What is Phishing and How Does It Affect Title Agencies?

Fishing is the act of using bait to catch fish. Ironically this is identical to the phonetic cousin word, phishing, in which scammers lure victims in with some type of bait only to capture their private details in the process.

Phishing is the process where wire fraud cases can begin, and why scammers can be as successful as they are. This is particularly potent for title agencies, who through some social engineering and phishing, scammers can gain access to entire networks of mortgage and wire transfer data.

What is phishing?

Wikipedia defines phishing as "a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking, and credit card details, and passwords.”

It’s important to dispel the myth that you are being scammed by a calculating person, rather a sophisticated machine learning algorithm that sends out hundreds of contacts a second to thousands of real estate firms. It's not personal, but simply a business for these ‘hackers’.

Essentially it can be anything from pretending to be a fellow employee, to a possible real estate customer to even distant family. They encourage you to provide either usernames, passwords or trivial information that put together will give them access to commit wire fraud.

Because so many people use the same passwords for both their work and personal accounts, it can be a simple task to trick them into revealing one to access the other.

How does wire transfer phishing work?

It starts with a scammer pretending to be an official service provider, such as a bank, a wire transfer client or friend and asking for your login credentials. It could be an email directed at a low-level employee or a partner with limited access.

They will grab your attention with an email or call that asks you, via a link or attachment (reminder that viruses can hide in any attachment, including zip files and PDF’s) to take action to resolve a problem, such as pay an urgent fake invoice before its due (fear motivation), accept a large wire transfer payment (reward motivation), or even see how a mortgage customer-rated you and your real estate firm (social proof motivation). This is no means a complete list, with many other motivations possible.

Before you can take action on the email’s subject, you will be asked to provide login details on a fake page. This pretend login page can look very official, asking for your username and password, with an official sounding URL (we will show you how to identify this in a later section of this article), official logo and some sophisticated phishing attempts can even somewhat replicate the backend of your prefered wire transfer service when you ‘log in’ (some direct you to the real page with a ‘try again’ prompt).

This can be replicated to represent any bank, email service, social media and more. Sometimes a wire transfer service or a client already has had their account compromised (and thus already in your trusted network) and will forward a scammers email unwillingly.

When they contact you, they may already have some of your details to appear more legitimate, such as your name, a business partners name (again possible that the scammer has already accessed a trusted client or partner) or even your wire transfer details (Just need to know the last security questions to authorize their own wire transfer fraud).  

What are common ways that phishing occurs?

First of all, this is not an endorsement of the practice and only an article on how best to avoid phishing emails. And the best way to avoid it is to be aware of the practice and treat it with some common sense.

The most common items to look at are:

• URL – The URL, The address of the login page up the top of your browser will appear to be legitimate but might be very slightly different from the real thing. This can either be a different spelling of the URL or having a different top-level domain. Scamwatch.gov lists this example:  “If the legitimate site is 'www.realbank.com', the scammer may use an address like 'www.reaIbank.com'. The only difference is that the L in Real is a capitalised ‘i’ in the scammers URL. It may also have a different top-level domain if the real site is again 'www.realbank.com', a fake site might be www.realbank.tv or www.realbank.webhost.com.au”
• Lack of web encryption – Real log in websites will be most likely (and 99% of cases will be) encrypted to protect your information. This can be identified in the URL as an httpS, as opposed to an unencrypted http. This may also be reflected by a padlock or a lack of padlock on the bottom bar of your web browser.
• Spelling and grammar mistakes – Believe it or not, but despite replicating a website, many times simple mistakes are made by the scammers in grammar and spelling. A proper wire transfer service, such as CertifID would never have a mistake like this.
• Name address is generic – If a mortgage client or wire transfer provider contacts you, they will most likely call you by your full name or registered nickname, not a generic “dear customer”. This is made famous by Paypal phishing emails that say: “Hello sir/madam”, whilst real emails from Paypal will know your name and your sex.

You can check if it’s a common scam by copying the email and pasting it into google. Someone has always gotten that same scam phishing message before and you will easily find it being discussed online.

Remember, that an official wire transfer or mortgage provider would never ask for your login details by email or phone or instant message. They would never need to access your wire transfer statements, and even if they did, they already control the servers that host your details and could simply work around your login.

If they call you, simply ask for a case number or their name in the organization, then Google  their website to call them back officially (do not call the number or details they provide you).

We close with the following advice whenever you get a wire transfer request:

• Validate. Verify the instructions if received by email, even if they come from someone you know personally.
• Confirm. Pick up the phone and confirm with them over the line.
• Contact. Speak with the client to confirm that any transfers are expected.
• Review. Examine all payments before they are sent and keep copies of all correspondence.

Keep in mind that if it's too good to be true, it probably is.

Protect your title agency from phishing

If you want to protect yourself from this type of phishing wire transfer fraud, then consider CertifID, the only wire transfer service that offers $1M in direct, first-party insurance against money wiring fraud and uses state of the art technology to keep you and your clients safe. Request a demo to see how we can protect your transactions from fraud.

‍