skip to Main Content

The New Era of Wire Fraud

Tyler Adams, Published on June 11, 2020


– Hello, everyone, Tom from CertifID. We’re gonna take just a couple of minutes, let everyone join the room. We had over 600 registered for this event today. So, I will be kicking things off in roughly 90 seconds. Thank you. Good morning, everyone. I’m Tom with CertifID. I just wanna give everyone a proper chance to register. We had over 600 registered for today, and we’re just letting them come into the room right now. So, I’m gonna give it another 90 seconds or so, and then we’ll get started. Lots of great content to cover today. So, be right back. Well, good morning, everyone. I’m gonna start. We have people that are still coming in, but in the interest of time, we have a lot of ground to cover, I wanna jump right in.

Today, I really felt compelled just from the experience that I personally have had over the last couple of weeks to take a fresh pass on wire fraud and the impact that it’s having on the industry. My goal today is you walk out with a better appreciation and aperture of the issue. And then, some tools and techniques that we can do to defend against this growing threat in both speed and sophistication. So, roughly 2000 real-estate transactions are taking place per hour. We’re moving, now with refinances, almost $500 million an hour. And I think you’ll leave with a better understanding. These fraud syndicates that are internationally based, in most cases, are diverting funds. And they’re focusing on our industry. I think we have enough evidence to show that they’re not leaving any time soon. The FTC recently reported that wire fraud is the number one reported loss from consumers, and these stats are staggering frankly. For those of you I haven’t had the privilege to meet, I’m Tom Cronkright. I’m actually the co-founder of CertifID. I’m a licensed attorney and a large title agency owner, here based out of Grand Rapids, Michigan.

I come to you in a few different areas, that are maybe personas, in the sense that, as a large title agent, we experience the wire fraud. We’ve been through the full end-to-end, from loss, to recovery, to being called to testify by the Department of Justice to help take down a very large cyber syndicate operating out of North America a couple years ago. But I’m also gonna show you an example of a customer that got duped into wiring funds over Memorial Day weekend. And how, again, while we’re on the tip of the spear of this issue, there’s always more work that can be done, and we’re gonna dissect that. In the interest of full disclosure, the examples I’m gonna provide to you today, none of those had CertifID, the technology, used in them. But know that CertifID could’ve prevented everything that we saw over the last two weeks, as far as fraud prevention.

So, very passionate about the issue and looking forward to bringing this information in. Unfortunately, we had the Secret Service, an officer that I’m getting to know fairly well over the last just few months, could not make it. The reason is we were called in to assist in a recovery that originated out of Texas on a mortgage payoff at 4:30 p.m. yesterday afternoon. We were working alongside the Secret Service and the FBI. And I basically told the special agent: why don’t you go hunt down the money? That’s what the industry needs you to do. And give me the thumbnails of what you would’ve brought to this session today. So, know that, again, that wasn’t a CertifID failure, that was another failure of practice and just the fraudster being ahead of the tools and the techniques that that agent, unfortunately, didn’t have in place. And more than that to come. But let’s get the sound bites from the Secret Service. So, I posed the question: what is really keeping you up at night? And guys, one thing I’ll say in speaking to them, speaking to the FBI, speaking to anyone, the Federal Trade Commission, anyone really involved in the recovery of any type of money transfer, it is nothing short of a tsunami right now. And a lot of that has to do with the state that we’re in with COVID. The top four things I should say, no question, unemployment fraud, with that additional $600 kicker each week. I don’t know how they’re ever gonna get their hand around it. As he underscores, massive, massive fraud in that area. Romance scams where hey, I’m a military member. The fraudster’s impersonating this kind of personal relationship, love affair, if you will, online. All of a sudden their request for money comes out, and they never end up meeting once the transfer takes place.

That relationship, that fake relationship that’s been curated, ends abruptly and somebody loses money. Ransomware. So, again, ransomware is where they will provide you with a link, or an attachment, or somehow get you to interact so that a computer code is infiltrating your email accounts, or somehow your network. They lock you out of maybe your title production software. They lock you out of your accounting or treasury software, and then you have to pay a fee, a ransom, to get a code to unlock that. That’s still a prevalent scam, and becoming more prevalent in our industry. But BEC really is the breakaway. The concern that I have here, which I think is just pitch perfect for our talk today, and I didn’t lead these questions. I just said, “Hey, three or four things “that are keeping you up at night.” And he said, I mean, look at this statement: “from what I’ve seen, “it’s the email attacks from smaller players “in mortgage finance, small companies.” I mean, this is literally an email that came from them at eight o’clock this morning. Those that either don’t have a lot or any IT support, and anything that has connective tissue to the housing market is at risk. And they’re just seeing this rinse-repeat cycle. So, that was the update from our friends at the Secret Service, and I will give props to them for that feedback, I think very timely.

Here’s what I wanna cover today. Size and scope of the problem, all fresh stats. We’re gonna dive deeper than I have ever dove into two wire frauds. We are gonna absolutely unpack from a technological basis, because well, we’ve been in three recoveries now, and I got Brent, my IT manager, in here, in about 10 days. And they’re just simply mind-blowing, and it’s a real concern. And then, we’re gonna talk about how to recover, and the chances of recovery, now that people are working from home. And some of our friends at the federal level are just simply overwhelmed. And then, I’ll spend a few minutes on CertifID. So, size and scope of the problem. I wanna start with a polling question. So, we’re gonna have three polling questions. This is something that we’re gonna introduce into all of our monthly webinars going forward. We really wanna drive interaction. So, I’m gonna have Katie or Brent to pivot to poll question number one. How do frauds start? So, if you could just quickly click on the answer, in your opinion. There’s no right or wrong answer. I just wanna get a feeling of how you think these things begin. They call someone, and then all of a sudden they get scammed over the phone. There’s a phishing email. There’s a hack into a database, or there’s, ultimately, an impersonation that takes place.

