skip to Main Content

Account Takeover: The Activation Point of Wire Fraud

Tom Cronkright, Published on March 13, 2019

This month’s fraud briefing dives into Account Takeover. Watch to learn why this form of Business Email Compromise is so difficult to detect and how you can better prepare your company and customers to reduce your threat.

Sign up for the next CertifID webinar!

Full webinar transcript:

Good morning, everyone, and thanks for attending this month’s Monthly Fraud Briefing. We are going to go over the topic of Account Takeover, which I think you’ll see over the next few minutes together, a half hour or so, that it is absolutely the activation point of wire fraud. Account takeover is actually the most challenging type of profile that we’re seeing from a defensibility standpoint, which is why I wanted to spend some time on it with you.

By way of housekeeping, if you have any questions, please put them in the question feature of the GoToMeeting box. I will make time for any questions at the end. For those that we’re not able to get to, because we typically get flooded with a lot of different inquiries, I’ll go ahead and stitch video together after, and then I’ll send that along with a follow-up. Everybody today will get a link to this day’s session, so please feel free to use this content to train any staff members that couldn’t attend, colleagues, referral partners, even folks that you’re hoping to maybe do business with in the future.

For those of you I haven’t had the privilege to meet, I’m Tom Cronkright. I’m a recovering lawyer by trade. I’m a Wire Fraud Victim and happen to be the Co-Founder and CEO of CertifiD Wire Fraud Prevention Solution that we’re rolling out nationally now. Also, the owner of a large title agency. Just know that as we’re training on these issues of wire fraud prevention and techniques, it’s because we have gone the distance on this issue, and I’ll get to more about what next month’s session is going to cover.

Without further ado, what are we going to talk about today? We’re going to unpack this concept or this definition of Business Email Compromise because it is used a lot in the industry. It is actually one of the issues, wire fraud, now a specific classification that the FBI is tracking separate from other cyber crimes. You need to know the new ones of when you hear about Business Email Compromise, what is it? We’re going to go over account access and how it compromises the transaction. Then, like every other session, we’re going to get into a live fraud example that actually led us to create the CertifiD platform that was so complicated. Then, we’re going to get into strategies and next steps. Every month you get a takeaway for yourself, and your referral partners to educate them on.

Let’s jump in. As always, we have a ton of content to cover, so I just want to recap. In January, we outlined the fraud roadmap. You could see where the steps to committing fraud started with, like profiling a transaction and then they phish somebody within the transaction to try to get credentials or account access. They gain account access, and then that’s where it really starts to turn sideways for all of us in a transaction, because they’re gaining access to the account details, the texture of the transaction and the parties. Most importantly, they’re obtaining information of when funds are going to move and then typically, what time they’re going to move, right down, precise, precise calculated measurements here. They impersonate somebody, they manipulate the mark to wire funds to a fraudulent account.

When we talk about Business Email Compromise, what’s interesting is it consumes about three-quarters of this entire playbook. That’s the challenge, because it collapses … Once you have account access, everything else moves very quickly with the technology they’re using to identify opportunities to divert wire transfers. What is Business Email Compromise? Business Email Compromise is basically where the fraudster leverages the identity of someone in a trusted relationship or somebody that’s trusted in a transaction, to trick someone else into wiring funds. Business Email Compromise, if you think about it, it is the fraud specifically designed to divert, wire or ACH payment transfers. It’s not just real estate-specific. Every single industry in the U.S. is struggling with Business Email Compromise fraud, and that’s why it has risen to the level of the FBI tracking it as a separate cyber crime.

The techniques for Business Email Compromise typically are three, and then I’m going to get into Account Takeover. How are they deploying their schemes? How are they getting people convinced that they’re dealing with the right party, or a trusted party without wire funds to a fraudulent account? Well, they can do it straight with spoofing. If the spoofing is designed and orchestrated well enough, I could trick maybe someone within the organization thinking they’re talking to me, but they’re actually talking to a persona that I created online that’s made to look like me, and you could get someone to directly wire off of a spoof email.

Spear phishing is where now I know, hey, here’s the owner, but I want to spear phish into the controller, or some other aspect of the organization to gain either account credentials, they could gain transactional details. They could be looking for many different pieces of information that otherwise aren’t public. From that information once they gather it, then they could go ahead and defraud someone else in the transaction.

