In the previous posts in this series, we spoke about why real estate is an easy target for wire fraud. We also discussed the different methods fraudsters utilize. In this post, we’ll use that information to explain how you can stop your company from becoming an easy target for wire fraud.
Preventing wire fraud essentially comes down to three things:
- Educating transaction participants about the threat of fraud and what to watch out for;
- Preventing fraudsters from accessing email and other communication-based accounts to obtain critical information about a transaction; and
- Ensuring we have accurate, uncompromised wiring information and contact details for the person or entity that will be receiving funds via wire transfer.
A commitment to education and the adoption of preventative measures will lower your risk profile and protect yourself and your customers from fraud.
Here are some steps to consider to prevent fraud:
Recap: How Wire Fraud Works
While no two scams are the same, there are common patterns that cybercriminals follow when running wire fraud schemes. Fraud prevention begins with an awareness of how scams start. Here’s a dissection of the most common fraud elements:
- Fraudsters find publicly available information of anyone involved in the transaction via social media, company websites, and online resources. This could target buyers, sellers, real estate agents, lenders, settlement providers, attorneys—you name it.
- Cybercriminals target those participants with spear phishing emails designed to gather email account details.
- Armed with account access, fraudsters wait patiently and obtain intimate details about a transaction and the participants involved. This exposes all other parties involved in the deal as they may be individually targeted or spoofed by the fraudster.
- Once the fraudster identifies that funds are to be transferred for a closing, the fraud begins. Using the compromised email address or a spoofed address, the scammer will send emails containing fake wiring instructions to the victim. This will typically be a buyer wiring cash to close to the title company. Or it could be the title company wiring funds to a broker, seller and/or current mortgage holder in connection with the disbursement process.
- Once the money lands in the fraudsters account, it is quickly wired to other bank accounts or withdrawn in cash, through an elaborate network of money mules that await instructions in real-time.
Stop Fraudsters From Accessing Sensitive Information
An important step in wire fraud prevention is to stop fraudsters from gaining access to transaction-level information required to run a scam. Here are some strategies to consider.
Limit Publicly Available Information
Running a business requires that certain information be shared about your company. However, there are things you can do to protect some of the more sensitive data about your organization and employees including:
- Review the information that is displayed on your social media accounts. If you can see sensitive company or customer information, be sure to delete it or update your privacy settings so that the data is no longer public.
- Don’t share your email on any social media accounts.
- Google yourself or your employees to see what information you can find and possibly have removed.
Start to train your employees and yourself to think like a hacker and minimize the ammunition you give them.
Use Strong Spam Filters
Preventing phishing emails being seen is the best way to stop employees from falling for them. A strong email filter is one of the best ways to do this. Products like MimeCast and SpamBully provide solutions that block and filter phishing emails.
If criminals can’t get their emails in front of your employees, then it will be far harder for them to steal account details and, ultimately, hit someone in your organization with wire fraud.
Have Someone Try To Hack Your Employees
Spam filters aren’t always enough. This is why many forward-thinking businesses are hiring third-party companies to perform phishing testing on their employees.
They simply create a phishing email, send it to your staff, and then see who falls for it and what credentials are given. This provides a starting point for training and awareness and gives them the education needed to avoid making the same mistake in the future.
It is possible to use software platforms to perform your own tests. Products like CoFense and Sophos imitate real phishing attacks and provide advanced analytics and reporting so you can see where your organization’s weaknesses are.
There are also free solutions you can try out. We recommend taking advantage of Google‘s phishing test. It provides a great set of emails meant to educate you and your employees on how to identify phishing versus legitimate emails.
Real-Time System Monitoring
Perimeter security helps keep your organization’s entire network threat-free. It utilizes features such as a firewall, web-content filtering, malware protection, and geolocation blocking to keep your network safe in real time.
By monitoring all web activity that enters and exits the network, perimeter security is able to identify unusual patterns or abnormal behavior on your network that could be a sign you are under attack and take action to stop it.
Secure Your Accounts with Strong Passwords and Two-Factor Authentication
Another step you can take is to secure accounts with two-factor authentication (2FA). Accounts that use 2FA require an extra piece of information on top of a username and password to log in.
This additional bit of information is something that only the account owner has access to and it usually has a physical element. For example, it could be a code, sent to an app on the user’s phone, virtual private networks that are tethered to each company device, or a physical key like Yubi Keys. It could even be an SMS message or an actual key.
Essentially, it means that even if a hacker knows an account’s username and password, they will be unable to log into the account without also having access to the third authentication detail.
Most social networks and email providers already make it easy for you to turn on 2FA. Here is a look at what some of the most popular services offer:
- Google Account: Google gives you the option of using SMS or call verification, a security key, or a Google prompt. Turning it on will enable 2FA across all Google services. You can find out more at Google’s guide to turning on 2FA here.
- Facebook: Facebook allows you to use SMS or a third party authentication app for 2FA. Once you have activated one of these two methods, you can set up 2FA using recovery codes, a Universal 2nd Factor compatible security key, or the ability to approve logins from devices Facebook recognizes. Here is Facebook’s official guide.