So, I’ll give us a few more seconds here. Again, while you’re answering this, I just wanna thank everyone for the overwhelming support of the post that we put on LinkedIn around the wire fraud recovery of Memorial Day. And the fact that over 600 were registered for today’s session. And I only say that because that deserves some applause, that we’re still focusing on this for our customers and our businesses. All right, so closing it out. It was kind of a trick question in the sense that phishing and the impersonation go hand-in-hand. And I drafted that intentionally, ’cause almost 100% of the time that’s exactly how it works. 91% of all frauds now start with a well-crafted, phishing email, or message. So, quickly, you guys have seen this before. For those of you that are new, again, welcome. But they’re running a well-defined playbook, and they’re getting better and better in two specific areas. One, the phishing. So, they’ll profile a transaction because of MLS-indicated data or they’re infiltrating somebody’s email account. They phish somebody to gain account access. Once they gain account access, they’ll sit there, and they’ll kinda sit below the waterline. They’re reading emails, they’re reading communications. And then, they impersonate somebody, typically, on the other end of a transaction, to get someone else to transfer funds.

The two areas of biggest concern right now is the sophistication and the timing of the phish and the speed at which they’re muling money right now, once they received the wire transfer into the fraudulent account. And I’m gonna give you specific examples. A new phishing site launches every 20 seconds in the U.S. right now. And if you look at the disparity between where they’re pointing malware, how much energy is being pointed to malware versus phishing, a lot of this I do believe is COVID related, it’s just shocking. Phishing is just on an absolute tier. Why? Well, malware. I gotta have this program, and it’s gotta go undetected, and it’s gotta write this script, and then it’s gotta shut something down, and then I got this interaction. Phishing, I just have to trick one person. One person to give me user credentials, one person to click, and I might be able to scrape them off their computer. I can mine the information, and then I have more control over what comes next as a fraudster. Since COVID began, so let’s call this early March, a massive step-up in COVID-related security threats in all vectors: hacking, email compromise, business email compromise, and ransomware. But what we know, and this is why I think you absolutely answered the correct question, or the question correctly, is phishing leads to wire fraud. I mean, that’s the point.

So, if we look at it on a macro basis, two billion in losses reported last year in the IC3 report, 35,000 instances, and we know that 85% of them go unreported. I mean, it’s just a massively large issue. The other thing that you have to be aware of as we go through this. If there is a loss and, look, I’m an attorney, so I’m super sensitive about what I’m gonna say here. If there is a loss, you just have to plan on being named in a lawsuit and then being able to defend and respond to those pleadings to get your way out of that without having to write a check, or at least, mitigate what it takes to get out of that conversation. And I can just tell you that what we built at CertifID is specifically designed through the communication, and the templates, and the technology to meet that standard of care. So, just be prepared. This is actually a table. We’re wrapping up a white paper that we’ll be publishing here shortly on all the cases, or at least the seminal cases, around the country that deal with wire fraud in the real estate industry. And you can kind of see the theories of cases. Negligence and Consumer Protection Law. For those of you on the call that are attorneys, you know that’s a sheet of glass wide. You can so easily tag someone to find issues of fact in a negligence or a CPL breach claim. All right, so strap in, let’s go into the two wire frauds that we’re gonna dissect today. I’m gonna put another poll question up. So, Katie, if you can. I’ve got Katie from our CertifID team, many of you interact with her on a day-to-day base if you’re current customers. But the next poll question is gonna launch here.

I just wonder, and this is all anonymous, guys, what’s your experience in fraud? So, hey, I’ve experienced at least one, and money was transferred. I just want you guys to be honest, ’cause it’s gonna frame how much time I spend in certain segments over the next 20 minutes. I’ve had at least one near miss. I’ve seen many attempts, but they were caught early. Thank the Lord, I haven’t had any experience, but yet I’m still here. And I applaud everyone on this spectrum, because if you haven’t had the experience, but yet you’re tuning in, chances are we can help so that that doesn’t happen. You just simply don’t want this to happen. I can’t underscore this enough. But roughly half of you on, this is interesting, haven’t had the experience. But the others, t’s almost evenly dispersed that on the spectrum, two out of 10 on the call, have had it. Four out of 10 a near miss or a direct hit. So, that’s super interesting, thank you. All right, fraud one. Fraud one was a commercial transaction. I’m co-owner of Sun Title, along with my partner, Lawrence Duthler, who’s also an attorney. And we were helping coordinate a commercial transaction on the southwest side of Grand Rapids here. And we were getting near closing, leading up to Memorial Day weekend, just a few weeks ago. And know a couple of things about this, I really wanna make sure you guys understand it as I go into dissecting this fraud. There was no mortgage lender involved, and the buyer was paying cash for the commercial property. We’re not a good fund state, so there was never an intent that the buyer was going to wire funds.

