Cyber criminals are busier than ever. Staying safe requires fraud awareness and the right business insurance coverages. Jerome Magana of SSIS Securance and Tom Weyant, Alliant National’s Risk Management & Data Privacy Officer, sit down to discuss the latest fraud trends and tips for making sure your business is positioned to recover in the event of a cyber fraud attack.
In a November report to Congress on business email compromise (BEC) and real estate wire fraud (REWF), the FBI announced enhanced efforts to put the brakes on what has become one of the most financially damaging crimes in the United States.
According to the FBI report, BEC has been the largest dollar loss by victim crime typology reported to IC3 in the past several years, with over $2.4 billion of losses in 2021.
“For comparison, the second highest dollar loss category reported to IC3 was investment fraud, with losses of approximately $1.45 billion,” the FBI reported. “In other words, dollar losses associated with BEC were over 65% more than dollar losses associated with investment fraud.”
The FBI noted in its report that criminals have been refining their exploitation of technology, especially the internet, to carry out financial crimes, logging substantial increases in internet-enabled financial frauds such as bank account takeovers, synthetic identity related frauds, money laundering through virtual currency, and BEC.
“The FBI has pivoted its approach to address this issue through gathering intelligence, utilizing advanced investigative techniques in conjunction with traditional financial crimes investigative techniques, using proactive public and private partnerships, and education and awareness campaigns,” the agency noted in the report.
Real estate wire fraud in the crosshairs
REWF is a sub-category of BEC, in which criminal actors target individuals or companies executing large wires related to real estate transactions. As our agents are aware, the criminals pose as parties to the transaction and directly communicate with the other parties to steal funds intended to pay for the real estate.
According to IC3 complaint data, victims participating at all levels of a real estate transaction have reported such activity, including title companies, law firms, real estate agents, buyers, and sellers. The FBI has specifically focused on addressing REWF due to its prevalence in the U.S. and the effect it can have on the individual victims of the REWF schemes, who may be home buyers wiring their life savings.
These schemes and the preventative measures that title agents can take have been detailed in Alliant National’s 2022 Escrow Fraud/Social Engineering White Paper.
In its report to Congress, the FBI updated its preventative measures to include the following recommendations:
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business/individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII of any sort via email.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
- Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
First published in 2017 and fully updated by Alliant National’s Compliance, Risk and Education teams, the paper provides information, tips and suggestions to help you better understand the current threat environment and create a comprehensive plan that addresses the realities we face in our industry.
Filling in the Gaps
The FBI has had considerable success in reclaiming lost funds through the IC3’s Recovery Asset Team (RAT) program, since its inception in 2018.
The RAT is designed to assist FBI field offices with the rapid recovery of funds for victims who made transfers to domestic accounts. In 2021, the RAT reported just over 1,700 incidents, with losses approaching $445 million. According to the FBI, the RAT was able to recover more than $328 million of the $445 million.
But there is more work to be done and the FBI has identified vulnerabilities which, if addressed, would bolster the ability of U.S. law enforcement to effectively address a wide range of threats, including BEC.
The first is getting access to beneficial ownership information to track funds that end up in accounts controlled by shell companies.
“The Corporate Transparency Act (CTA) provides for the creation of a national, non-public database of underlying beneficial ownership information for U.S.-registered businesses that meet specific criteria,” the FBI noted. “The data collected will be made available to U.S. law enforcement, subject to certain guardrails, offering a critical resource for identifying participants in a BEC scheme.”
On Sept. 29, the Financial Crimes Enforcement Network (FinCEN) issued the first of three rulemakings to implement the CTA, governing who must report and what information they must report to FinCEN. The final rule will take effect on January 1, 2024.
The effectiveness of this reporting requirement is as yet unknown, and there is some concern that the CTA exempts from its reporting requirements various types of entities, including trusts, which may affect efforts to identify the beneficial owners of trusts or other entities engaged in REWF.
The FBI is also recommending that UCC 4A-207 be redrafted to require banks to properly identify the name and number of the beneficiary and to determine they are in fact the same individual or entity. Currently, a bank may simply rely on the number as the identifier, without requiring a check to see if it is actually connected to the named beneficiary.
Cyber security #1 priority in 2023
As the threat from cyber criminals continues to escalate, it is imperative that our agents review their procedures for protecting client funds.
You can begin today to assess your systems and educate your staff to make sure every possible precaution has been put into place. We hope our Escrow Fraud/Social Engineering White Paper will be helpful in this work. Alliant National is committed to updating our agents to help you understand and respond to the current threat environment. Feel free to reach out to your agency representative, or any member of the Alliant National team if you have any concerns.
The Federal Bureau of Investigation (FBI) has labeled business email compromise (BEC)/email account compromise (EAC) as “one of the most financially damaging online crimes” as it is “the top cyber threat.” BEC/EAC is a scam in which fraudsters trick an unsuspecting party, typically by using a variety of social engineering and phishing tactics, into making payments to fraudulent accounts.
Since 2016, over $43 billion has been lost through BEC/EAC attacks. In 2021, U.S. losses attributed to BEC/EAC cybercrimes were reported to be almost $2.4 billion. This is more than one-third of the total cost of all cybercrimes reported to the IC3 in 2021. In a recent article from Security Magazine, the author noted that email cyberattacks have increased by 48% in just the first half of 2022. It is no surprise that the title insurance industry has been the target of fraud schemes for many years, especially with wire transfers being utilized more often.
Some common schemes we continue to see include:
- Seller Spoof – fraudsters impersonate the seller (using an email address that may only be slightly different from the original, or using the actual seller’s email), and provide alternate bank account information for the seller proceeds.
- Lender Spoof – in a transaction involving the payoff of a prior lender, fraudsters impersonate the prior lender. They often modify the original payoff provided by the prior lender (or create one) with wiring instructions for a fraudulent account.
- Buyer Beware – fraudsters pose as the settlement or real estate agent using a similar email address, and instruct the buyer to wire their down payment funds to a fraudulent bank account.
There are many ways to protect a person or a business from becoming a victim of these costly schemes. A few tips include:
- Meticulously examine the email address, URL, and spelling used in any correspondence. Fraudsters use only slight differences hoping you do not critically analyze the spelling.
- Be suspicious about opening any email attachments from someone you don’t know and be wary of email attachments forwarded to you as they may include malware or other malicious software.
- View all changes to wire instruction with extreme caution.
- Always independently verify with the company any payments or wires being sent to a third-party by contacting them at a legitimate number, and be leery of any last-minute changes to account numbers or payment procedures.
- Confirm with the intended recipient that the wire was received.
- Be extremely suspicious if the requestor is pressuring you to act quickly.
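The sender-address, URL and spelling checks from the tips above (and from the FBI recommendations earlier on this page) can be partly automated. This is an added Python example, not code from Alliant National or the FBI; the trusted-domain list, the two-edit threshold and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains already verified for the parties to this file (constructed).
TRUSTED = ("acmetitle.example", "firstlender.example")
# Character swaps commonly used in look-alike domains, folded before comparing.
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def fold(domain):
    for fake, real in SWAPS:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    host = host.lower().rstrip(".")
    # Compare the tail with as many labels as the trusted domain, so a
    # subdomain prefix does not hide a misspelled domain.
    tails = {t: ".".join(host.split(".")[-(t.count(".") + 1):]) for t in TRUSTED}
    if any(tails[t] == t for t in TRUSTED):
        return "trusted"
    for t in TRUSTED:
        # The 2-edit threshold is an assumption; flagged mail goes to a human.
        if fold(tails[t]) == fold(t) or edit_distance(tails[t], t) <= 2:
            return "lookalike of " + t
    return "unknown"

def review(raw_email):
    """Return (field, domain, verdict) for each sender or link that is not trusted."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    links = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    hosts = [("From", sender)] + [("link", urlparse(u).hostname or "") for u in links]
    findings = [(f, h, classify(h)) for f, h in hosts if classify(h) != "trusted"]
    if reply and reply != sender:
        findings.append(("Reply-To", reply, "differs from From domain"))
    return findings

# Constructed sample message, not taken from a real incident.
SAMPLE = ('From: "Acme Title Escrow" <closing@acrnetitle.example>\n'
          'Reply-To: closing@acmetitle-escrow.example\n\n'
          'New wire instructions: https://portal.acmetit1e.example/wire\n')
print(review(SAMPLE))
```

A hit from a check like this is a reason to stop and verify by phone at a known number; a clean result does not replace that call, because a compromised genuine mailbox passes every domain check.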
If you do become a victim, do not wait to take the next steps since time is critical in this process. Have a plan in place and be prepared to:
- Notify your office management.
- Notify your financial institution and the recipient’s financial institution.
- Contact local law enforcement.
- Contact your local FBI field office.
- Contact your cyber-insurance, escrow security bond, and error and omissions provider.
- File a complaint with Internet Crime Complaint Center (IC3).
- Contact your title underwriter.
With our increased dependency on technology and the pace of our industry, we cannot let down our guard – we must stay vigilant! Heed the warning that fraudsters are not slowing down or giving up on these fraudulent schemes. If you are presented with any of these situations, the key is to be able to recognize the scam and then shut it down before it can infiltrate your transaction and create a web of issues.
You can learn more about identifying and preventing fraud by downloading Alliant National’s white paper – Escrow Fraud/Social Engineering: Recent Schemes and Prevention Tips.
Escrow Fraud/Social Engineering: Recent Schemes and Prevention Tips, Alliant National Title Insurance Company
Email cyberattacks increased 48% in first half of 2022, Security Magazine: https://www.securitymagazine.com/articles/98145-email-cyberattacks-increased-48-in-first-half-of-2022
FBI – Business Email Compromise: https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise
FBI – Internet Crime Complaint Center (IC3): https://www.ic3.gov/
October evokes many things: skeletons, ghosts, pumpkins and, of course, Halloween. Yet for anyone wanting their workplace to operate efficiently and safely, October should be known for something else:
This 31-day period is a perfect reminder for businesses to review and, if needed, revise their cybersecurity strategy for the year ahead. Let’s learn more about this awareness month and how you can seize the moment to fortify your company’s cyber approach.
Where it All Began
Cybersecurity Awareness Month started in 2004 when the U.S. Congress gave October that official designation. Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead a collaborative, public-private effort to raise cybersecurity awareness nationally and internationally.
Each year, Cybersecurity Awareness Month initiatives are organized under a different theme, with 2022’s being “See Yourself in Cyber” – an urgently important message. It advocates for people to stop seeing cybersecurity as an inaccessible topic for the select few and instead view it as something in which everyone can play a role.
Four Main Pillars
According to CISA, beginning to “See Yourself in Cyber” involves acting on four key priorities, some of which we’ve already discussed on this blog:
- Adopt best practices like multi-factor authentication
- Use strong passwords
- Detect and stop phishing
- Keep programs updated
By taking these basic steps to protect your information and privacy, everyone can gain more ownership over their online life and prevent costly incidents.
Become a Cybersecurity Paragon
The silver lining when talking about cybercrime is that more attention is being paid to cybersecurity these days. A trickledown benefit of this enhanced awareness is that more resources are now available that can help even those unfamiliar with cybersecurity improve their firm’s digital defenses.
One such example is the work of CISA. Each year during Cybersecurity Awareness Month, CISA invites interested parties to join them as “cybersecurity partners.” Those that do receive a toolkit with everything they need to audit their own security posture and raise awareness within their company and industry. Elements of the toolkit include cybersecurity 101 presentations, tip sheets, content assets and much more.
Visit CISA’s website for more information and to sign up as a cybersecurity partner.
You Can Prevent Cybercrime
Do you remember seeing those U.S. Forest Service ads where the iconic Smokey the Bear would proclaim, “Only you can prevent forest fires”? You don’t have to be a marketing whiz to see the beauty of that campaign. Simple, direct and powerful, it outlines the essential role we all play in preventing a widespread problem that can carry a terrible cost if it goes unchecked.
The same message holds true for cybercrime. A ubiquitous problem that can lay waste to individuals, businesses and even entire communities, cybercrime is nothing to joke about. If you’re a small business owner, for example, one bad attack can threaten your longevity as an enterprise.
But instead of becoming intimidated and reactive, events like Cybersecurity Awareness Month can inspire us to become empowered and proactive. We can all choose to “See Ourselves in Cyber” and take action to create a safer digital community.
Employ best practices to keep your systems running smoothly.
As someone who has been in the IT game for a while now, trust me when I tell you that “updates” is a word that comes up a lot. From business networks to cybersecurity, technology never stays the same for long.
Software programs frequently require updating to the latest version. Businesses need to have a plan for keeping software current and staff apprised of workflow changes.
A quick note on software updates
I’m willing to bet that you have some experience keeping your devices current. But what really goes on during a software update?
A software update can be viewed as a sort of “patch” for the current iteration of a program. Updates typically include a set of changes designed to fix or improve upon pre-existing software, including:
- Removing bugs from code
- Fortifying security
- Providing new tools or features
- Improving effectiveness
As you can see, updating consistently is important to maximizing your software’s value. But perhaps nowhere are updates more essential than for cybersecurity. When an update comes out designed to address security vulnerabilities, time is of the essence for implementing it. If you don’t, the software may become vulnerable to malicious actors, which can jeopardize the overall effectiveness of your business.
Putting it into practice
With so much riding on keeping systems and programs current, what exactly is the best approach for ensuring that each new update is promptly installed?
There are several strategies that can keep you and your team moving forward without creating a lot more work for yourself in the process.
- Automatic updates: Whenever possible, enable automatic updates. These will keep your systems running efficiently and safeguard your business from security breaches.
- Create an inventory: While it may require some heavy lifting up front, establishing an inventory of all programs and systems can be incredibly helpful for staying on top of security updates and software patches.
- Stay apprised of update schedules: To avoid surprises, it never hurts to have familiarity with when certain vendors push out updates. Microsoft, for example, consistently puts out updates on the second Tuesday of each month. Adobe follows a similar pattern.
- Create a personal schedule: When you are running a small agency, it may be difficult to find time to take care of necessary updates while overseeing everything else that goes into a successful enterprise. One strategy to overcome this is to set aside designated time each week for carrying out this work. Be sure to make it consistent week-to-week, month-to-month, and year-to-year, and don’t waver once it is established.
- Communicate clearly: No one is an island in business, and changes to your systems and programs will impact the workflows of others. Clear and consistent information delivered before, during and after an update is critical when performing an update. Employees need to know what types of updates are going on, how long they might take and how it will ultimately impact their day-to-day activities.
- A solution for your solutions: There is an old saying that the best laid plans of mice and men often go awry, and that holds true for something like software updates. If that sounds familiar to you, it may be worth considering adopting a technological solution for your software solutions. There are many tools that can make tracking and managing your critical software updates easier. Check out this article for more on getting started.
- Hiring help: It is never a bad idea to seek out help from a professional for your IT-related needs, even if you have a small shop and minimal technology requirements. Of course, this can pose challenges for the small business owner, in that you must assess whether to bring on a full-time worker or outsource your needs to a third party like a managed service provider (MSP). Luckily, you don’t need to make this decision alone! Check out Alliant National’s blog about this topic, which you can read here.
Enjoy a secure system
The work of IT never ends, and this poses real challenges when it comes to software updates. Yet like anything else, solutions exist. Carefully planning your updates, staying hip to the latest changes and getting assistance when needed can help you strengthen the IT systems on which your business success relies.