- LinkedIn: LinkedIn allows you to use SMS for 2FA. You can find out how to do it here.
- Instagram: On Instagram, you can use SMS messages or codes from a third-party app. Check out Instagram’s guide here.
One final thing you can do regarding 2FA is to educate your customers and referral partners about the benefits of turning it on.
Last year, a Google engineer revealed that, at the time, over 90 percent of active Gmail accounts didn’t use two-factor authentication. We’ve mentioned before, it only takes one weak link to give fraudsters a window into a transaction that could allow them to commit wire fraud.
If everyone involved has 2FA turned on, the chances of a hacker being able to access an account is drastically reduced.
Always Verify The Person You’re Doing Business With
Wire fraud is a symptom of the lack of proper identity verification at critical points in a transaction.
The success rate of wire fraud scams is due to the exploitation of a trusted relationship between two parties. If identities are confirmed properly, that trust is never breached.
By contrast, when a party is tricked into believing they’re communicating with a trusted person and follows fraudulent instructions, the absence of identity verification guarantees fraud losses.
Here are some practical ways you can confirm identity and educate your employees, referral partners, and customers about the need to stay diligent and alert. Don’t allow fraudsters to infiltrate the communication stream and make someone a victim.
Gather and Share Contact Information Early In The Transaction Cycle
Title companies, escrow providers, lenders, attorneys and real estate agents need to work together to securely gather and share identity information of transaction participants. The earlier this takes place in the transaction process, the better-protected buyers and sellers will be in the end.
For example, when a real estate agent sits down to sign a listing agreement, it would be important to get the full names, current address, email, and cell phone numbers of the sellers. The agent can then give that information to the title company, escrow provider or attorney to assist them with the closing process.
The same is true for buyers. When signing a buyer representation agreement, the selling agent should gather the contact information of the buyers and share it with the lender, title company, and escrow provider that would be working with the buyer to close the transaction.
This allows the agents to securely store the proper contact information and start educating the buyers on the risk of wire fraud.
The earlier in the process that this information is gathered and shared with others in the transaction, the more trusted the information becomes. Gathering data early also gives extra time to create trusted communication pathways well before the date of closing.
The transaction participants that are hired to protect buyers and sellers are aware of the risks facing buyers and sellers. They have a duty to properly inform and educate them so they don’t become victims.
Have a Process For Sending and Receiving Wire Transfers
A well-defined, documented and measured process for receiving incoming wires and sending funds by way of wire transfer during the disbursement process provides consistency within an organization. This allows its employees to spot anomalous behavior that could be fraud.
As a group, consumers are unaware of the intricacies of sending funds by way of wire transfer. In most cases, a real estate transaction is the only time that they will be requested to wire funds. Fraudsters know this and prey on their lack of understanding.
Educate your customers on the portion of your wire transfer procedure that directly affects them.
Special notices should be sent to them outlining how you will share your instructions for incoming wires. Emphasize that they will never change and you will not deviate from the process. Early education and alignment could save the life savings of buyers and sellers.
Additionally, ensure the customer knows who is authorized to give out wiring details. Fraudsters are now able to use vishing (voice phishing) techniques over the phone to trick customers into wiring money to the wrong account.
However, if they know who in your organization is authorized to give out wiring details, they will be less likely to fall for a scam.
Educate Customers and Staff About What a Scam Looks Like
It’s proven that wire fraud scams are convincing. However, that doesn’t mean there aren’t signs you can watch for. Ensure that everyone in your organization (and your customers) know the telltale signs of cybercrime and what to do if they think they are being targeted.
Here are some quick examples:
- The use of the word kindly. “Kindly send through your bank details.” In the USA, we don’t normally use this word.
- Lowercase ‘i’. Used when describing myself, ‘i’m’ or ‘i want’ it’s sloppy and only a mistake a non-native English speaker would make.
- Asking “what time will you be sending the wire transfer?” or “Can you confirm the wire is sent immediately after it’s been initiated?“ Trusted lenders and title agencies will not ask you to confirm the release of a wire transfer the minute it takes place.
- They ask to CHANGE the wire details. Another red flag, so pause, think and confirm. It’s possible a third confirmation will have to take place before funds are transferred.
People who know the techniques fraudsters use are more aware of what to look for and less likely to be tricked.
Authenticate Wiring Details and Identity
Whether you validate your transfers over the phone, in person, or using software like CertifID, it is important that you have a proven way to authenticate wiring details before making a transaction. Not only that, but you also need to verify the identity of the person the details belong to.
If you do this, it doesn’t matter if a fraudster has been successful in the scam up to the point of transfer. When it comes to wiring money, the scam will still be stopped.
Real Estate Wire Fraud is Preventable
By taking the steps above, your organization will make it far more difficult for fraudsters to run a scam. This is essential for protecting both your business and customers.
Having said that, cybercrime happens. In our next article, we will explore the steps you must take if you do fall victim to wire fraud.