So, CertifID, which we use at Sun Title, was never used, right. So, I wanna create the proper framework of how this happened. So, basically, we’re coordinating with a commercial real estate broker, our commercial team. We’re getting close to final numbers in closing. And the commercial broker was going to, ultimately, sit down with them, go over the numbers. And then, they were gonna go get a cashier’s check, bring that to closing. This happens every day, right, a lot of times a day. So, that’s kinda the setup of this. So, the parties involved that I’m gonna highlight is the commercial real estate broker, our commercial escrow officer, and then, ultimately, the fraudster. Can you remove the poll screen there, Brent? Ultimately, the fraudster that ends up impersonating one of our employees at Sun Title, the spoofed escrow officer, okay. But again, I wanna dive deep into the weeds. So, rather than reading this email string from bottom up, I’m gonna read it kinda from top down in chronological order, okay. And I had to mask some things, obviously, for privacy, but I am disclosing what I can that relates to our employees and our persona. So, on Friday, again, this is a fresh fraud. We’re leading up a week before Memorial Day. There’s a communication between the real estate broker and my escrow officer saying,”Hey, we’re in title clearance, “here’s the resolution.” My escrow officer says, “Yeah, looks really good.” And then, okay, can they bring it to close? How does next week Friday look for a closing? Thank you.

All real communications, okay. Next, on Monday, so we’re on a nice path, the 29th works for me. So, this would’ve been after the Memorial holiday. And then, all of a sudden after that, on that Tuesday, the 19th, the fraudster copied this entire email string that they were having and starts a new dialogue with the commercial broker spoofing my commercial escrow officer, okay. So, this is where I’m showing, okay, it looks like it’s coming from our employee, Renee. It says, “Good morning, kindly advice on the chosen time “for closing on the 29th, “so we can schedule this closing for you.” Couple of interesting things just on that email, I said it over and over again, the use of the word kindly has to be a red alarm flag in your operations, period. No exceptions. If you use the word kindly, stop, grab a thesaurus, use another word. You gotta get rid of it, right. So, this should have been flagged so early on. This email went to the commercial broker, okay. Ironically, and this is just one of those frustrating things, and I’ll speak really from the heart as an industry participant, this gentleman has been to our CE, he has attended our fraud briefings. And he admitted all of this. I was read into this issue, and there were so many alarms that should’ve went off, but for some reason they were overwritten, okay. So, anyway, what’s interesting here though is that, again, we can pick this email apart. The fraudster did not mention in the first email anything about transferring money by way of wire transfer. And we’re seeing this over and over again: that they’re being more patient, they’re being more intentional.

They’re willing to build credibility through a couple of warm-up emails, and then they’ll insert this concept of the wire transfer. Again, because, in our minds, as the title company, the buyer was never going to send a wire. We caution them. You can see the fraudster even copied, look, CertifID’s all over this thing. Don’t trust anything, blah, blah, blah. And I’ll get to how the fraud actually happened. But think about this: the fraudster was the first one to bring up the concept of a wire to the commercial broker, right. And it was through this next email, the next day on the 20th, attached you’ll a final HUD for your approval, and our wiring instructions. The email’s horrible. I mean, this was really horrible. We don’t use HUDs anymore. You never use the final HUD for a commercial deal anyway. I could pick this thing apart. But anyway, kindly advise the buyer to make the payment, send a receipt, so we can get it arranged for a quick closing. Please review and let me know if you have any changes, thank you. And then, thank you, again. Like I say, I gotta admit, this was really bad. But the wiring instructions were good. So, they know the Federal Reserve is blind. This is exactly what was attached to that email, headed to Chase Bank in Newark, New Jersey. The account name of Sun Title was lifted. It did go to Chase but to a completely different account and even the address of our main corporate office was included on the wiring instructions, okay. So, from a credibility standpoint, it looks like, okay, these must be a legitimate. And then if I follow these, then it looks like it’s gonna arrive in the title company’s account. So, again, fraudster, this is now on the 22nd, the day before the holiday where the Federal Reserve is closed on Monday. Kindly advise me, it’s hard for me to even say this, kindly advise me when we would be receiving the wires, since we don’t have the buyer’s contact. Again, this is fraudster to the commercial broker. So, we don’t even know this is going on, right. How would we? We’re being spoofed. I believe you advised them to make the wire to our firm’s escrow account. We can get all the documents organized, it’s spelled wrong, and have a quick closing on the 29th. Thank you, best regards, okay. So, then this again, hey, just make sure you get that wire out, make sure you get that message out to the buyer. The broker, again, not knowing what’s going on or waving the hand yet.

