No
one wants to learn that fraud or misuse of funds or fraudulent transfers
happened once a closing is complete, yet those events can be part of real
estate closing worlds.
Appraisals
can also prove to be undependable, as parties involved can have
less-than-legitimate agendas.
After the Exchange of Funds (regardless of the dollar amount of the loss)
Contact your
bank.
Speak with someone who has authority to
reverse or “recall” the wire. This contact may be in your bank’s fraud
department. Note: A best practice is
to identify this contact and establish a relationship with him or her before a
wire fraud incident occurs.
Make sure the bank understands you have been
the victim of a Business Email Compromise (BEC) scheme.
Request a Wire Recall or SWIFT Recall
Message.
Ask your bank to fully cooperate with law
enforcement.
Contact your
local FBI office (https://www.fbi.gov/contact-us/field-offices). The FBI has a number of protocols aimed at
freezing and retrieving funds. They will activate appropriate protocols based
upon the circumstances of the loss. The American Land Title Association has more information on the FBI’s protocol for reversing
fraudulent international wires.
Complete and
submit a Complaint Referral Form to the FBI’s Internet Crime Complaint Center (IC3). Be prepared to
provide all details related to the transaction including date, amount, the name
of your bank and the beneficiary bank, account numbers, contact information,
etc.
Contact the fraud
department at the beneficiary bank to notify them about the wire-recall request
due to the fraud. Provide details and request that the account be frozen.
Contact the
Alliant National Claims Department by first calling the Claims Manager at (303)
682-9800, ext. 425, and then follow up by emailing applicable information to Claims@alliantnational.com.
When the Money Goes Out, Minutes Count
The 48-hour period following a fraudulent
wire transfer is critical; immediately contacting your bank, the local FBI
office and submitting a complaint to IC3 as described above will increase your
chances of recovering the funds.
Since international wire
fraud has a very low chance of recovery or reversal of the wire, special
precautions are advisable, such as requiring “in-person authorization” from
only those authorized signers on an out-going international wire, and having
such precautionary requirements agreed upon with your bank.
Appraisals and appraisal reports may contain “red flags” indicating
potential fraud. “Red flags” may include, but are not limited to:
Owner of
record listed is inconsistent with other information disclosed in the loan
file.
Occupant is
identified as a tenant on an owner-occupied refinance application.
Owner-occupied
refinance transaction, but the property is vacant.
Occupant of
subject property is listed as “unknown.”
Appraiser uses
public record, exterior inspections, or property seller/builder as sole data
sources.
Illegal zoning
is checked on first page of the appraisal.
“Physical
deficiencies or adverse conditions that affect the livability, soundness, or
structural integrity box” is checked “Yes” on the first page of the appraisal.
Subject
property has increased in value in a stable or declining market.
Land value is
atypically high for the area.
Excessive
adjustments in urban or suburban area where marketing time is under six months.
Timeframe between
sales does not allow enough time for reported renovations made to property.
Loan file
contains a note with a predetermined value.
Ineligible
Condition (C5, C6) or Quality (Q6) ratings.
Blank spaces
on the form (borrower, client, occupant, etc.).
Missing photos
or maps.
Photos do not
match description of property.
House number
in photo does not match property address.
Photos do not
match the floor plan sketch (i.e. location of garage, fireplace, etc.).
Photos of
subject property taken from odd angles or with no depth of field, or have been
cropped or otherwise altered.
Photos reveal
items not disclosed in appraisal (e.g., commercial property next door, railroad
tracks, another structure on premises, etc.).
Weather
conditions in photo of property are not appropriate for the date of the
appraisal (i.e., July photo shows snow on the ground for a property in
Illinois).
“For rent” or
“for sale” sign in photo of subject property on owner-occupant refinance application.
Most recent
sale(s) and/or listing information on subject property and/or comparable
properties are missing.
Use of
unverified comparable sales (i.e., not verified through traditional data
sources such as MLS, sales office, Closing Disclosure, real estate agent,
etc.).
Use of
inappropriate comparable properties (e.g., that are not similar to the subject
property when comparable properties are present).
Excessive
distance between comparable properties and subject property.
All comparable
properties are from different town(s) than the subject property.
Lack of
bracketing with comparable sales used (e.g., all sales are significantly larger
in living area than the subject).
Appraisal is
ordered and/or prepared prior to date of sales contract or loan application.
Appraiser is located
outside of the county in which the property is located.
Sales contract “Red flags” indicating potential fraud may include, but
are not limited to:
Multiple sales
contracts exist.
Sales contract
is dated after the appraisal date.
Sales contract
is subject to an existing lease on an owner-occupied transaction.
Sales contract
includes personal property or prohibited sales concessions.
Sales price is
significantly above or below market value.
Purchase
contract addenda adjusts the sales price.
