If a fraudster wants to try to convince a home buyer to wire the down payment for their new home to a fake account, they need two things to do it well:
The problem the industry is currently facing is that all of the communication about a home purchase occurs over email, and if anyone on a single group email account is compromised, the fraudster has all the ingredients they need to swoop in right before the purchase and convince the buyer to wire their down payment to a different account.
Title companies have fought back against this fraud by creating email signatures that say OUR COMPANY DOES NOT CHANGE ITS TITLE INSTRUCTIONS! This signature helps, but clever fraudsters have still been able to convince buyers to wire the money to the wrong place through confusion and other tricks. If the home buyer doesn’t alert their bank and the FBI within 24 hours, the money is likely lost forever. Reputations are tarnished all around, but the real weight of the loss falls on the buyer.
Whichever software the title company uses, be it ResWare, Qualia, SoftPro, or one of the many others, most communication is done over email. In these transactions, there are always at least three parties involved: The title company, the realtor, and the buyer. Let’s pretend that we are criminals, and we want to steal the down payment on a home purchase. Who should we go after?
If we could trick the title company, we would be in for a massive payout. A medium-sized title company is responsible for 10-100 wire transfers per day. However, they have lots of security protocols in place. Multi-factor authentication is enforced. Email authentication protocols like SPF, DMARC, and DKIM records make it hard to spoof their email addresses. Their insurers require firewalls, disaster recovery plans, and audits. An employee who has worked there for any duration has seen and heard of lots of different types of attempted scams so they’re not likely to fall for it. It would be difficult to compromise a title company's security.
How about the buyer? They are the source of the cash, but it’s hard to obtain enough buyers’ email addresses to make our efforts worthwhile.
And then there’s the realtor. Some real estate companies take security very seriously. These agencies employ realtors with their own @domain.com email addresses, so they can enforce multi-factor authentication, investigate suspicious login attempts, provide secure computers, and stop an attacker from setting up email forwarding. This approach is becoming less popular, however, in favor of the ‘Agent-Centric’ business model. In this environment, the parent company provides public PCs, printers, and office space to smaller realty companies. In exchange, the smaller companies pay a portion of their sale commissions for access to these resources and help with the paperwork.
Small realty companies that work in this environment are juicy targets. Shared computers and network drives at these offices can be security nightmares. Their success relies heavily on communicating with lots of people and opening email attachments, which are inherent risks. Once an account is compromised, a stealthy attacker can set up forwarding rules to a new email address; this means that even if the realtor changes their password, the fraudster will still be able to read all the realtor’s incoming mail.
So, what else can each of the three groups do, to combat wire transfer fraud?
Title Companies
Realtors
Buyers
By taking a few extra precautions, all three parties can work together to produce a much better outcome for their reputation, and the buyer’s hard-earned cash.
We believe in the power of proactive IT management. That’s why we provide comprehensive monitoring, security, and support to keep your business running smoothly and securely.