I reviewed and gave the letter and furnished it with the wiring instructions. I think she’ll wire it before noon on Tuesday. I told her to call me as soon as it was sent out, and I’ll let you know. So, here’s the kicker of the whole thing. He ended up printing out these wiring instructions, sitting down with them on the Friday before Memorial Day, working through the final numbers and presenting the wiring instructions in person to them, right. It’s just, really? So, that’s why we didn’t have an email string of him just forwarding it. It was even worse. I mean, think how credible that is. And, oh, by the way, here are the wiring instructions that you need to follow. And this is why he made this statement, that by the end of the day he had already met with them and transmitted this information. Fraudster says, “Okay, hey, thanks.” So, this is end of day. Have a nice weekend. Enjoy your family, I’ll be keeping in touch. Really nice kind of send-off to a holiday weekend, right. Monday comes around, things start to heat up. Good morning, again, fraudster to the broker. Happy Memorial Day, we’re closing on another property. This is where I think they got off-track, and they could’ve been much more successful, but they were probably a little bit antsy. They give some wild-eyed idea of why you need to transfer the money right now, and we need to get confirmation. Again, kindly confirm you are in receipt and update of the payment and information tomorrow. What I think what they found out is that the borrower was wiring money from two separate accounts. So, they had already presented the Chase instructions, right. But then, at the end of the day, they said, “Hey, we’re gonna get a second wire. “We’d like to divert that “to a completely different bank, Wells Fargo.” Great strategy by the way. So, they’re presenting this excuse and say, “Hey, because we have this other closing, “could you transmit the wire to a different location, “to Wells Fargo?” So, then the commercial broker, at 2:36 p.m., I’ll tell them. I don’t think they wired the money yet. They have their money in two banks, they’ll probably wire from here and here. Again, enjoy the day. So, he’s not suspecting anything just yet. But then, he did. Thankfully, after he got that email, I don’t mean to make you dizzy, he gets this email around nine o’clock on Monday, wires instructions, sends an email out. This should’ve been 9:36 a.m., the time zones are a little wanky, because the fraudster was reeling through a series of proxies. And then, he actually calls our escrow officer and says, “Hey, I just wanna clarify this last email “on the wiring instructions, “’cause I already got some on Friday.” And this is the email that I received, and this was not what I was planning on doing Memorial Day, but this is what I did Memorial Day, starting at about 10:30 a.m., is we started on the wire fraud recovery. So, the fraud email, what I wanted to show you here is Don was forwarding that entire string that he received from Renee to the real Renee, okay. And that’s typically how they’re uncovered. Look what I received, if you’re saying you didn’t send this, then who did? The fraudster, not knowing this, still communicates. So, at 10 o’clock, thanks for the update. So, he’s responding to the commercial broker’s email from 9:30 a.m., and then the result was there was 54,000 wired on Friday that landed in the fraudulent account, okay.

That’s what happened on Friday, even though the broker thought they weren’t gonna transmit until Tuesday. How did they do it? So, this I’m gonna slow walk to really unpack. I don’t expect that you actually understand how to do any of this, what I’m gonna show you, to unpack how they do these frauds, or even the technological basis for them. I thought it important, especially on this one, ’cause it has so much texture to it, to understand the level of sophistication that they are bringing in to grab 50 grand, to grab 300 grand. I mean, a lot of times, they don’t necessarily know the amount that’s gonna be wired when they start to hone in on a fraud. And I would argue that this is why as an industry we have to step up with technology, we have to step up to do a better job to combat what I’m gonna show you right now. Okay, all bad things happen in Nigeria. If you’re from Nigeria, I apologize. But there’s just a lot of bad energy going on there. The broker’s email account was compromised from Nigeria. Here’s a screenshot showing that the email application was accessed from the country of Nigeria in his Yahoo account. There’s no question, okay. But then, it takes an interesting twist, and we found that the fraudsters had taken over a salon, I’m not making this up, a salon and day spa just outside southwest Toronto, so that they could ping in real emails out of their email server looking like they’re coming from, in this case, Sun Title. And I think they did that to avoid detection, and certainly, avoid the fact that these were originating from a server in Nigeria, okay. So, they actually took over this company’s server. So, if you look at the email string that was given, if you take any email and you wanna do a quick spot check on whether it can be trusted, literally within Outlook, you go to File, Properties, and then in the Properties, is Internet Headers.

The internet header really unlocks a bunch of texture, as to what’s going on, if you know what to do with it. So, we simply just cut and pasted that. I’m gonna show you exactly what we did. You cut and paste this, you go to a source like MX Toolbox. It’s free. You click on Analyze Header. You literally do a Control+V, you paste it in there. And you’re gonna learn some really interesting things, okay. So, what was going on with that email? And I wanna unpack this a little bit. One, it looked like it was going to the Yahoo account, but the return path went to, what does that mean? Well, the header in the email showed Sun Title, and my escrow officer. So, that’s how they make it seem like it’s coming from the title company, but then when they hit reply, the header is gonna show it’s going back to so and so @SunTitle. But the actual return path of that email is going somewhere completely different. Really hard to detect, okay. The domain was not a Permitted Sender domain. So, this is a really big red flag. We have an IP address. The From was codified right here with my escrow officer. The Sender was actually the day spa and salon. The Replied To looked like it was going back to the title company, but the pathway was programmed differently and that’s the trick, right. Here’s the other interesting thing we found. They had a forwarding rule set on that broker’s account. So that if there was a reply to his email account, let’s say that my escrow officer was actually emailing him directly, they had a forwarding rule that reverted all of his emails at Yahoo to this

So, they even had access to what he was seeing in his email account so they could filter out and kinda get a jump on any intel that they needed to perpetrate this fraud. So, they were just all over this email sequence. So, let’s take the IP address and let’s look at that a second. So, again, this was the email string, if we look at where the IP address originated, you can quickly pop that into another service and it’s spooled from the Canada server just outside of Wichita, okay. And then, back up to Grand Rapids. So, just this simple email string had three countries involved with a bunch of different nodes. We’re starting out of Nigeria, we’re wheeling through a server to avoid this level of detection in Nigeria. We’re then wheeling it again through a server in Wichita, and then it switches back up to Grand Rapids in an email from them going to the real estate broker, okay. So, I just wanna emphasize, and we’re gonna get into some of the tools, but being able to have email monitoring and being aware that guys this is what’s coming at our customers on a day-to-day basis, and you just may not know what’s happening until you get that terrifying email, like I did on Monday, that hey, we had a buyer that got scammed after the broker was compromised. And then, ultimately, the money did not land in the proper account, okay. All right, if you have questions, I should’ve said this before, start to put them in the Questions panel. So, I wanna be able to have enough time at the end here that I can walk through this.