Applicant is
not shown as purchaser.
No real estate
professional involved.
Real estate
agent(s) used, but not paid a fee; or no real estate agent(s) involved at all.
Seller is a
corporation or LLC and the subject property is not new construction.
Seller is an
affiliated real estate agent, trust, relative or employer.
The parties to
the transaction are related by family or commercial enterprise.
The contract
is not dated.
Names are
deleted from or added to the purchase contract.
The contract
is an “option contract.”
The contract
was assigned or is assignable.
Earnest-money
deposit is an unusually high amount, consists of the entire down payment, or is
an odd amount.
Contract has a
very short inspection period and upon satisfactory inspection, the buyer is to
notify the settlement agent who is then supposed to transfer a large portion or
all of the deposit to the seller (scam is that 10 business days later, it is discovered
that the cashiers’ check is counterfeit after the money has been sent, and the
escrow account suffers a shortage).
Recommendation is to contact the bank or
entity issuing the cashier’s check to confirm that the cashier’s check number
and amount is valid prior to depositing the item in the account. Most banks
will confirm this by telephone. Due to the increasing occurrences of
counterfeit cashier’s checks, most banks have instituted mandatory holds on
cashier’s checks. It is not uncommon for a hold to last up to 10 days (check
with your bank to confirm their policy).
Name and
address on earnest-money deposit check is different from that of the buyer.
Earnest-money
deposit checks have inconsistent dates, for example:
Check #111 dated November 1
Check #113 dated September 1
Check #114 dated October 1
Earnest-money
check is not cashed or is not reflected on the Closing Disclosure.
(It’s a lot to say – SupercaliFRAUDulisticexpialidocious)
Email can be sinister. It can encourage changes (not
authorized, not legitimate), it can “warn” recipients of dire
circumstances if instructions are not followed, it can be shaped and branded to
look like an institution all parties are familiar with, and it can assist in
fraud that involves any number of untoward outcomes – like clients’ and
institutions’ funds being pilfered.
The U.S. Government has a
phrase for such criminal action: Business Email Compromise/Email Account
Compromise (BEC/EAC). That wordy title speaks to two crimes.
BEC scams are carried out by compromising legitimate business email accounts. The EAC component of the scam refers to the targeting of consumers and the lenders, real estate professionals, attorneys and others who serve them.
It can be daunting to try
to wrap one’s brain around every single possibility and scenario that could
trip someone up – and trick someone into giving away information that affords a
thief the opportunity to steal funds.
Below is a list that,
while not necessarily “completely memorizable” – even if studied, can
serve as a red flag for knowing when something is awry.
It can serve as warning to
be wary of the many and various paths that crooks can take to defraud
legitimate people conducting real estate transactions.
Exercise extreme caution when weighing any
request to change wire instructions. Encourage all parties to do the same.
Be wary of any email, phone call or other
communication that involves threats, high pressure language (e.g. markings,
assertions, or language designating the transaction request as “Urgent,”
“Secret,” or “Confidential,”) or warns of “dire consequences” if immediate
action isn’t taken.
Be wary of emails with missing or unusual
subject lines.
Be wary of any request to change wiring
instructions, especially any last-minute requests.
Be wary of emails that include poor spelling or
grammar, are overly formal or that are written in a style uncharacteristic of
the purported sender. Also, beware of emails that misuse industry terminology,
for instance, references to the “HUD” instead of the “Closing Disclosure”.
Be wary of any unexpected emails or requests,
including internal requests purportedly from executives or others.
Be wary of emails sent at odd hours.
Be wary of any communication seeking to confirm
information the purported sender should already have.
Beware of sudden changes in business practices.
For example, if a current business contact suddenly asks to be contacted via a
personal email address, it’s best to verify the legitimacy of the request via
other channels.
Review monthly escrow statements from the
Receiving Bank (the one holding the agent’s escrow account) as soon as
available to verify that all expected funds have actually been received.
Have a written agreement in place with the
Receiving Bank (the agent’s bank which holds the escrow account and receives
the agent’s payment order) that the Receiving Bank will match all names,
addresses, account numbers, routing number and beneficiary bank name on the
payment order with where and to whom the funds are actually sent. Or put
instructions on the payment order for the Receiving Bank to verify
authorization by matching all of this information.
Emailed transaction instructions directing wire
transfers to a foreign bank account that has been documented in customer
complaints as the destination of fraudulent transactions.
Emailed transaction instructions directing
payment to a beneficiary with which the customer has no payment history or
documented business relationship, and the payment is in an amount similar to or
in excess of payments sent to beneficiaries whom the customer has historically
paid.
Emailed transaction instructions delivered in a
way that would give the financial institution limited time or opportunity to
confirm the authenticity of the requested transaction.
