Wire Fraud in Real Estate Transactions Craig Goldenberg Senior - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Wire Fraud in Real Estate Transactions

Craig Goldenberg Senior Division President

slide-2
SLIDE 2

Craig Goldenberg

Senior Division President – Direct Operations in ME, NH, NY, NJ, MD, DC, VA
Division President of New York Direct Operations
CIO of Stewart Title Insurance Company
Email: Craig.Goldenberg@stewart.com
Phone: 212.922.0050

slide-3
SLIDE 3

Why are we talking about it?

Maryland, August 2017: The FBI says fraudsters used fake emails to fool a settlement company into wiring them the proceeds of the sale of a couple’s home. Amount lost: $411,548.

New York, June 2017: A judge trying to sell her apartment received an email she thought was from her real estate lawyer telling her to wire money to an account. Amount lost: $1 million.

Washington, D.C., May 2017: The homebuyers sued the title company for the lost money, but also close to $5 million for an alleged violation of the RICO Act. The title company, which denies it had anything to do with the money going missing, said that it immediately contacted the FBI when the attack was discovered. Amount lost: $1.57 million.

slide-4
SLIDE 4

Why are we talking about it?

Colorado, March 2017: A couple, who lost their life savings while trying to buy their dream retirement home, has filed suit alleging that none of the companies involved in the transaction, including a title company, did enough to protect sensitive financial information. Amount lost: $272,000.

Minneapolis, September 2016: A retired couple hoping to buy a townhouse to be closer to their grandchildren received an email that looked like it came from the title company with instructions to wire money before the closing. They did. The email was fake. Amount lost: $205,000.

slide-5
SLIDE 5

Why are we talking about it?

  • Real estate transaction schemes increased 480% in 2016
  • NY was 4th largest state in 2016 by number of reported victims – 16,426
  • NY was 2nd largest state in victim monies lost in 2016 at $106M
  • By category Real Estate fraud had 12,500 victims in 2016 worth $47M
  • Online bank accounts takeover increasing by 150% annually.
  • Hackers creating over 57,000 fake (virus filled) websites weekly.

slide-6
SLIDE 6

“There are only two types of companies: those that have been hacked & those that will be. Even that is merging into one category: those that have been hacked & will be again”

- Robert Mueller, Former FBI Director
slide-7
SLIDE 7

Terminology

slide-8
SLIDE 8

Terminology

Social Engineering

Psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access.

…it is much easier to fool someone into giving you their password than it is for you to try hacking their password

slide-9
SLIDE 9

Terminology

Social Engineering examples

  • Spoofing
  • Phishing
  • Spear Phishing
  • Clone Phishing
  • Pharming
  • Vishing
  • Smishing
  • BEC/EAC

slide-10
SLIDE 10

Spoofing

Email information is masked in an attempt to trick recipients into believing the message came from someone else.

slide-11
SLIDE 11

Phishing

The attacker recreates the website or support portal of a renowned company and sends the link to targets via emails or social media platforms.
slide-12
SLIDE 12

"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."

"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information. Failure to act immediately…"

"Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund."

slide-13
SLIDE 13

Spear Phishing

Email or electronic communications scam targeted towards a specific individual, organization or business

slide-14
SLIDE 14

Clone Phishing

A previously sent legitimate email is resent to the recipient, but with a malicious attachment or link

slide-15
SLIDE 15

Pharming

An attack intended to redirect a website’s traffic to another, bogus site

slide-16
SLIDE 16

Vishing

Tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Can be used in conjunction with spear phishing for greater effectiveness

slide-17
SLIDE 17

Smishing

Uses mobile phone text messages (SMS) to trick victims into taking an immediate action

slide-18
SLIDE 18

BEC

Business Email Compromise

Scam targeting businesses that regularly perform wire transfer payments.

slide-19
SLIDE 19

EAC

Email Account Compromise

Similar to BEC but targets individuals rather than businesses

slide-20
SLIDE 20

Anatomy of Wire Fraud

  • Agent, broker, seller or buyer receives phishing email
  • Criminal compromises user email account
  • Criminal monitors and reads all user emails
  • Last minute, adversary modifies wiring instructions (Original Bank → New Bank)
  • Banks and accounts are substituted for a “mule” account
  • Criminal collects the money

slide-21
SLIDE 21

BEC/EAC is here to stay

  • 2,370%: Increase in exposed losses from BEC from January 2015 to December 2016
  • $5,302,890,448: Dollar amount of exposed losses from 2013 to 2016
  • BEC has affected people in all 50 states & in 131 countries

slide-22
SLIDE 22

BEC/EAC Why does it work

  • Sense of urgency, bad timing
  • Take advantage of the “weakest link”
  • Distracted, Overworked, Disengaged Employees
  • Similarity in tone & wording but with noticeable differences
  • Takes advantage of natural trust

In a social engineering test, 50% of a lender’s employees click on a phishing email. 20% click on an attachment or grant permissions to enable macros or other highly dangerous behavior. 5% of the employees are “serial” clickers…they click on everything

slide-23
SLIDE 23

How do we defend ourselves

slide-24
SLIDE 24

How to defend ourselves

  • IT hardening – Security Stack
  • Various layers of perimeter and network security designed to prevent data breaches and hacker exploits
  • Endpoint monitoring to rapidly identify a security flaw/breach and allow for immediate response and remediation

90% of breaches and hacker exploits start with social engineering. Humans remain the most vulnerable link in information security

slide-25
SLIDE 25

How to defend ourselves – Security Stack

  • Register all company domains that are slightly different than the actual company domain
  • Establish a company domain name, avoid free web based accounts
  • Two Factor Authentication Email
  • Do not use Hotel & Public Wi-Fi
  • Do not commingle personal assets with work
  • Use Corporate VPN
  • Use Personal VPN
  • Set Passcodes on mobile devices
  • Passwords…
slide-26
SLIDE 26

How to defend ourselves – Phishing Detection

  • Misspelled email domains
  • Double letters
  • Look-a-likes
  • Vowels replaced
  • Grammar Problems
  • Sense of Urgency
  • Similar (but not the same) emails
  • Foreign Bank
  • Weekends and Holidays
  • Emailed change in instructions
  • New beneficiary

Examples: Steewart.com, Bankofamerica.om, Youtube.om, Facebookc.om
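
The domain cues on this slide (double letters, replaced vowels, look-alikes) and the earlier advice to register domains slightly different from the company's own can both be checked mechanically. The following is an added example, not part of the original presentation: it compares a sender's domain with an assumed allow-list `TRUSTED` using edit distance; the function names, threshold and sample addresses are constructed for illustration.

```python
# Added example: flag sender domains that are near-misses of trusted ones.
# TRUSTED is an assumed allow-list; the threshold is illustrative.
TRUSTED = {"stewart.com", "bankofamerica.com", "youtube.com", "facebook.com"}
VOWELS = set("aeiou")
MAX_DISTANCE = 2  # edits tolerated before a domain counts as unrelated

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def cue(domain, trusted):
    """Name which cue from the slide explains the difference (heuristic)."""
    if len(domain) == len(trusted):
        diffs = [(x, y) for x, y in zip(domain, trusted) if x != y]
        if len(diffs) == 1 and set(diffs[0]) <= VOWELS:
            return "vowel replaced"
    for i in range(1, len(domain)):
        if domain[i] == domain[i - 1] and domain[:i] + domain[i + 1:] == trusted:
            return "double letter"
    return "misspelled or look-alike domain"

def check_sender(address):
    """Return (verdict, nearest trusted domain, cue) for an email address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED:
        return ("trusted", domain, None)
    nearest = min(sorted(TRUSTED), key=lambda t: osa_distance(domain, t))
    if osa_distance(domain, nearest) <= MAX_DISTANCE:
        return ("lookalike", nearest, cue(domain, nearest))
    return ("unknown", None, None)

if __name__ == "__main__":
    # Constructed sender addresses using the domains shown on the slide.
    for sender in ("closing@Steewart.com", "wires@Bankofamerica.om",
                   "a@Facebookc.om", "a@stewert.com", "a@stewart.com"):
        print(sender, "->", check_sender(sender))
```

A "lookalike" verdict is a reason to verify wiring instructions through a known phone number before acting; an "unknown" verdict only means the domain is not close to anything on the allow-list.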

slide-27
SLIDE 27

How to defend ourselves – Phishing Prevention

  • Hover over links to view URL, do not click
  • Double check email addresses in header of email
  • Know the habits of your customers, including the details of, reasons behind & amount of payments

  • Do not use “Reply” option, use “Forward” and type email address of recipient
  • Slow it down – does it really have to go out now
  • Assume email has already been compromised
slide-28
SLIDE 28

How to defend ourselves – Phishing Prevention

  • Don’t be so open on social media
  • Be careful what you post on company websites, especially job duties & descriptions, hierarchal information & out of office details

  • Know the habits of your customers
  • Have I been pwned? https://haveibeenpwned.com/
slide-29
SLIDE 29

How to defend ourselves – Phishing Prevention from the Enterprise

  • Increase training & awareness
  • Establish & Communicate verification process with clients
  • Limit number of employees within a business who have authority to approve &/or conduct wire transfers
  • Identify your “crown jewels”
  • Restrict access to Non-Public Personal Information to authorized employees who have undergone background checks

  • Establish plan for disposal and maintenance of Non-Public Personal Information
slide-30
SLIDE 30

Wire Fraud Happened, Now What?

slide-31
SLIDE 31

Wire Fraud Happened, Now What?

  • Contact the financial institution immediately upon discovering the fraudulent transfer.
  • Request that the financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
  • Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
  • File a complaint, regardless of dollar loss, with Internet Crime Complaint Center www.ic3.gov or, for BEC/EAC victims, bec.ic3.gov

slide-32
SLIDE 32

Recent Changes in New York

slide-33
SLIDE 33

Regulations guiding our industry

  • Gramm-Leach-Bliley Act (GLBA) 1999
  • Safeguards Rule, which stipulates that financial institutions must implement security programs to protect private financial information
  • Cybersecurity Regulation (23 NYCRR Part 500)
  • Requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk.

slide-34
SLIDE 34

NYDFS Cybersecurity Regulation Who is covered

  • Licensed lenders
  • State-Chartered Banks
  • Trust companies
  • Service Contract Providers
  • Private Bankers
  • Mortgage Companies
  • Insurance Companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

slide-35
SLIDE 35

NYDFS Cybersecurity Regulation Who is exempted

  • Fewer than 10 employees
  • Less than $5 million in gross annual revenue for three years
    or
  • less than $10 million in year-end total assets
slide-36
SLIDE 36

NYDFS Cybersecurity Regulation To be compliant

  • Establish an effective cybersecurity program
  • Create and maintain a written cybersecurity policy
  • Designate a Chief Information Security Officer (CISO)
  • Hire qualified cybersecurity personnel or utilize third party providers

  • Establish an incident response plan
slide-37
SLIDE 37

NYDFS Cybersecurity Regulation To be compliant

February 15, 2018

  • Covered entities must submit their first certification of compliance
  • CISO must file cybersecurity report
  • Regularly conduct penetration testing and vulnerability management

  • Conduct Bi-annual risk assessments
slide-38
SLIDE 38

Questions