So, we have one right now, so let me take it on the fly. These fraud schemes look like they could’ve been caught if the broker was more diligent, are you at all concerned about how hard these are track and prevent AI and machine-learning tools to improve? 100%, 100% I’m concerned. The other concern I have over this is that the level of training that this gentleman had received around the issue. I mean, we just pile drive into our customers that look, if you’re gonna wire funds, it only comes through CertifID. There’s just no other pathway. And when I talked to him, I said, “Look, man, what broke down? “I mean, be candid with me.” He said, “You know, with everything COVID-related “and the holiday,” he just said, “everything else has changed, I thought, well, “if it looks like it’s coming from Renee “that it can be trusted.” And that’s the crack in the wall that they’re exploiting right now, right, is that this doesn’t change, right. These are absolute truths about how we protect our consumers. And yes, I am concerned about AI and machine learning and the level of just social listening, that they’re able to impersonate us and do this on a more timely basis. So, all right, why is the word kindly a warning? Look, fact check me on this, call your FBI field office, call the Secret Service, call the U.S. Department of Treasury, call your underwriter. I know we’ve got several of them on the phone right now. They will concur what they’re doing is, again, this was originating out of Nigeria. So, they’re using these translation programs to try to craft these sentences that will make sense to us that don’t throw up all these red flags. And you can see, they’re not overwriting it. Random letters are capitalized and words are thank you, thank you, and thank you, best regards, the stuff just doesn’t make sense. It would be a waste of time as we email it. Kindly is one of those words.

I don’t know what word they’re using in their native language, but in almost all cases, it translates to the word kindly in ours. When was the last time we saw a fraud that didn’t have the word kindly, and I’m telling you it’s one of those you have to flag, right. The other that I mention is the use of lowercase i if I’m describing myself, right. So, i have attached, or so that i can get, if it’s a lowercase i that’s another thing that they’re not picking up in an auto-correct on these emails. But that’s why. How do you know they got into the commercial broker’s email? That was a screenshot of his email log history from Yahoo. So, there’s no doubt that his email was accessed through Nigeria. He doesn’t know what he clicked on that led to the actual fraud. Is that fair, Brent? Brent did the forensics with the Secret Service that week after the holiday. So, there was no doubt he was exposed. All right, fraud two: mortgage payoff fraud. This is technically a mortgage payoff fraud, but it was a private lender. So, you could use this one similar to a seller disbursement wire fraud. Because it was dealing with an individual. Not that that made it any less sinister or complicated, but private money lenders, I think, we have better access to confirm information, certainly through the CertifID platform. This thing would’ve been sniffed out in about three milliseconds. But know that the private lender, again, another commercial transaction. This one originating in a state to the South. We have an escrow officer, and then we have a private lender that appears to have been compromised. And again, spoofing the escrow officer into a payoff transfer. I don’t have a lot of details on this one, because we weren’t involved. We got involved when we were asked to assist in the recovery. And I’ll get into that in a minute. We have developed a very specific skillset at CertifID, and we’re offering the wire fraud protection and mitigation to our buyer customers. We just, frankly, did a favor. We did a favor to one of the large insurance companies to help them on this. So, CertifID wasn’t involved, our title company wasn’t involved, but here’s what happened.

Emails compromised and fraudster monitors traffic, right. Okay, we talked about that. Ultimately, fraudulent payoff gets sent to the closer from the private investor, the hard money investor. And the closer calls to verify and unfortunately, uses the number that was provided on the actual instructions, okay. So, here was the payoff. And I had to mask this for privacy reasons. You can see right before the holiday weekend, to whom it concerns, the letter. Here’s the notice. The payoff’s valid through just after the holiday weekend. Go into BOA, here’s the checking and routing number. Please prepare the cancellation of deed, and you can charge the fees. So, it’s interesting they kinda pepper in some information about the transaction. They’re getting better at that. But this is what the closer relied on, okay. So, what happened was a little over 130,000 was actually wired off with that payoff. Again, on the Friday before the holiday.

The story of this one really deals with the speed at which they muled the money, right. And what I mean by that is wires are instantaneous. When I wire to Brent’s account here in the room, when that wire lands, he can immediately, there’s no seasoning, there’s no holding pattern, immediately transfer those funds, convert those to cashier’s checks, pay off credit cards, buy Amazon gift cards, pay cellphone bills. These are all things that have been done. Go buy a car, lease a car. These are live examples of where money has gone in real-estate transactions immediately, okay. And they’re learning that more and more that when we used to say, “Hey, “you might have 72, maybe 96, hours to respond to a fraud.” I’m standing here today saying from what I’ve seen the last 15 days, we’re down to hours, minutes matter. Literally, minutes matter to get the wheel in motion. So, what happened on this one, and this is coming from, again, the Secret Service that we interacted with, and their debrief of what they saw. The account name on the wiring instructions wasn’t even close. They mention that because BOA is one of those banks that historically does a good job of trying to do a little bit of matching between the wiring instructions and what’s coming in, and the account name. And then, where that account is landing. And this one was like apples and the moon, there’s no comparison. So, then on 5/22 the money’s transferred, 1/3 of the funds are remained in the account, which is a miss on their part but good for recovery. 2/3 were transferred into wire transfers to U.S. Bank, okay. So, they left a tranche in. Typically, to avoid a huge flag or detection of the sweeping of big funds. ‘Cause again, this was north of 130,000. 2/3 of that was a wire that that day went out to U.S. Bank. And then, they immediately drew down two cashier’s checks, and then one of them was converted to cash and the other was presented on a third-party bank that were the federal authorities are in the process of kind of ceasing and freezing, if you will. The other thing that’s interesting, and I agree with this action, ’cause we had to do it, which is why these are so expensive and complex, the title agency’s spooling up a court order to claw back this cashier’s check that is now daisy-chained into a third bank through now the morphing between a wire and a negotiable instrument like a cashier’s check.

