees and two locations. “My dad is not involved in that part of the business, so I knew this was probably not my dad sending the email.”

Pfaff had heard of this scam from another title company similar in size. In that case, the father, who was the CFO, fell for it and sent the money to the fraudsters.

Because title companies often handle the closing and disbursing of funds, they are a huge target for hackers and scammers. According to Booz Allen Hamilton, third parties were the No. 1 security risk to financial services firms in 2015.

Olympic Peninsula has been the target of wire fraud three times in the last six months. In the first instance, a hacker infiltrated one of the seller’s accounts on a $350,000 sale, but it was derailed when staff noticed the sender’s email address contained .com.za. The company’s policies ensure staff is in touch with all transaction parties on the day of the closing, and the company has an iron-clad rule to confirm any changes.

“When you think of how chaotic it can be on closing day and if we’re closing 10 transactions that day, we can never stress enough to our staff that time is of the essence,” she said. “You have to double-check everything you do.”

THE GROWING THREAT

For title and settlement companies, the money they handle for other people is the lifeblood of their business, and any action that compromises the security of that money is the quickest way to go out of business.

Dick Reass, founder and CEO of RynohLive, a financial management and fraud prevention system designed for title agents, identifies email and Internet use as the two greatest threats to a company’s security. To avoid security intrusions, he recommends title and settlement companies do the following:

  • Limit where employees can go on the Internet, including social media
  • Don’t allow employees to access personal emails via work laptops, etc.
  • Don’t allow the downloading of non-work-related pictures

Reass also said agencies should be using dedicated stand-alone, non-networked computers for online banking with dual authentication.

Hackers are evolving their methods, using malware to breach emails and firewalls. They can mimic emails and voice mails and convince unwitting employees to redirect wire transfers, so training employees to slow down and question anything that seems “off” is key. 

“It only takes one person in your organization to open the wrong email or go on the network with an iPhone and empty out your account,” he said. “Policies and procedures are the most important part in making sure you have all the controls in place and that you’re constantly checking them.”

Cybersecurity has become such a big concern that the American Land Title Association offered seven professional development sessions on the topic at its 2016 Business Strategies Conference in March. ALTA has also created well-known best practices to help guide the industry’s policies and procedures.

But the threats to title company security aren’t just hackers: Fraudsters can also lurk inside the business. Defalcation, when an owner commits fraud, has cost title companies millions of dollars in recent years.

In February, the Texas Department of Insurance seized a Dallas-area title insurance agency after allegations surfaced that the company’s owner disappeared with millions of customers’ money. Millennium Title’s owner, Nancy Jackson Carroll, was arrested less than two weeks later.

In a case last year, Robert M. Sebia, owner and operator of Crystal Title Agency in Pennsylvania, pleaded guilty to stealing $7.7 million that was supposed to be used to pay off more than 28 mortgages on properties that were sold.

Another CEO, Nathan Hardwick of LandCastle Title, was recently arrested on charges of embezzling at least $20 million from that company.

Escrow theft by the owner or an agent also is a problem. According to a report by Demotech Inc., one of the most common forms of escrow theft occurs “when a settlement agent receives funds to apply to a real estate transaction, but rather than disbursing the funds properly, the agent steals the funds for his or her own benefit. The agent will often continue making payments to the previous lender, which keeps the loan current and covers the fraudulent activity for a time.”

In the 2014 U.S. State of Cybercrime Survey, 28% of cybersecurity incidents were blamed on current or former employees, contractors and other trusted parties. Almost a third said such incidents cost more or inflicted more damage than outside attacks.

Reass, a former title company owner, used to perform escrow reconciliation once a month, but with up to $80 million running through escrow, he knew he needed a system that could run the checks and balances on a daily basis, so he created one.

“Our system addresses that problem,” he said, noting that RynohLive identifies and prevents escrow theft, wire and ACH fraud, stops employee embezzlements, and eliminates check fraud and disbursing errors. “You need to balance your checkbook and make sure nobody is putting their hands in the cookie jar.”

SAFEGUARDING PERSONAL DATA

The title and settlement industry traffics in some of the most toxic nonpublic information imaginable, and until recently has not been aware of or instituted best practices regarding information security, according to Chris Gulotta, founder and CEO of Real Estate Data Shield Inc., a provider of security compliance solutions.

The 1003 uniform residential loan application requires buyers to list the last things they’d want data thieves to know: date of birth, Social Security number, bank account information and credit card numbers, just to name a few.

There were about 5 million mortgage transactions last year with each involving about 10 pages of documents that contain consumer nonpublic information. Add that to the seven years’ worth of documents that must be retained and it’s easy to see how a title company’s data is a hacker’s dream.

“That data is at risk whether it’s in motion or at rest,” he said.

Gulotta launched Real Estate Data Shield in 2012 to create an awareness of the Gramm-Leach-Bliley Act and the Federal Trade Commission’s Safeguards Rule, which require financial institutions that are significantly engaged in financial transactions to safeguard sensitive data.