Emailed transaction instructions originating
from a customer’s employee who is a newly authorized person on the account or
is an authorized person who has not previously sent wire transfer instructions.
A customer’s employee or representative emailing
financial institution transaction instructions on behalf of the customer that
are based exclusively on email communications originating from executives,
attorneys, or their designees when the customer’s employee or representative
indicates he/she has been unable to verify the transactions with such
executives, attorneys, or designees.
A customer emailing transaction requests for
additional payments immediately following a successful payment to an account
not previously used by the customer to pay its suppliers/vendors. Such behavior
may be consistent with a criminal attempting to issue additional unauthorized
payments upon learning that a fraudulent payment was successful.
Review and revisit this list of tips when
handling suspicious wire requests, before the exchange of funds takes place.
Verify all wire instructions with an alternate
method of communication.
Check emails to ensure the sender’s address has
not been altered. Fraudsters typically use email addresses that closely
resemble a seller’s (or any party’s) actual email address.
Do not open unknown or unverified hyperlinks or
downloads. Tip: Hovering your mouse over the sender’s email address may reveal
a different email address. Caution: Do not hover over unknown links within the
body of a suspect email. Security experts formerly recommended hovering as a
way to determine the validity of such links. However, newer strains of malware
may infect a computer when the user merely hovers over the link.
Delete unsolicited emails from unknown sources.
In the case of an invoice, verify any changes
in vendor payment location and confirm requests for transfer of funds.
Every year the U.S. government comes out with a growing
list of warnings on cyber fraud, real estate fraud, email fraud – the list goes
on.
Some warnings are common sense: delete suspicious-looking
emails, don’t give away banking information or social security numbers, never
wire anyone money without triple checking – and then checking again.
We’re committed to ensuring that all independent agents
have every new (and standard) information source available, even as the rules
and the threats multiply and expand almost every month.
In this first installment of a multi-part series on Flagging
Fraud, we take a look at some of the red flags involving parties to a real
estate transaction.
Red
Flags
Learn or at least become familiar with red flags that could
well indicate something is awry in any real estate transaction.
Some title fraud may be detected by agents before the
transaction closes.
Rather than memorize, regularly reviewing this list will
help you and all those involved in your transactions be aware of potential
fraudulent components:
Releases
of prior mortgages recorded before or independently of the closing of a new
loan with no source of payoff funds.
Many
recent transactions and/or re-recordings.
Recent
change in title, especially one without concurrent financing.
Releases
recorded out of sequence.
Sale
of property subsequent to or concurrent with a divorce.
Quitclaim
deeds with no consideration.
“Intra-family”
deeds.
Parties
to the transaction are affiliated.
Document
not prepared by an attorney or title company.
Document looks non-standard.
Power of attorney with Grantee signing as
Attorney-in-Fact.
Prior signatures indicate failing health or
physical deterioration followed by a healthy, strong signature.
Bargain purchases—policy amount much higher
than purchase price.
New mortgage amount much higher than purchase
price.
Property seller is an LLC/entity/corporation.
Appraisal looks questionable (e.g. indicates
recent sale/listing activity at significantly lower price; comparable sales are
previously flipped properties).
Threats are constantly evolving and your training and testing must also evolve to counter these threats and keep your defense robust.
A cyberattack is a malicious and deliberate attempt by and
individual or an organization to breach the information system of another
individual or company, seeking benefit from the disruption, ransom, or theft of
data.
This electronic threat is increasing in frequency and
complexity and has become very expensive to remediate or to recover from.
Here’s the surprise – almost 90 percent of cyberattacks are
caused or allowed by human error from the internal staff of the entity attacked.
This includes failure to follow security rules and
protocols, sharing passwords, using weak or default settings, and falling
victim to social engineering.
Even the large events such as the hacking at Equifax and
Target, were caused by failure to follow the rules regarding administrative
password settings, human error.
So whether your business is large or small, you need ongoing,
strong training and testing to counter the threats.
Recent survey results of a survey of title insurance
professionals by the American Land Title Association show a surprisingly small
amount of agents are conducting ongoing staff training, and most do it once
when they hire an employee.
This is a recipe for eventually becoming a victim of
electronic fraud.
There are simple yet effective steps to take to counter the
increasing threats by taking a strong defense, and it starts with regular
training and testing to remove or reduce the human error element.
Here is what to do to put a training and test plan into
action:
Ensure new hires are introduced to and educated on information and data security policies and procedures as well as how to protect nonpublic personal information (NPI) and sensitive information. Emphasize to them the “why” so they fully understand the shared responsibility nature. This should be a core part of their orientation and on-boarding.
Set and schedule ongoing training for all employees at every level commensurate with the size of the staff and complexity of your business. This should be monthly, quarterly or semiannually.