So, this one had me stand up and realize: okay, whoever was on the backend of this fraud understands how blind the Federal Reserve is, how quickly you can move cash, and then, ultimately, if you do that, you’re gonna have a much higher degree of success. So, really they went hot to 26, moving money when they could, right, the Tuesday when the Federal Reserve opened, and by the 28th, this stuff was everywhere. So, that’s really fast movement. All right, so let’s get into recovery. So, let’s pivot into okay, what would we do if we learn of a wire fraud and just some blocking and tackling here. Last poll question that I wanna ask. If you guys can spool this up a second, hold on I think it’s coming up right now. How are we approaching fraud protection? So, hey, my people and their diligence are my first line of defense. We’ve got workflow, development, and enhancement. We’re using technology enablement. We do little, but I think we should do more. Again, there’s no wrong answer, I’m just trying to get a sense of kind of the pulse here.

So, looks like we’re gonna come in fairly, evenly dispersed, which I’m not surprised by, right. Because how the money comes in, what we do for buyers is probably very different than what we do for a seller. And our proceeds, that’s different again from a mortgage payoff. But happy to see a couple of things. We’ve taken on workflow, which means we’ve codified how we protect ourselves and the integration of technology, I think, has a big role to play. All right, quickly, I’m not gonna spend a ton of time on this. If you wanna go to our white paper, and maybe Katie or Brent, if you could put in the When Minutes Matter white paper in the comments. If you don’t have this guide, you simply need to get your hands on it. It is step-by-step, in even more detail of what to do should you learn that your customer or one of your wires landed in a fraudulent account. Brent, can you close the poll? All right, so hour one, you have to notify the bank, and you have to initiate a SWIFT recall, if it’s international. You won’t know that at the time or just make sure that they have a fraud alert tagged on that transfer from your account to, it always goes to one account, right. You know where the money landed, and then you have to get an alert to that receiving bank that that transfer was fraudulent. The next thing you’d have to do, I’m talking immediately after, is you’d have to file an IC3 complaint. You go to IC3, and you fill out, if you’ve never seen one, I wanna show what it looks like. I can’t make this stuff up, at 4:30 p.m. yesterday afternoon, I got a phone call about another truly wire transfer payoff fraud that took place in another Southern state and was working last night with the Secret Service and the FBI to try to recover those funds. Blanked out, but I wanna show you just how quickly you need to get these things filed if you have a chance of recovery. This happens to be the report from that complaint. You can see the amount. The transaction date was just two days ago. So, guys, this stuff is just happening over and over. I wanted to highlight this for this. It was going to Wells Fargo to payoff to Freedom Mortgage, to whose lender, right, to payoff Freedom Mortgage. And what’s interesting is if you put in the routing number of this sequence that they gave, it’s actually going into Wells Fargo. So, they opened up a fraudulent, money muling account at Wells Fargo knowing that Freedom probably takes payoffs through Wells Fargo. And that it avoids that level of detection. So, anyway, the transaction type, the name on the account, you need all this information to properly start a recovery process. It’s very complicated.

This was fax swapout that came in on an updated payoff. That was the description of the incident, information about who victimized you from what you know, email wasn’t involved. If there was, you’d have to attach the email header and string, so that they can analyze that. And then, you sign, saying hey, I’m saying that this is true. I’m not trying to scam somebody, I’m trying to get my money back. That has to happen as quickly as possible. Then, proactively reaching out to the FBI, the Secret Service, if you have contacts. Here’s the challenge on this, and I hate to say it, but it’s just the truth. We had a decent chance of recovery in 2019, was a decent chance, right, where within 72 hours there was typically somebody that could jump on it, and we could claw some of that back. Now that people at banks are still working from home, our partners at the feds, regardless of the branch, are simply overwhelmed. The chance of recovery from what I’m seeing, unfortunately, is being strained. It’s going down, because the bandwidth is being exhausted. And that’s why this is hard stuff, it’s harder than it’s ever been right now. So, then contacting council if you need to. Again, looping back through the banks. You gotta be your advocate. Notifying your carriers. So those of you, I know I have some insurance underwriters and carriers that are probably wanting to mute me at this point, but I’m not. You have to notify your carrier if there’s an incident so that they can either help with recovery or take it over. And then, lastly, and I only say this because it’s really a federal issue, but you should have a police report from either a county or a local authority that takes the information down. And then, the postmortem, and again, this is hour five, this isn’t like day five, is making sure you weren’t compromised, okay. So, what’s the direct impact. This is what we’re learning is that regardless of how it happens, if it’s your fault.