While banks and other financial institutions started embracing things like clean desk policy, document destruction and security safeguards in the early 2000s, these practices didn’t immediately trickle down to the vendors that work between the lender and the borrower.

In reaction to that, in 2012 the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau and the Federal Deposit Insurance Corp. all released stricter standards for lender oversight of third-party vendors.

“If a title company in Chicago has 18,000 files breached digitally or physically, it’s not that company that’s going to make it to the cover of the Wall Street Journal — it’s Wells Fargo,” Gulotta said. “They have reputation risk and monetary risk and that small agent is not going to have the resources to overcome the data breach. So who’s left cleaning up that mess?”

Four large financial institutions — JPMorgan Chase & Co., Bank of America, Citigroup and Wells Fargo — will collectively spend $1.5 billion on cybersecurity annually, according to a Forbes article. But the average title and settlement company has seven to 10 employees, and typically can’t spend six figures on security training. 

Gartner Inc. reports that chief information security officers are increasingly turning to educational security awareness solutions to help improve organizational compliance, expand security knowledge and change poor security behaviors.

Gulotta designed an industry-specific training program to weave privacy and data security into the daily workday of an agency. The goal is to change the behaviors of professionals, typically aged between 35 and 70, who have never had to embrace security compliance.

“The title and settlement industry can’t hide any longer, and if you’re not really committed to compliance, you’re going to be vetted out by the lenders or you are going to suffer some type of data or monetary incident,” he said.

COMPLIANCE IS THE NEW MARKETING

Because cybersecurity is so important to lenders, third-party vendors who deal with sensitive information should be doing everything they can to become compliant and then shout that from the rooftops.

“Compliance is the new marketing – that’s what you want to be telling your lenders,” Gulotta said. “Tell them ‘I know the OCC and CFPB are putting you under enormous pressure to make sure your vendors are compliant. I invested $25,000 or $50,000. I am information security certified. I am best practice certified. I may not be as secure as American Express and Citibank, but relative to my size and complexity, which is the FTC’s guidance here, I’ve achieved these thresholds.’”

He recommends taking that to lenders and asking for more market share based on the premise that the company is a safe vendor who’s invested from its own pocket to protect the lender from regulators.

Many lenders are now requiring proof of ALTA Best Practices Certification that’s verified from an independent third party, often on an annual basis. One of these independent companies, Security Compliance Associates, has conducted security assessments on more than 100 title agencies, and has recently tripled its revenue from this industry sector. 

Upon successful completion of an information security program assessment and remediation activities, SCA will issue a certification document.

“Early on, when we first moved into this industry, 99.5% were not equipped or prepared for it,” said Matt Froning, SCA’s chief information officer. “That has been steadily improving over the last couple of years. People are starting to understand the importance of information security and their role in protecting clients’ data.”

SCA assesses a title firm’s current environment, including its physical security, to ensure that documents aren’t lying on desks and that a limited number of people have access to servers. The company also examines technical vulnerabilities, security policies, business continuity and discovery plans and other procedures. Froning describes the assessment as a multiphase process designed to help companies become compliant and meet best practices.

“Once we provide recommendations on how to reduce risk, it’s up to them to work within their office and with IT staff to close those holes,” Froning said. “The key is staying focused on it and getting buy-in not just from management, but staff as well.”

How much an organization spends to become compliant depends on its size and individual circumstances. A large agency with multiple offices in several states, for example, will need to spend more than a smaller agency with a handful of employees.

Reass of RynohLive poses it this way: “Is my title company worth more than $50,000?” He estimates, at a minimum, that’s what it will cost, not only to complete the certification and compliance process, but also to fill gaps in servers, firewalls or internal controls.

Froning said the cost on an annual basis is not as expensive as one would think, as long as companies continue to maintain what they’ve put in place.

Even if all the right controls are in place, a data breach can still occur. If a regulator sees that written policies weren’t being followed, it will cost the title agency not only fines and additional oversight, but also reputation damage and lost business.

Many smaller agencies are choosing to fold or merge under the umbrella of larger companies with deeper pockets. Reass said that in 2014, of his 1,500 attorney and title companies, 22 went out of business and two merged. Last year, he lost 56 clients, with the majority of them merging and fewer than 10 closing. He attributes the consolidation to the compliance squeeze, and the fact that some lenders are bringing the title function in-house to regulate it more closely.

“It’s a tough time to be in this business,” he said.

Pfaff of Olympic Peninsula Title acknowledges times have changed and that phishing and hacking are part of her new reality. She also tried to do her part to learn more about her recent wire hacker so she could report it to the FBI. She played along and dummied up a wire transfer notification that required him to click on a fake hyperlink. Pfaff was able to capture his IP address and information on two bank accounts, but she’s frustrated that the FBI might not follow up since cyber fraud is so rampant.

“We’re all very cognizant of liability on our end,” she said. “We’ve followed suit using as much technology as we can find to protect the private nonpublic information for all our clients, and not be the source of the problem.” 