Then malware. I’m going to show you an example of this in just a few minutes. They actually are writing code scripts now that if you open up a PDF, sometimes even if you hover over an attachment, there could be a packet of information that gets written down onto a server. Then from there, that packet, that script, starts to analyze email, starts to screen scrape key log. It goes on and on. What they’re trying to do is they’re trying to wedge their way into the communication, or the data pathways to learn about things that are not public. Current transactions, wiring information, things, like I say, that they’re going to use, to exploit someone in a deal.

Let’s talk about Account Takeover. Let’s pivot to the most challenging aspects that we’re facing right now, and that’s simply when somebody’s email account has been compromised, and the fraudster has access to it. The reason why this is so important is this idea that with at least six transactional parties in a deal … If you think about it you have buyers, sellers, agents on both sides, maybe a lawyer. It could be a split title company issue. You have two title companies, and then you have a lender. You can get up to 10 in the blink of an eye.

All the fraudster has to do is sit in the middle of this digital distance, we call it, and try to penetrate into one account. If they get access to one account, they gain information about the transaction details. Then they can determine, “Hey, this is setting up for a buyer side fraud where I’m going to try to divert the cash to close to a fraudulent account somewhere in Nigeria. Or it looks like we’re paying off an existing lender, so I’m going to defraud the title escrow officer by putting in fake payoff instructions. Or I’m going to impersonate the attorney who is generating a payoff statement for his commercial client on a commercial deal for the net proceeds.”

What I’m saying is when they penetrate that, the fraud might not be clearly in view, but on average, they’re in somebody’s system 180 days before they even act. They have plenty of time, especially if they’re in one of these referral partner relationships where they can monitor the communication of an attorney or an escrow officer or lender and then wait just for the right transaction profile to show up, depending on what type of fraud they’re interested in deploying.

I want to go through right now and unpack an actual fraud example. This is an example, frankly, that was on one of our brands. It was on Sun Title, that’s a title agency that we own in Michigan. It was the fraud that actually led to the creation of the CertifiD platform because it was simply … Well, you’ll see. It was just simply next level. The setup of this fraud … This is the first buyer-side fraud that we had ever seen. It came in at a time when nobody was even concerned about buyers being defrauded when they’re making their cash-to-close payment, because this took place all the way back on Tuesday, October 17 of 2016.

I want to frame that, because if you think about … You’ll see the complexity of this, and the timing of this fraud, but if you think about it, that’s like two and a half years ago, and they have gotten a lot better right now in the texture, in the timing, and even the types of things that they’re including in the communication to make it even more believable to buyers as they’re receiving wire instructions.

The setup is buyer has an agent, we have an escrow officer that is coordinating the transaction, and the buyer, this Tuesday, the 17th, needs to go to the credit union, and he needs to wire his cash to close because we’re closing the next day, Wednesday morning at 9:00 A.M., and we’re a table funded state, so we need good funds sitting in the account. The first communication starts at 9:02 in the morning. Let me back up, because what actually happened was that the realtor received a phishing scam email back in July 2016, replied to it, put in her user name and credentials, put in her credentials using the password for her email account, and it didn’t go anywhere. She remembers that nothing happened after that, so I didn’t think anything of it.

What actually happened is the fraudster gains access to her email, puts a program on her computer, and starts monitoring the traffic for over two, and a half months in real time. Until the fraudster identifies, “Oh, looks like Tim the buyer is going to wire in funds for an upcoming closing.” When you see this kind of split line with the fraudster standing behind, what we’re indicating here is that the fraudster took over the account of the agent. These communications are coming from her actual email account. This is what makes this fraud profile so difficult to not only identify but also to defend against.

The first email comes out at 9:02 A.M. why is that significant? Most frauds, if you look at them, don’t start until after 9:00 A.M. local time in the zone or the area in which they’re deploying the fraud. Why? Well, between the banks and the title companies and the real estate, they’ve learned that people, communications really start to fire up, especially if they’re critical communications after 9:00. Everybody gets coffee, they’re settled in, into the morning meetings. Okay, let’s get to work.

For example, if you saw an email … Let’s say you’re a title provider, and you saw an email from an agent at 4:30 in the morning. That might … And, you should. A bell should go off and say, “Boy, have they ever communicated with me at 4:30 in the morning? Usually, I don’t hear from whatever, Sally or Tim until after whatever the time zone is, the timing is.”

