Wire Fraud in Real Estate Transactions Craig Goldenberg Senior - PowerPoint PPT Presentation

Wire Fraud in Real Estate Transactions Craig Goldenberg Senior Division President

Craig Goldenberg Senior Division President – Direct Operations in ME, NH, NY, NJ, MD, DC, VA Division President of New York Direct Operations CIO of Stewart Title Insurance Company Email: Craig.Goldenberg@stewart.com Phone: 212.922.0050

Why are we talking about it? Maryland, August 2017: The FBI says fraudsters used fake emails to fool a settlement company into wiring them the proceeds of the sale of a couple’s home. Amount lost: $411,548 New York, June 2017: A judge trying to sell her apartment received an email she thought was from her real estate lawyer telling her to wire money to an account. Amount lost: $1 million. Washington, D.C., May 2017: The homebuyers sued the title company for the lost money, but also close to $5 million for an alleged violation of the RICO Act. The title company, which denies it had anything to do with the money going missing, said that it immediately contacted the FBI when the attack was discovered. Amount lost: $1.57 million.

Why are we talking about it? Colorado, March 2017: A couple, who lost their life savings while trying to buy their dream retirement home, has filed suit alleging that none of the companies involved in the transaction — including a title company — did enough to protect sensitive financial information. Amount lost: $272,000 Minneapolis, September 2016: A retired couple hoping to buy a townhouse to be closer to their grandchildren received an email that looked like it came from the title company with instructions to wire money before the closing. They did. The email was fake. Amount lost: $205,000.

Why are we talking about it? • Real estate transaction schemes increased 480% in 2016 • NY was 4 th largest state in 2016 by number of reported victims – 16,426 • NY was 2 nd largest state in victim monies lost in 2016 at $106M • By category Real Estate fraud had 12,500 victims in 2016 worth $47M • Online bank accounts takeover increasing by 150% annually. • Hackers creating over 57,000 fake (virus filled) websites weekly.

“There are only two types of companies: those that have been hacked & those that will be. Even that is merging into one category: those that have been hacked & will be again” -Robert Mueller, Former FBI Director

Terminology

Terminology Social Engineering psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access. …it is much easier to fool someone into giving you their password than it is for you to try hacking their password

Terminology Social Engineering examples Spoofing Pharming Phishing Vishing Spear Phishing Smishing Clone Phishing BEC/EAC

Spoofing Email information is masked in an attempt to trick recipients into believing the message came from someone else.

Phishing The attacker recreates the website or support portal of a renowned company and sends the link to targets via emails or social media platforms.

"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.“ "During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information. Failure to act immediately…" “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”

Spear Phishing Email or electronic communications scam targeted towards a specific individual, organization or business

Clone Phishing Previously sent legitimate email is resent to recipient however with malicious attachment or link

Pharming an attack intended to redirect a website’s traffic to another, bogus site

Vishing tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Can be used in conjunction with spear fishing for greater effectiveness

Smishing uses mobile phone text messages (SMS) to trick victims into taking an immediate action

BEC Business Email Compromise Scam targeting businesses that regularly perform wire transfer payments.

EAC Email Account Compromise Similar to BEC but targets individuals rather than businesses

Anatomy of Wire Fraud Agent, broker, seller Criminal Criminal monitors and or buyer receives compromises user reads all user emails phishing email email account Original New Bank Bank Criminal collects the Banks and accounts are Last minute, adversary money substituted for a “mule” modifies wiring instructions account

BEC/EAC is here to stay 2,370% $5,302,890,448 Increase in exposed losses from BEC from Dollar amount of exposed losses from January 2015 to December 2016 2013 to 2016 BEC has affected people in all 50 states & in 131 countries

BEC/EAC Why does it work • Sense of urgency, bad timing • Take advantage of the “weakest link” • Distracted, Overworked, Disengaged Employees • Similarity in tone & wording but with noticeable differences • Takes advantage of natural trust In a social engineering test, 50% of a lender’s employees click on a phishing email. 20% click on an attachment or grant permissions to enable macros or other highly dangerous behavior. 5% of the employees are “serial” clickers…they click on everything

How do we defend ourselves

How to defend ourselves • IT hardening – Security Stack • Various layers of perimeter and network security designed to prevent data breaches and hacker exploits • Endpoint monitoring to rapidly identify a security flaw/breach and allow for immediate response and remediation 90% of breaches and hacker exploits start with social engineering. Humans remain the most vulnerable link in information security

How to defend ourselves – Security Stack • Register all company domains that are slightly different than the actual company domain • Establish a company domain name, avoid free web based accounts • Two Factor Authentication Email • Do not use Hotel & Public Wi-Fi • Do not comingle personal assets with work • Use Corporate VPN • Use Personal VPN • Set Passcodes on mobile devices • Passwords…

How to defend ourselves – Phishing Detection • Misspelled email domains Steewart.com • Double letters Bankofamerica.om • Look-a-likes Youtube.om • Vowels replaced • Facebookc.om Grammar Problems • Sense of Urgency • Similar (but not the same emails) • Foreign Bank • Weekends and Holidays • Emailed change in instructions • New beneficiary

How to defend ourselves – Phishing Prevention • Hover over links to view URL, do not click • Double check email addresses in header of email • Know the habits of your customers, including the details of, reasons behind & amount of payments • Do not use “Reply” option, use “Forward” and type email address of recipient • Slow it down – does it really have to go out now • Assume email has already been compromised

How to defend ourselves – Phishing Prevention • Don’t be so open on social media • Be careful what you post on company websites, especially job duties & descriptions, hierarchal information & out of office details • Know the habits of your customers • Have I been pwned? https://haveibeenpwned.com/

How to defend ourselves – Phishing Prevention from the Enterprise • Increase training & awareness • Establish & Communicate verification process with clients • Limit number of employees within a business who have authority to approve &/or conduct wire transfers • Identify your “crown jewels” • Restrict access to Non-Public Personal Information to authorized employees who have undergone background checks • Establish plan for disposal and maintenance of Non-Public Personal Information

Wire Fraud Happened, Now What?

Wire Fraud Happened, Now What? • Contact the financial institution immediately upon discovering the fraudulent transfer. • Request that the financial institution contact the corresponding financial institution where the fraudulent transfer was sent. • Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds. • File a complaint, regardless of dollar loss, with Internet Crime Complaint Center www.ic3.gov or, for BEC/EAC victims, bec.ic3.gov

Recent Changes in New York

Regulations guiding our industry • Gramm-Leach-Bliley Act (GLBA) 1999 • Safeguards Rule, which stipulates that financial institutions must implement security programs to protect private financial information • Cybersecurity Regulation (23 NYCRR Part 500) • Requires supervised entities to asses their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk.