Every month, we host a Fraud Briefing webinar where our CEO, Tom Cronkright, discusses the latest fraud trends, security best practices, and ways to protect your company and customers.
In this article, we are going to answer 5 questions that were asked during the Q&A after the Wire Fraud Playbook Webinar. You can watch the full Wire Fraud Playbook Webinar here.
Are fraudsters using real email addresses or is the email address always a tip-off?
In order to answer this question, we have to discuss the difference between being impersonated and truly being hacked. If it’s hacked, then it’s coming from the actual email. That’s what we’ve seen most frequently is that someone is hacked. For example, in the Bain case, it came from the seller’s email account, the wiring instructions that went to the buyer, and then the buyer was defrauded. We’ve also had situations where a mortgage broker’s email was compromised and revised CDs and instructions were being sent to the closing parties.
A spoofed email is one that looks really similar. So for example, instead of suntitle.com, a hacker could register a domain suntitles.com. Or, they could register, rather than the L in “Title” they could register an I. So it looks like it is coming from the right company, but it’s not. If you’re being spoofed it’s a good indication that you’re not hacked, and that someone else in the transaction is hacked and is being influenced by that communication.
To answer the question directly, we’re seeing both. We’re seeing companies hacked and fraudsters have control over the email. They’ll write scripts that any email communication in this fraud chain get dumped into a deleted folder, or swept away so the actual account holder can’t see it. But also we’re seeing next level spoofs where you hover over the email address in your email client, it looks like it’s coming from ABC Bank or ABC Title. But you have to dive a little further in to see the root domain of it – it’s called second-level masking.
We receive many phishing emails, but we are safe as long as we don’t click on them, right?
Absolutely. This is a situation where training and education is our best line of defense, internally and externally. We’ve got to train our staff. If you’re not expecting an email, or the email just seems out of the ordinary, the timing of the email seems odd. All those things need to be red flags. Before you click on an attachment send it to your IT provider and make sure it’s clean. Education and sending the emails to your IT provider are the best things you can do because sometimes just clicking on it you could install a little piece of software called malware. After the malware is installed, they can monitor keystrokes, sessions and screen views.
How many mortgage payoff frauds were there where the title agency was held responsible?
Here’s the maddening thing about fraud right now, is that we’re not talking enough about it. So what I’m about to say just you could multiply probably by 100, maybe 200 around the country, maybe even more. People just aren’t raising their hands saying, “Yeah, I sent money to a fraudster thinking I was sending it to ABC Bank.” So I know of at least a half a dozen successful mortgage payoffs that were diverted last year based on just the communications that we’ve had directly with customers. I’m sure the FBI has seen hundreds and hundreds more.
So I’m hoping that this is the year where we as an industry come out and say, “You know what? We didn’t create the problem. The problem isn’t going away. Let’s have a more honest timely conversation with everyone about what this means,” internally and externally. Just because you had a fraud attempt or you were being profiled or you had a near miss, it’s not your fault. You’re just doing business.
Why aren’t banks able to actually verify identity? How are they letting fraudsters open fake accounts?
I don’t mean to be too cavalier about this, but the “know your customer” rules under Dodd-Frank simply aren’t working. I could go into the dark web, and for depending on the profile and the person I’m trying to impersonate, $15 to maybe $40 on the high side, and I could have every piece of information on an individual that I’d like. What’s interesting is when the bank is in front of you and you’re doing this kind of weird conversation to meet their “know your customers”, they don’t have a picture of you on their screen. So you could present to them a fake driver’s license and a second form of a fake ID, along with anything else that they have made, and you’re gonna get account access. The same is true if you’re doing the account access online.
What are the risks of accepting cashier’s checks?
Cashier’s checks are great if they’re drawn on the right institution, okay. So the challenge, if you’re in a table-funded state, if I’m taking a cashier’s check in at closing. I’m taking it in and I’m going to deposit it. Tt’s likely not going to clear the Federal Reserve for between three and seven days depending on where it’s drawn. That’s what we learned. It’s no different than a personal check these days. There’s no such thing as certified funds anymore. It’s the same as a starter check.
So you just have to season that in your account, make sure it’s fully iron-clad clear, I mean cleared through the Federal Reserve before you wire against it. Because you know the dirty secret is I take in a check and then I wire out a few hours later, I’m not wiring funds off that check. I’m wiring funds off a check that had cleared yesterday or the day before. So that’s the risk. Haven’t found the ability, to certify the sequence, the integrity, and whether or not the check has absolute good funds. So we deposit it and we have to let it season for 10 days.