Twenty days after selling his house, Rich Hopen received an alert from his bank about the monthly mortgage payment for the house he no longer owned.
Confused, Hopen called his mortgage lender to try and understand what happened – only to learn that the lender had never received his mortgage payoff. Instead, his $239,000 had been stolen by a criminal committing wire fraud. And if it could happen to Hopen, a Redfin real estate agent himself, it could happen to anyone.
Wire fraud is an escalating problem for those in the real estate and mortgage space, and a category of crime that merits more attention. According to the Coalition to Stop Real Estate Wire Fraud, email phishing scams targeting real estate transactions increased by 1,100% between 2015 and 2017. Between 2017 and 2018, Federal Bureau of Investigation data shows a 166% increase in the amount of money lost due to real estate wire fraud in the United States – the FBI’s Internet Crime Report shows that 11,300 victims lost nearly $150 million in 2018 alone.
That’s a lot of money, much of which was taken directly from borrowers who thought they were wiring over funds to secure their dream home and instead lost, in some cases, their entire life savings.
The home-buying process is attractive to fraudsters due to the amount of money involved and the many parties included in the transaction. Relatively speaking, it doesn’t take much work for cyber criminals to profit off homebuyers. Whether criminals use email spoofing, phishing or account takeover, if they find one weak link among all the participants, they can make a great deal of money all at once.
“I think that’s why this is going to become kind of a meaty and interesting subject for bad actors, because it only takes one account to get a really good payday,” said Kim Smathers, head of information security at Snapdocs. “You don’t have to go and breach a system. You’re breaching non-technical people. Notaries are not very technical; consumers are not very technical.”
Cyber criminals use a few methods when conducting real estate wire fraud. In email spoofing, criminals mislead targets with emails that seem like they’re coming from a legitimate source – the notary, for example – falsely alerting the target of “new” or “changed” account information for the transfer of their funds. All the criminal has to do is make the email look legitimate enough to convince the homebuyer to send money to their account instead of the account originally indicated by the notary, and they capture a lot of money in one fell swoop.
A criminal has the option to phish any participant in the mortgage transaction by emailing them bogus links that look legitimate but allow the criminal to capture the participant’s login information. If in one situation a real estate agent’s account is compromised, a criminal could log in and find all the information they need to convince buyers to transfer funds to their fraudulent account. The same situation could happen if a notary’s login credentials are compromised, with criminals potentially diverting the mortgage funds for a lot of people by breaching just one account.
Who’s talking about wire fraud?
While the problem of wire fraud is growing exponentially, awareness of the issue is not, with few borrowers understanding the looming threat and how to protect themselves. The Coalition to Stop Real Estate Wire Fraud aims to combat that by educating homebuyers, real estate and mortgage professionals and legislators about the issue.
“One of the drivers behind the coalition was, we’ve got to get everybody in the ecosystem talking about this,” said Mary O’Donnell, president of the American Land Title Association, which partners with the coalition. She said that sometimes, professionals and consumers in the early stages of a mortgage transaction may not be aware of wire fraud unless they know someone who’s been affected by it.
However, while information and education for consumers and professionals is “absolutely critical” when it comes to preventing wire fraud, O’Donnell said the industry needs to go further than simply raising awareness of the issue.
“Sometimes we talk about data privacy, but I do think what we need to focus on is data protection, which is actually slightly different. The consumer thinks about data privacy – privacy of their personal information – and that’s important,” she said.
However, she explained that the industry has to look at how it operates and how the consumer is protecting their own data. There’s an overarching need for everyone involved in the transaction to assess how data is being protected.
What preventative actions could help?
The mortgage process encompasses one of the most important financial transactions of a consumer’s life and involves a lot of sensitive data – as well as large amounts of money changing hands.
“The thing that bothers me the most is the lack of comprehensive controls from a governing body that you would expect to see around this,” Smathers said. “I think it’ll come but I just don’t think that it’s there yet.”
She cited the Payment Card Industry Data Security Standard (PCI DSS) as a set of regulations that the mortgage industry could take as a model for its own financial transactions. The PCI DSS is a set of security standards with which all companies that accept, process, store or transmit credit card information are required to comply.
Smathers explained that if there was a regulatory body with PCI-like requirements that said companies had to protect accounts with fraud protection and audited companies based on this, companies would have something to hand to a consumer or lender to prove that they were certified in managing their accounts and data for fraud.
Smathers anticipates that this sort of regulation will come to pass “if there are enough complaints around this type of fraud,” noting that the regulation could be handled by the Consumer Financial Protection Bureau or added to the Gramm-Leach-Bliley Act. The act requires financial institutions to explain their information-sharing practices to their customers and to protect sensitive data. As part of the Federal Trade Commission’s implementation of this act, the commission issued the Safeguards rule, which requires financial institutions under its jurisdiction to have a written information security plan that describes their program to protect customer information.
“The vendors that are going to be able to offer that [type of fraud protection] are the ones that are going to ultimately rise to the top,” Smathers added.
Hopen said that any party involved in the sending or receiving of wire transfers should purchase and use two-factor authentication software to help verify that the wiring transfer instructions are correct and that the funds are set to be transferred to the right account.
“Right now, the best practice is verification with phone calls and a back-and-forth to make sure you have the correct wiring instructions, but that is rife with so many problems,” he said. “Very few people do that, and they’re confused by it. But there’s software out there that allows you to do that.”
O’Donnell said the coalition is working with regulators to see what can be done to protect consumer data and money. One tactic that the group thinks would be “enormously helpful,” she said, would be to implement payee matching on wire transfers at the financial institution level.
With mandatory payee matching, financial institutions handling wire transfers would be required to check that the name given for the account matches the name associated with the account number. This practice would potentially stop fraudulent wires from going through, as the name on the fraudster’s account number would not match the name or institution associated with the legitimate wire transfer.
O’Donnell said she has done quite a bit of work speaking with regulators and lobbying to have this become a mandatory practice.
“This is a very simple fix that’s not required today by the Federal Reserve as part of the wiring process,” she said. “It wouldn’t eliminate [wire transfer fraud], but it would absolutely, we believe, reduce significantly the amount of these that actually go through.”
Hopen also cited payee matching as an action that could have prevented his own wire fraud experience. “It’s absolutely crazy to me that a bank can accept the wire deposit and they don’t need to check the account number with the account holder. If that had happened in my situation, the money would not have been deposited in the wrong account.”
He acknowledged that regulation and legislation are a big undertaking but said he believes change will happen faster once more parties are held professionally responsible for wire fraud taking place and face consequences as a result.
“When a company or an industry starts being held liable, and there’s a financial cost to that, that will change behavior,” Hopen said.
What are those in the industry currently doing to prevent wire fraud?
In the meantime, there are methods by which companies are actively working to prevent wire fraud.
Snapdocs is working with security experts to add fraud detection and account takeover prevention to its platform logon experience, Smathers said. Part of the fraud detection element would involve checking information from a user’s login session – including geolocation, IP address and the hardware signature of the phone or computer used – against a database that includes hardware signatures for devices that have been identified in previous fraudulent activity.
On the title and settlement side, O’Donnell said that one of the ways some companies try to help consumers protect themselves is by using encrypted email protections to protect the flow of financial information and by including a consumer warning about security and fraud at the bottom of every email. Education for consumers and professionals remains critical as well.
At the time of the wire transfer itself, title companies will send notices to the consumer and real estate agent to let them know that the company will not alert people of changes via email, O’Donnell said – a vital reminder, as so much of wire transfer fraud happens because people trust fraudulent emails without question.
Companies urge their consumers and partners in the mortgage process to call and verify instructions verbally with people on staff. The importance of people picking up the phone to verify wire transfer information with their notary or title company could not be stressed enough, O’Donnell said.
What can borrowers do to protect themselves?
The Coalition advises borrowers to stay vigilant and protect their money during the buying process, recommending the following actions:
- Confirm wiring instructions by phone by calling a known number before transferring funds. Don’t follow phone numbers of links from an email.
- Be suspicious of any emails that include changes in wiring instructions and payment information, as title companies don’t usually communicate that information via email.
- When responding to an email, hit forward instead of reply, and type in the recipient’s email address. This can help clarify whether an email came from a fraudulent, spoofed source or the legitimate email address.
- Ask your bank to confirm the name on the account before sending a wire transfer.
- As soon as a wire transfer is sent, call the title company or real estate agent to verify that the funds have been received.
The sooner a consumer detects that their money was sent to the wrong account, the better the odds are that the money can be recovered.
In his list of best practices for wiring money, Hopen notes that home sellers whose mortgage is being paid off should call their mortgage lender immediately after closing to confirm the mortgage payoff was received.
Hopen added that in the situation that the money was wired into a fraudulent account, the following actions should be taken immediately:
- Report the fraudulent wire transfer to the sending and receiving banks.
- Contact the sending bank’s fraud department and initiate a swift recall on the wire. Request a recall of the wire be sent to the receiving bank. Provide the wiring details and ask the bank to alert all other banks that may have received your funds to place a fraud alert or security hold on the funds so they’re not withdrawn or transferred to another account.
- Request the bank initiate the FBI’s Financial Fraud Kill Chain.
- Report any fraudulent activity to the FBI via its Internet Crime Complaint Center – www.ic3.gov and call your local FBI field office to assist in the recovery of your funds.
- Inform all parties in the transaction of the fraud, including the title insurance carrier.
Hopen said he is “continually astounded that this issue isn’t front and center” in all discussions between real estate professionals and their clients. As a result of his own experience with wire fraud, he now takes the time to explain wire fraud and how to prevent it in every consultation he has with a seller or homebuyer.
“That conversation should happen in every single transaction until the problem is addressed with technology or changing regulation,” he said.