An email comes from Sara’s account directly to my employee, Melissa and says, “Hey, could you send Tim your wiring instructions because he needs to go down to the credit union later today and wire in the cash to close for tomorrow’s closing.” In that email from the agent’s account, but under the control of the fraudster, we didn’t receive the buyer’s actual email, which is the one on the top. We received the one on the bottom, where they put in the number one after his actual email address. Rather than tsmith@gmail, we get tsmith1@gmail.

We send a message to tsmith1@gmail. Oh, I’m sorry. I meant just a few minutes later, before we have a chance to send the wiring instructions, from the tsmith1@gmail, the fraudster, and this is really smart, sends an email from that email address to the same escrow officer saying, “Hey, can you send me wiring instructions?” It confirms in her mind, “Okay, I’m dealing with the right email account.”

We do, we send the wiring information over to basically the compromised identity of the buyer, and then we copy in the agent. What they did is their script that they put on the agent’s computer automatically deleted and removed from history any type of emails coming from our email address. Why did they do that? Because the agent had access in real time to the same accounts on her mobile device. While this was taking place, right in the heat of the morning, they wanted to make sure that she was not apprised or not made aware of these communications.
Then they spoof us. This is the concern, and I’ll speak now to the lenders, and the title providers that are on the session here. We don’t know when we’re being spoofed, and this is our challenge. If somebody’s account is compromised, and I’ve seen compromised accounts from agents, real estate agents, from attorneys, from the title provider, from the lender, everyone is susceptible to this, and then someone else gets spoofed. That someone else is someone that’s trusted in the relationship.

What they did is they actually created a spoofed identity of an escrow officer that looked like they worked for Sun Title. If you look at this, it looks like the identity is exactly the same in the email, but if you open it up in a different browser, what they did is they swapped out the L in title for an I. You actually can’t distinguish this on a mobile device or even if you print it out based on the way that search engines or emails print out. You have to open it up in Notepad, for example, to see the discrepancy.

Now I have, the title company has a real escrow officer and then a spoofed escrow officer. From the spoofed escrow officer email account, the first communication of the day to the buyer is fraudulent wiring information, and this was smart. The fraudster copies in the agent, which ostensibly they’re copying themselves, and then that is automatically deleted, so the agent didn’t see it. In the buyer’s mind, the buyer’s thinking, “Oh, okay. I just received the wiring information. My agent told me I was going to, and I’m going to print this off and head down to the bank.”

Then they do two really smart things here to close the loop, and this is what kind of cast this into next-level social engineering in our minds. From the spoofed buyer to the actual escrow officer is a confirmation that he received the 9:15 wired instructions, the actual wiring instructions. That puts the escrow officer’s mind at ease, that, “Hey, I sent it to the right address, and the buyer confirmed that they’re going to follow the instructions that I sent,” completely disarming the escrow officer.

Then one more to disarm the buyer, where from the agent’s account just a few minutes later, now directly to Tim, the buyer, “Hey, did you see the 9:39 wiring instructions?” The fraudulent ones, but he doesn’t know that. “Make sure you head down to your financial institution before 3:00 so that the wire can post, and we don’t have a delay in the closing tomorrow morning at 9:00.”

This closes the loop now from the buyer, who is comfortable that his agent is saying, “Look, stamp of approval,” and it’s from her account. Again, the escrow officer is just waiting for the wire to post. He prints off the wiring information, and he heads down to, happened to be a credit union on the shores of Lake Michigan, west side of the state. He presents to the branch manager what he thinks are wiring instructions that came from Sun Title.

Through nothing short of just a miracle, something went off in the gut, if you will, of this branch manager, and she looked at the buyer and said, “You know, I can’t point to something, but just something doesn’t seem right in the way that this was provided to you. Here’s an email address. Do you mind sending someone an email, because I know who’s working on this, and just making sure that this is legitimate?” He does that. While he’s in the branch, an email from his actual email to now the correct email account of the escrow officer, directly to the escrow officer, and then he copies the agent because he doesn’t know what’s going on, is a request to say, “Can you confirm the wiring information that you had sent,” so basically re-forwarded what was sent to him back at 9:15.