At a minimum, cover controls over access (passwords; pass phrases; multi-factor authentication), network and data distribution (including never using non-secured networks for conducting business such as those in cafes/hotels/airports), phishing and spear-phishing, and never use a general email service like Yahoo or Gmail when sending NPI or sensitive information; social media and social engineering.
Require security measures for smart devices (smart phones, and in particular Androids, account for a large percentage of data breaches).
Explain the implications of data loss, which includes reputational hits and potential fines and penalties and law suits.
Focus on all media forms – hardcopy as well as electronic – and include proper handling and protection from receipt through handling to secured destruction.
Training may be done with internal documents or you may use a third party to conduct the training (i.e. Data Shield; KnowBe4).
After the training, use a quiz to gauge how well your employees understood the material.
Develop or use a third party to conduct ongoing, regular internal testing such as phishing or spear phishing testing (i.e. KnowBe4 is one vendor who can provide you this tool). Depending on the results, you may then make appropriate changes and re-focus your training to deal with any weak or weaker topics or areas.
Provide a single point of contact the employee may turn to with questions or to report any suspected suspicious attempts to obtain information or data (electronic or by phone).
Keep records of the training and attendees and testing results. This will be needed to demonstrate good faith, to meet many state requirements – and it’s a best practice.
Last, keep up-to-date on emerging threats and vulnerabilities
and provide updated training to employees to be sure they understand new risks
or new controls and why they are important; employees must know how to
recognize and report threats to stay vigilant.
This will keep your training and testing current and fresh
and serve as a continual reminder to your staff.
Remember, this is a
marathon, not a sprint. Threats are constantly evolving and your training and
testing must also evolve to counter these threats and keep your defense robust.
Despite the
rising threat, recent survey results show a surprisingly small number of agents
are prepared, as most do not have a written cyber security and response plan.
A
cyberattack is a malicious and deliberate attempt by and individual or an
organization to breach the information system of another individual or company,
seeking benefit from the disruption, ransom, or theft of data – and such
attacks are increasing in numbers and complexity.
Despite the
rising threat, recent survey results show a surprisingly small number of agents
are prepared, as most do not have a written cyber security and response plan.
A written
cyber security and response plan is essential to be prepared, organized and to
execute appropriate and prompt actions when an attack occurs.
The plan
does not need to be complex. To be effective, it should be simple and clear and
present key information. It should also be built commensurate with the size of
the organization.
Key
elements of the plan must include:
Perform a risk analysis to mitigate all risks, covering administrative, technical, and physical controls. Simply put, this is what could be vulnerable, what could go wrong and what is or should be done to try to avoid or contain the threat(s).
The cybersecurity program must protect the security and confidentiality of nonpublic information, protect against threats or hazards to the security or integrity of information, and protect against unauthorized access.
Define a schedule for the retention of data and a mechanism for its secure destruction when data is no longer required.
Designate an individual, third party, or affiliate who is responsible for the information security program.
Be sure existing controls in place – access controls, authentication controls, and physical controls to prevent access to nonpublic information. Encryption (or an alternative, equivalent measure) should be in place to secure data stored on portable electronic devices and for data transmitted over an external network.
Identify and manage devices that connect to the network – a simple inventory.
Adopt secure development practices for in-house applications if applicable. Alternatively, obtain this assurance from your service provider that performs the development for you.
Use multi-factor authentication to prevent unauthorized accessing of nonpublic information.
Regularly test and monitor systems for actual and attempted attacks, maintain audit trails, and implement measures to prevent the unauthorized destruction or loss of nonpublic information.
Keep up-to-date on emerging threats and vulnerabilities and provide ongoing training to employees to be sure they understand existing controls and why they are important; employees must know how to recognize and report threats.
The
response plan must include the following elements to be effective:
Date of the cybersecurity event.
A description of how the information
was exposed, lost, stolen, or breached,
including the specific roles and responsibilities of third-party service
providers, if any.
How the cybersecurity event was
discovered.
Whether any lost, stolen, or breached
information has been recovered and if so, how this was done.
The identity of the source of the
cybersecurity event.
Whether you filed a police report or
notified any regulatory, governmental or law enforcement agency and, if so,
when such notification was provided and by whom.
A description of the specific types
of information acquired without authorization, which means particular data
elements including, for example, types of financial information, or types of
information allowing identification of the consumer.
Time period during which the
information system was compromised by the cybersecurity event.
The number of total consumers
affected by the cybersecurity event, or a best estimate.
The results of any internal review
identifying a lapse in either automated controls or internal procedures, or
confirming that all automated controls or internal procedures were followed.
A description of efforts being
undertaken to remediate the situation which permitted the cybersecurity event
to occur.
Don’t wait until an event occurs. It’s a chaotic time full of financial
and emotional high stress. Do it now and provide yourself the peace of knowing
you are prepared.