I say fault but if it came out of your escrow account, or unbeknownst to you, like us, the buyer was duped into doing something, and we don’t know about it, there’s simply an out-of-pocket cost, either through opportunity cost or trying to defend your way out of a lawsuit because you have somebody that lost their life-savings in a transaction. Or now, underwriters are seeing marketable title claims, and first-lien letter and CPO claims are on wire fraud. The reputational risk, and now it’s becoming a sustainability issue. So, the title industry is incredibly fragmented. Some of you are smaller in nature, some of you are larger in nature, and that will put you somewhere on the continuum of how big of an impact, how big of a hit, you could take and still be operational after you make good on the loss. And then, just the increasing threat and sophistication of what we’re seeing. I, personally, in my professional career, I haven’t seen anything like this, unfortunately. Not that I’m surprised because of COVID. But for those of you on the phone that are CertifID customers. Again, I wanna applaud the effort. We’re actually guaranteeing over $2 billion a month with your help, of not only your funds, or buyer funds. If you’re not, I wanna spend just a couple of minutes and walk through why we developed what we developed. It’s specifically designed to take this kind of chaos and make clarity out of it that we know the funds are protected from our consumers into the escrow account and those that go out. So, what we’re seeing right now, and I hope you agree with me after this talk, is that while we’re trying to point different processes and technologies to combat against this, it’s not working at scale, right. It’s not working each and every time. And as they have adopted tools, and technology, and strategies, that’s what we did at CertifID with new insights and a fresh look, technologically, at what’s really going on. And what CertifID does, for those of you who don’t know, is it verifies identity in real time and then allows the secure transfer of wiring instructions between two parties. From you to a buyer so their life-savings ends up in your escrow account safely. Or, ultimately, from a seller back to you so the disbursement or the mortgage payoff company takes place with a level of confidence.

So, what most companies experience, and again, I really invite you to be one of those that does experience this. If you’re not, the protection of the employees, the risk met. I mean, we’ve got special programs. We need no carriers right now that we’ve love to talk to you about. Meeting the standard of care. So, I can tell you, without giving specifics, that people have been tricked, CertifID was used, and they pivot off of that conversation from council coming in, wanting to extract a pound of flesh through payment. And they said, “No, this really was a failure “at the consumer level, “I can’t write a check every time somebody gets duped “at the last minute.” And then, we do provide $1 million guarantee on all transactions. One thing new, the current customers, you realize this, but we’ve actually issued this year the country’s first ever money transfer protection program, where we have the ability now to empower the buyer to make the choice on whether or not they wanna spend a few additional dollars, make sure that that money transferred to you is a guaranteed secure transfer. And if it’s not, we provide direct reimbursement, or recovery assistance, if the money somehow, they didn’t file the instructions and somehow ends up in a fraudulent account. That’s why we built the rails to assist in fraud recovery, because we’re helping consumers that maybe have questions or need help. And we’ve been called to do that since the beginning of the year. I got a call from a buyer yesterday. She received the information, she purchased the fraud protection plan. She called me and said, “Hey, I took the call on our hotline.” And she said, “I just don’t have the number “of what to transfer.” And I said, “Look, you’re not closing for a week, ’cause I asked her, that number will come, but I wanna reiterate that the information you receive through CertifID is the only way that you can get your money by way of wire transfer to the title company. You can’t trust anything else, to underscore that. So, just from a consumer perspective. I love this quote from Kalynn, we have others. But it “makes everyone in the transaction feel more secure.” And that’s the point, right? And I think it also gives you a leg-up in your market between competitors. So, I normally don’t do this. But again, it’s just been one of those crazy, wild couple weeks.

I wanna invite you to, if you’re not using the platform, I want to invite you to use it free to the end of the month. This is kind of a no-joke state we’re in in the industry. I know we’re all trying to roll back from shelter in place, and the proclamations, and the executive orders, but I’m just standing here today saying we’re here to help, and if you’ll let us do that we could have you onboarded in less than an hour. We’ve had an amazing run this year with new companies that are kinda taking this challenge head-on. And I just wanna make sure that we’re on the right side of history with you, right. That we work together, we defend against this, you thrive in this environment versus having to have something that takes place, that maybe you just simply can’t come back from. And I hope that never happens, I’m just saying I just don’t see it going away. So, all right, I wanna answer some questions. The other thing, before I forget, connect with me on LinkedIn. Connect with the CertifID brand on LinkedIn. We’re constantly putting up infographics. I’ll do spot videos when I learn of a recovery, or a fraud vector, or some interesting article. We have over 10,000 people that are tuned in to my LinkedIn page on a daily basis. And please interact, right. We’re trying to develop a community around this issue. Yes, we happen to be offering a solve through technology, but we also are really fighting this fight alongside of you, because I am in the industry. All right, how would you best direct your closers to confirm wiring instructions? Well, first of all, there’s a playbook, Ulta has it, on how to confirm you’re a underwriter, but I’ll speak from my experience. If you’re not using CertifID, we will be able to verify the identity of the individual, and they will be able to within 60 seconds of a digital interaction that provide insights that you can’t have on a phone call to confirm, and then you’re guaranteed before you send the wire, okay. So, that’s my pivot point. It’s exactly why we created it. Short of that then you have to do what I call the triangulation of the information.