This is what our buyers, frankly, are up against, and this is the challenge with Account Takeover, because if you have access to somebody’s account, and you have transaction-level details, the concern is, okay, this was three and a half months of setup and 41 minutes of real time velocity that kept the buyer completely exposed, unbeknownst to him in this case. The title company didn’t know they were being spoofed and, frankly, the agent didn’t know they were taken over. The fraudster is 100% in control of what’s happening that Tuesday morning.

Like I say, with this level of execution, how do we really defend and protect the buyers from this type of threat? Again, two and a half years ago, guys. This is after they’ve already raked in about three additional billion dollars. Business Email Compromise is going to be reported by the FBI to be right around a billion and a half dollars last year, when they put out their IC3 report. We’ve taken 500% increases year over year on this issue, and that’s what’s reported. If you read deeper, that’s like 10% to 15% of what’s actually happening.

The takeaways from this are a few folds, one, account takeover exposes, you can see everyone. The level of detail that they have in the transaction, again, just continues to grow, and they’re just being more patient, and they know that the more patient, the more curated this persona is, once it enters the communication stream, the spoofed one, the more believable and the higher the hit rate they’ll have in diverting funds. Then, the level of precision and how they’re convincing people. Like I say, if we look back at this … I’m going to go off script a little bit. [Brian 00:20:42], do me a favor. Can you queue up my iPad a second. I want to draw something out.

We’ve been speaking nationally on this issue of education, what is the best line of defense, if we back up here and say, “Okay, what could have been done?” If we think about it, we have three main parties that are participating in a transaction. You’ve got lenders, you have the real estate agents, the realtors, and call it title and settlements, all communicating at different times for different reasons.

We need to take a step back, I would argue, because I would just say this is indefensible if the buyer doesn’t know it’s coming. If you look at what’s happening in the courts, basically, decisions and pleadings and that, it’s this question of, what did you do to defend or educate or prepare someone for this loss? We’re going to get into this a little bit more when we talk through basically some of the strategies, and those are more corporate strategies. Yes, if you don’t mind, I’m going to draw something out here as I think about it.

Just watch your screen, you should be seeing this now. If you think about this, we could lay this out, or you could say, okay, there’s time on the bottom and there’s risk over here on the left. Let’s say we chunk a transaction into basically 10-day increments, and let’s say we’re shooting for, because we’re all awesome on the phone, the 30-day magical close. Great. First off, let’s say we have a lender involved, so for you lenders on the phone, you get involved typically really early at pre-qual. You have a pre-qualification letter.

Then the next step, or the next communication, is a house is found and then, obviously, the address is inserted and now the disclosure requirements start to kick in. Now, you have an actual loan app that’s signed. Okay? Then you’re carrying along with everyone else, to closing. But then somewhere along, let’s say it’s day 25, somewhere right here, you have a clear to close.

As I see it, at the loan application phase and at least the clear-to-close phase, there’s an opportunity where you’re communicating with the buyer already. What if we use that time, that opportunity, to educate them here and here on the issue of wire fraud, and the fact that it faces them uniquely. Bring in the real estate agent. Let’s say the real estate agent comes in at day 10, and this is buyer agency, so we have a buyer agency agreement signed. Then, right about half a second, it’s like an echo. Once you get clear to close, the closing scheduled is five seconds later.

Clear to close, let’s say that lines up with closing scheduled, and then they’re also with us all through the close date. At least two instances in that relationship where you could say, “Look. When I’m sitting down at the kitchen table, or I’m meeting in the office, and we’re talking about buying a house, could we have a conversation that there’s this issue out here in the industry? I didn’t create it. Power company didn’t create it. The lender didn’t create it. But it’s out there, and you need to be aware of it.” Then you refresh that again at closing scheduled. Then the last participant typically is somebody on the closing escrow side, the title escrow side.

In this case, let’s say they come in a couple days after the purchase agreement signs, so this is file opening. Then again, closing scheduled. Two opportunities, right? We don’t have a lot of interaction with buyers, but two opportunities there at file opening and closing scheduled. You can see on the screen there, that we’re having a specific conversation with the buyers about this risk profile. Why? Reality is this.

This timeframe between closing scheduled and closing is called the Kill Zone. The risk profile looks like this. We cannot wait any longer to educate buyers until closing scheduled, from the time closing the scheduled until the closing takes place to first have the conversation with buyers that there is a threat out there that is sitting at their feet that they don’t know of.

