Hacked, Scammed, Spoofed, Spear-Phished: no matter what you call it—these are really just other names for Business E-mail Compromise (BEC) or E-mail Account Compromise (EAC). It’s a crime on the rise, targeting businesses that regularly perform wire transfer payments—such as title companies. According to the FBI, from 2013 to 2016, the number of BEC scams skyrocketed more than 2000 percent. Victims lost an estimated 1.5 BILLION dollars.
The fact is, real estate transactions are especially attractive to cyber-criminals. In the last two years, the FBI’s Internet Complaint Center has seen a 480 percent increase in the number of business email compromise scams reported by title companies. That’s the bad news. The good news– BEC can be prevented. While we take every precaution to protect our clients at Landmark Title, it is most important to understand and learn how to protect your own accounts as well.
Taking a closer look at Business Email Compromise (BEC)
The FBI reports that it can take a variety of forms:
- Social Engineering: Social engineering is the art of gathering information, mining data from social media and other sources and using it to manipulate people into giving up confidential information—such as passwords or bank account information.
- Spear-phishing: This comes under the umbrellas of social engineering. It’s differs from regular phishing in that the attackers have used social engineering to gather information about the intended target, so they can personalize the spear-phishing attack. Criminals send email-spoofs to a specific individual, requesting sensitive information, such as account numbers and passwords. The emails appear to come from a trusted source and look quite real.
- Identity Theft: This is the crime of using someone else’s personal information and credit history to buy things or borrow money.
- Use of malware: Spoof emails often contain a malicious link to a website set up to trick you into giving sensitive information such as passwords, credit card information or other account data. Sometimes a spoof email, when opened installs malware right onto your computer, which then gives hackers access to your most private information.
How Business Email Compromise works
As we mentioned, real estate settlements often involve wire transfers of payments, and make a very attractive target for scammers. This is generally how it works: criminals follow information about upcoming real estate transactions online on the MLS or in public records. They use whatever information they have obtained to send a spoof email to the buyer. The e-mail informs the buyer that there has been a last-minute change to the wiring instructions. The buyer is then instructed to wire the closing costs to a different account, which actually belongs to the scammer. If the buyer falls for it, thousands and thousands of dollars can disappear in a matter of minutes.
These cyber-attacks have grown in their sophistication and ability to manipulate, but they can be prevented. It requires that each party involved in the transaction take an active role in stopping the theft before it starts. The FBI offers these prevention tips.
Know your stuff. Understand each step in the settlement process from start to end. If there is something you don’t understand or makes you uncomfortable, speak up. Ask questions until you get it.
- At the beginning of a transaction, set up a contact log. This should contain the contact information for the principals involved: title agent, lender, real estate broker or agent, attorney, seller and buyer.
- Do not use phone numbers and links in emails. Only use the information in the contact log to send a communication.
- Scrutinize emails that ask for sensitive information or request that funds be transferred.
- Verify the authenticity of any request to wire or send money.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Avoid using public wi-fi even if it is protected by passwords.
- If you have to use public wi-fi, use a virtual private network to encrypt data.
- Keep all devices updated with the latest versions or releases to protect against vulnerabilities in security.
- Verify any fund transfers immediately.
For Title Companies and Real Estate Agents:
- Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
- Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchal information, and out-of-office details.
- Use additional IT and financial security procedures. This includes implementing two-factor authentication for corporate e-mail accounts and to verify significant transactions.
- Arrange this two-factor authentication early in the relationship and not through e-mail. You want to avoid any chance at this information being intercepted.
- Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments.
- Do not use the “Reply” option to respond to any business e-mails. Instead, use the forward option and type in the correct email yourself.
- Be suspicious of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent.
- Create intrusion detection system rules that flag e-mails with extensions that are similar to the company’s email address.
Landmark Title Agency works with all participants in a commercial and residential real estate transactions to help make sure your information and processing is kept as secure as possible. This requires constant attention to our best practice regarding security and staying up to date on all the latest BEC/AEC scams. Remember, this is not a case of a company website being hacked and your data being taken, these scammers are posing as companies to get you to hand over your own information. If you have any questions or concerns regarding the security of your real estate transaction, please call us at (602) 768-2800 or visit our website.