You gotta look this person up. Do I have a trusted number? Could I get a third party now to vouch for that number that I do trust? So, could I go to the real-estate agent and confirm the seller’s number? I call it the goat rodeo. So, you just enter the goat rodeo, you do everything you can. It’s gonna take you about 20 minutes, but it’s gonna keep your wire safe, potentially, if you do it right. And that’s assuming that somebody hasn’t been fully compromised with phone numbers and all this stuff being redirected. But we can help consolidate that to a 60-second experience. But again, you have to be your own kind of Colombo as you approach this in the sense that you have to absolutely skeptical of everything you’re receiving now through email or even through fax. And I know it’s really challenging but I’m speaking to myself as I say that. What are best practices for confirming mortgage payoffs? Know that we’re developing a mortgage payoff solution, and we will be launching that some time late summer, early fall. Likely, early fall. In the interim, I would just say give your people the bandwidth to spend the time, again, looking up that, we use, which is a tool that you can go in and see who the most recent servicer is. They typically have a phone number. But man, the wait times right now are incredible. And they’re even more skeptical as to why you’re calling. So, if you don’t have a borrower authorization that includes all the typical PII and loan information, you’re not getting through that gatekeeper. But again, I would be super suspect. Any hard money, mortgage payoff, we can help you with. You have to validate any new or updated fact. This is why document management in your software platform is so important that you’re tracking versions. Wouldn’t you agree, Brent? Look, if I got a payoff last week and that was from the curative of the closing department, and I’m the disbursement officer, and I see another one pop in today, that’s a hard stop. I mean, you just gotta slam the brakes. Guys, who cares about per diem costs right now? Believe me, that’s not the issue. The issue is we had a failure, and now we have to try to get that money back. Much more challenging. Was an encrypted email used in the email exchanges with the commercial broker? So, here’s the interesting about encrypted email. We have a policy that when we’re sharing PII, closing statements, blah, blah, blah. Sure, that would go encrypted. That wasn’t the problem. The problem is when they spoof you, the broker thinks that they’re communicating with you, encrypted or non-encrypted. The fraudster could use encrypted email to make that even look more credible, to go through an encrypted service. And guess what, guys? If you’re sending an email to a broker’s email that’s compromised, all that the fraudster has to do is say, “Send me a reset password.” Goes in, resets the password, and then displays your encrypted email. Am I getting that right, Brent?

– [Brent] Of course.

– He’s giving me a thumbs up. Now, I’ll tell you this: you have to use encrypted email, ’cause judges are crazy-eyed about technology that they don’t understand. And if you look at the court cases, if you didn’t use encrypted email, even though I’m showing you the vulnerabilities, you’re gonna get smoked in court. So, use encrypted email but understand the vulnerabilities with spoofing. And with totally compromised accounts, right. All right, did the fraudster open an account in the name of Sun Title? No, they didn’t. We were not compromised. We do full forensic scans every time we have an issue. What happened was, all they did is they went into that salon’s email, and they created a rule that said even though I’m wheeling this email out of the salon’s email server. It was coming out of Le Vita Spa and Day Spa. They made a rule that just said make it look like it’s coming from somewhere else. And that’s what they can do programmatically in the email header and even in the reply. But where the actual return was was back to a different account. How can they open a U.S. Bank account from Nigeria with providing IDs? So, this is a whole nother session, guys, on money muling, which I would love to do again, and I don’t mind it. They didn’t open a U.S. Bank account from Nigeria. What was shown from our friends at the Secret Service is the whole network of money muling and money laundering. And what likely happened was they’re running these scams from overseas. And they had stateside people, a lot of people that aren’t even in on the fraud, that are taking money in and sending money out under a totally different pretext, You could’ve had somebody walk into U.S. Bank thinking they were helping a charity, right, in the Boston area, which is where this last one from yesterday, where it was originating to, that they’re just moving money. And I’m moving money for a good cause. And what they don’t realize is that they’ve been duped into just unintentionally participating in a money laundering exercise internationally. The money muling network is crazy. And I learned that through our fraud.

Who would’ve been ultimately held responsible in this situation, fraud one? Okay, thank you for clarifying. The broker would’ve been, I think, just completely smoked in this thing. You received the training, you got the notices, there was a never a conversation around wire transfer, you never verified before you physically presented and represented the truth of that information. But that said, anyone with a laser printer and 200 bucks can add you to a complaint. So, the question is: what else could you have done, should you have done? And each one of these cases, we take on learnings ourselves. And we try to report that back into CertifID. ‘Cause when you become a customer, you get email templates, you get the notices. I mean, you go loud and proud on this idea that this is how this is gonna work. How often do people sue for their loss? I’ll give you the legal answer: I think that depends. It’s very typical. If they don’t sue, there’s a demand. So, it’s interesting, I’m glad you guys are staying on. There’s a whole underbelly of what we’re not aware of that’s taking place behind the curtain.

So, when I show you the pleadings, those are those that publicly saying, “Hey, I demand payment, and I was wronged.” But what about those instances where the insurance company clearly has either a phishing, or a social engineering, or a cyber crime, they got some exposure. And they’re gonna mitigate that, and we’ll never see the light of day of what really happened. So, I think, the question is probably better framed when there is a loss, how many times did checks get written? Frequently, I would say very frequently. What we’re trying to do is make sure that you and your carrier aren’t one those that are writing that. I think, in this case, the broker did not have cyber insurance, didn’t have social engineering. I mean, he admitted to the Secret Service and to us that if I gotta bring this money to close, I’m gonna bring it to close, and then hopefully we get the money back. Not too many people are in that position. All right, we’re flooded with questions, and we’re out of time. I’m gonna take the time, because I feel so passionate about this issue, and we will get answers to every single question that came in. I mean, we had a huge audience. I wanna thank everybody that hung out, even a few minutes later. If you do have a question after, you wanna sidebar me and dive deep into this, I’m available., tcronkright@certifid, that is my direct aisle. Lee’s my assistant, she’ll hunt me down. If there’s any way, seriously, that we can help and come alongside of you to make sure that, like I say, you’re gonna be on the right side of history here. We’re gonna be in that together. So, until next month, tell your friends, we’ll have as impactful information, I promise you. But seriously, stay safe, stay skeptical, and I hope to see you next month on the briefing.

Take care.


Tyler Adams

Co-Founder. Product Manager. Design Enthusiast. Amazing Racer.

Back To Top