Putting my legal hat on, if you look at the cases, and you dissect the essence of the theories of the case that Plaintiffs’ Lawyers are now suing all of us in a transaction, it comes down to a simple reality. We all know that this is out there, NAR bulletins and webinars, MBA bulletins and webinars, ALTA webinars and bulletins. We’re all aware of this issue, but nobody thought to raise their hand and say, “Look. You have a right to know this, and you have a right to know some strategies, and some things to watch out for.”

What the courts are doing, this will be the subject of our webinar a couple of months from now. The courts are saying, “Okay, guys, all of you involved, what did you do, you do, and you do or not to protect and educate the buyer specifically that could have prevented this loss?” They’re parsing everyone into silos, and they’re looking at it and having individual conversations about what led to it and what could have been preventable. I think, we have to have a more clinical view right now of how this information is being conducted and communicated, so not only are we taking advantage, depending on what tranche we’re in here, who we’re representing, but also looking bilaterally and saying, “Okay, what are my other partners doing? Are they taking advantage of those same milestones for communication?” Sorry to go off script a little bit, but that’s the challenge that we’re having right now in the industry. Brian, could you flip me over to the deck?

To build upon that, I want to go through some strategies that as an organization you can deploy to basically lower this risk profile yourselves. We talked about the takeaways, and now I want to go through strategies to prevent account takeover. They’re simple on their face, but you just have to live them out in practice, because this is all just lowering that profile. First, strong user names and passwords that are reset regularly. That’s a key. We talked last week, or last month, about two-factor authentication, using those one-time codes and that tokenization to harden email platforms and social media sites and those other communication portals that you’re in and out of on a regular basis. Just because they don’t have access to your email doesn’t mean they don’t have access to some other platform where they can mine data.

Training around phishing scams and how to identify and detect fake emails. Train, train, train, I just can’t say this enough because it’s a landscape that continues to evolve. Use the time with your teams, with your company meetings to show actual examples of what came into the organization that would have gotten through or was detected because of best practices so that everyone is aware, and they would have known to spot it as well.

Install programs. The technology is nice for email monitoring and reporting now. You can install programs that if you receive a “from” let’s say from ACME Title, and you go to reply to it, and the “reply-to” is ACME Title 1, an alert will come up, where the “from” doesn’t match the “reply-to” when you’re responding to an email. It’s a mismatch, and that’s just a nice programmatic way to alert yourself that there’s an issue.

Highlighting emails that come from external sources. I know many of you that have installed email monitoring and kind of security software. If there’s an external email, it’ll show up right before the body of the email this is coming from an external source. That just creates a beacon, if you will, or a cautionary light in the user’s mind to make sure, to go in and make sure it’s coming from a trusted source.

Time can be our friend if we use it effectively. I realize it’s Tuesday and it’s 4:00, and I just got the numbers or things changed, and I’m still waiting for invoices, this and that. I get it. We’re all busy, and then the craziness of Thursdays and Fridays, especially with Montent. But, like we talked about last month, Tuesdays, and Thursdays are the highest instance days of attacks by fraudsters, because they know the industry that well. Then if you can, implement technology, again, technology is very inexpensive relative to the benefits that you get, and you can automate a lot of the things that you’re doing manually to put in layers of security and protect your people and ultimately the folks that you’re hired to represent.

Let’s go through an action item of the month, and then I’ll pivot over to some questions that are coming in. The action item of the month is Password Management. How do we manage all the different platforms that we have access to and all the variations and mutations of the dog’s name or our anniversary dates or our favorite vacation or whatever uses a keyword in our mind to navigate all the requirements of these different sets. Things that we’ve done in many other large companies is the idea of password managers.

Two of the leading ones, there’s 1Pass, there’s LastPass. Here’s the theme or the philosophy behind it. If you can think of an incredibly difficult password, you set up an account with, let’s say, LastPass. Now, you have to remember user name and a crazy, ridiculous, complicated password, and you log in to this. For every other site that you log in to, American Airlines or Amazon or whoever it is, your banking institution, it could even be your Gmail or whatever, all the sites. You can use your password manager to create unique and really complicated websites on a platform by platform basis.

Your Amazon password, you don’t need to know your Amazon password anymore because you go to LastPass, and you log in through there, and they know what that password is, and you’re not going to be able to remember it. It’s crazy. You can even set the tolerances of what that looks like. You can set how many characters, special characters, you can go out to 100 characters if you want. It’s crazy. Why this is important is fraudsters work off of what are called rainbow tables. If they’re trying to hack into a website, they have rainbow tables that take the most common passwords, they throw them into a hash program, and that just starts to rework the configuration to a point where they hack, or they unlock the password.

