Think Email Fraud is the Only Hack Tactic? Think Again.
Criminals today have broadened their tools and tactics in their quest to divert escrow funds by tricking us and others in the real estate transaction into accepting falsified wiring instructions.
Remember when wire fraud was just about bogus emails?
Email is no longer their only weapon. We’re hearing about two non-email tactics fraudsters are using.
Many view faxing as more secure than email because “you can’t hack a fax.” (Actually, hackers have apparently figured out how to compromise networks using the fax machine as an entry point.) But criminals don’t need to hack a fax line or a fax machine to insert themselves into the communications chain.
So, how do they do it?
Some businesses use third-party services that allow faxes to be sent and received from an email account. Just like email, these services have login credentials that must be protected. If criminals can obtain the account credentials, then they can monitor, intercept and alter fax transmissions that may contain wiring instructions.
Of course, criminals don’t even need account credentials to send you a bogus fax. They only need the tools and time to create a convincing-looking document (as Dwight from NBC’s The Office found when Jim, his archnemesis, started sending him faxes from himself … from the future).
There’s nothing magical about thwarting fax scams. We simply need to apply the good information-security principles that we apply to other communications channels.
Just like an email account, a third-party fax account should have a strong password. Of course, it’s harder for the criminals to figure out account passwords if they’re changed regularly and if the same password isn’t used for multiple accounts.
As with emails, it’s best to look over faxes with a critical eye just to make sure everything appears as it should. If a fax has wiring instructions, the safest course is to follow up by telephone using a known number — not a number that appears on the fax.
Relatedly, scammers are figuring out that our industry has become very good at using the telephone to verify wiring instructions, and they have added telephone scamming to their repertoire of fraud tactics.
The phone is definitely a potential attack vector; we know of one instance where a criminal called a title agent and faked a consumer’s accent in an attempt to divert a wire.
Some simple technologies even allow fraudsters to spoof phone numbers. So a criminal could call you, but make it look like the call was coming from someone legitimately involved in the transaction. The American Land Title Association (ALTA) and Thomas Cronkright, chief executive officer of CertifID, discussed this technology and its potential implications in a recent ALTA blog post.
As with the fax, it’s important to remember that the phone is not always a safe communication channel. Anyone can call a title agent pretending to be someone else; and if that scammer happens to have already compromised an email account — for instance, the consumer’s account — they may have sufficient transactional and personal information to spin a very believable tale.
But just as with fax scams, policies and procedures can go a long way toward thwarting potential phone scams. A best practice is to establish challenge questions or PINs with consumers up front, and let consumers know you’ll be using these and other methods to verify the identities of those involved in the transaction when speaking by phone.
Of course, PINs and challenge question answers should never be sent via email.
The threat from fraudsters is great, and no one policy or technology solution will ensure the safety of escrow funds in all cases. Alliant National has produced a white paper on escrow fraud as part of our ongoing effort to inform agents about the threats we all face.
We’ve also produced a number of infographics with escrow security tips that you can share with your staff, consumers and others.