You can see here that as you go down in just the character length, there’s an exponential effect of how hard it is for them to penetrate a site based on the complexity of the password. A password manager gets you down into right now two centuries with super computing, that’s going to go down substantially soon, but at the end of the day right now, fraudsters are lazy. They’re people, and they’re working online on a fraud job jar. They say, “Hey, it’s easy for me to get in here. I got in here. Let’s expose this account.” When we talk about Account Takeover, yes, we need two-factor authentication, but you have the ability to arm yourself with a program like this.

The other thing that a program manager will do, and both these platforms do it, is they give you a help score for security. If they can see that you have sites that you haven’t utilized LastPass yet, it will tell you that, “Hey, you’ve got a low security score in your Gmail account or your Facebook account or your Instagram account or whatever it happens to be.” Then it provides you prompt that say, “Hey, could we come alongside and could we help you really create and harden this account through the LastPass password that we’ll generate?”

The other thing that it does, think about it one step deeper with the ability to prevent phishing. If a fraudster spear phishes me and knows with a really convincing email and asks me to put in user credentials for a standup Google site, for example, but I use a password manager, so I actually don’t know what my password is, it will recognize the fact that you’re being asked to put in, in what looks like a Google site, but it’ll see that it’s not a Google site at all. It’s a standup site, it’s a spoofed site.

It even could prevent phishing in the instance where LastPass or another password manager says, “Yeah, this just isn’t that site. We can’t automate the password in here because it’s been spoofed.” Another significant layer of security. Guys, this is cheap. Again, really inexpensive technology. You’re talking about passwords for 70 or 80 different sites that, if you think about it, you’re probably managing on a fairly regular basis.

All right, what’s coming next? I hope you guys found this helpful. What’s coming next? I was excited about this month. I’ve been excited about every month, but next month, in particular, we are going to get into the whole international money laundering network, if you will, how complicated? How quickly money moves? We’re going to layer in cryptocurrency, and some of the other new ones that they’re using to convert wires into different forms of assets. I’m going to get into our fraud experience and how this just seemingly innocuous fraud in Grand Rapids back in 2015, that hit our organization, spanned across seven different countries around the world from a network and a coordination perspective.

The other half of that session, we’re going to talk about Wire Fraud Recovery. We’re going to talk about the steps that it takes in real time, a minute-by-minute dissection of what needs to happen when your organization and hopefully, it never happens, or you learn of a customer or somebody in a transaction that may have wired funds to an account that’s in the control of a fraudster or, frankly, just someone that they just wired off by mistake. We’ll show you the steps that need to be performed to recall those wires.

By that time, now we’re looking into May, should have the IC3 report. We’re going to unpack what happened last year in typically over a year, and a half to two-year period how things are trending and examples of where things are heating up as far as wire fraud and payment losses. When we get into June, I’ve got some homework to do. I got to finish a national analysis of all court decisions and pleadings that have taken place over the last 12 to 14 months. I’m going to unpack where things are standing as far as standards of care and things to watch out for and maybe even ask your insurance carrier on whether or not your current insurance policy, and that’ll be July intentionally, cover the things that are taking place and evolving in the court system right now.

Then later on, we’ll get into data security best practices, you can see that, but we’re open to other suggestions. If you have, you say, “Hey, I want you to go through just 25 fraud examples, everything from broker commissions to payoff frauds again or buyer side, what title company frauds. We have examples of everything.” Just send us a quick message in the question field here or send me an email directly, and we’ll do our best to accommodate.

All right. I want to answer some questions that are coming up. In the meantime, if you don’t have a question, I will say that we should be connected on LinkedIn. You can email me directly at the email address here. We’re constantly putting out either new blog posts or quick videos that you can use to unpack and go a little bit deeper into some of these areas around identification of wire fraud, strategies or tactics that are coming in and how to keep folks safe.

First question, I’ll say, can you repeat why Tuesdays and Thursdays are the most dangerous days? Yes, I can go deeper into that. It’s trade Tuesday, they know that they prey on this idea that there’s more distraction. As stress heats up more distraction filters into the daily work to unpack it even further. It’s actually the afternoons on Tuesdays, and the afternoons on Thursdays when we’re closed, one of the things are really heating up to send documents out and get things buttoned down. Why Tuesdays? Is typically on Tuesdays, that’s where you’re starting to see when the final CD has been generated.

They want access to that final closing disclosure and settlement statement. Why do they want that? Because, there and the next day or so going to convince a buyer or convince a title provider or convince a lender, to give up information or wire funds to a fraudulent account. They want the access to what’s going on for that Friday closing. Why Thursdays? Thursdays are important because by Thursday for Friday closings, we typically know how money is going to move.

The challenging thing that I showed you on the buyer’s side, and I think you guys can relate to this, we don’t know when the buyer is going to wire in funds, so we could identify them on day 10 as a title provider. So, okay, it’s Mr and Mrs. Smith, but we have no idea because one we’re doing our 40 year, and we’re preparing the commandments. We’re starting cure too, but we might not be until day 25 in the transaction that we’re starting to see numbers form and disclosure starting to be set.

Then it could be two days before, it could be the morning of that the buyer raises their hands and says, “Oh, I got to get you that money. I’m going to wire it in. My financial advisor is going to wire it to you or I’m actually closing on another property you’re not aware of. and the other title companies going to send it to you and that’s going to be my cash to close.” That’s the challenge, and that’s what the fraudsters know is that by Thursday typically we have a sense of what we’re watching out for. “Oh, bring in a certified cheque? Great. It’s a wire, who’s the wire coming from? I’ll watch out for it.” Those are why the two days.

Is it safe to have your browser story or LastPass Master Password? Can you save your Master Password and outlook or do bad guys look through your contacts too? No, do not save your Master Password and automate that because they can screen scrape and they can do things if they have malware on your platform where they can do some key logging and reverse engineering of potentially what that looks like.

Whenever that pop up comes up on my computer for anything, would you like me to save? I always decline that. You want to login every single instance just in case somebody has a little deeper into your network. That’s a great question. Even if you would … Another question, if you encrypt emails with wiring instructions, it would not be helpful because the title agency sees the wiring instructions to fraudsters fake email address of the buyer, is that correct? If that is correct, would you still recommend encrypted emails?

I’m not a technologist by nature, but this is what I understand about encrypted emails. There’s point A and point B and in transit that email is encrypted, meaning that it doesn’t make any sense. If somebody were to pull into that stream of transfer and try to pull it down, it wouldn’t make any sense. The challenge is if I send it from point A and it arrives at point B, it decrypts it’s called encryption in transit or encryption at rest and once it rests, once it lands in that account, it decrypts.

The other challenge with secure emails is this idea that, “Hey, my banker sends me a security email cause he has a message, right? One, I’m immediately annoyed, I open up outlook, and I say, “Hey, are you trying to send me something?” But, let’s say I go through the pathway. The challenge with that, and I’m not saying it’s not a good practice here, me here, but if you think about the flow, it says click here, and I get to select the password. If I get to select the password and my emails taken over, then basically the fraudster can lock out the intended party of an account because they would be responding directly through the encrypted platform of the secured platform because the actual account holder wasn’t able to select the password.

That’s why I would say by and large, the secure emails, especially the banks led this path, they’re not widely adopted. There’s no instance right now where it is slowing down fraud, there just isn’t. If you look at all the statistics, we’re still very much being rocked by the velocity that it’s taking place right now. That’s a really good question.

How do I educate my staff to better identify bad email? This is another one, and I’ll end with this one I promise I always end at quarter to, if you have other questions, please send them off. Again, it’s just having your IT even if you have an outsourced IT department, or you’re using a service to monitor email traffic and flag suspicious emails like a Mimecast or another platform. You need to grab examples of what’s coming in that you can educate on this, especially if they made it through those filters and there were presented to your employees both personally and professionally. I think, that’s the number one is just everyone learns by seeing, so lay out some examples.

All right guys, we hit the quarter to mark. I want to thank you again for the time we had several hundred of you log in today, the group continues to grow. Again, if you have any suggestions, if you want to talk to us about what we’re doing to securely send and receive and confirm wiring information after identities have been verified, that’s what we’re here for. Until next month, let’s make it a safe and secure month end and take care.


Tom Cronkright

CEO and Co-Founder @ CertifID

Back To Top