Posts Tagged ‘Escrow Security’

Partners in Wire-Fraud Protection: The Escrow Account Holder and the Bank

Wire fraud is a HUGE problem that only keeps getting bigger and bigger.

In fact, U.S. Representative Randy Hultgren (R-III) wrote a letter to Fed Chairman Jerome Powell on June 29th urging the Fed to be more proactive in regard to wire fraud and real estate transactions. The letter referenced the United Kingdom’s system of matching payees’ names as a possible solution to the problem of wire fraud.

However, we don’t have to wait until a federal law is passed that orders banks to match the payee name on the wire transfer payment to name on the payee’s destination bank account (“Beneficiary Bank”).

As title and escrow agents, we can be proactive and in partnership with the banks with which we do business.

So, what can we do right now?

First, we can know what our Agreement with our Escrow Account Bank says.

Does your Bank Agreement say that your bank will check the payee’s name with the name on the destination account when a wire fund transfer is initiated?

Or, does it say your bank need only rely upon the account number it was provided in the wiring instructions order? The answers to these questions might lead to an opportunity to have a discussion with your partnering Receiving Bank.

We can also send the wire instructions on the payment order, with explicit directions that acceptance be restricted to match the designated payee’s name on the Beneficiary Bank account. If it doesn’t match, then do not send the funds.

Lastly, if something does go wrong despite our best efforts and precautions, then notify both the Beneficiary Bank and the Receiving Bank as soon as possible. Typically, banks require notification of an unauthorized transfer or error within a defined time period such as, for example, thirty or sixty days.

Aside from any contractual or legal requirement for early notification, the sooner the problem is communicated, the greater the odds of the bank being able to halt or pull back the wire funds transfer.

For a great explanation of how a wire fund transfer works behind the scenes, view “Funds Transfer Law and Unauthorized Payment Liability.”

Think Email Fraud is the Only Hack Tactic? Think Again.

Criminals today have broadened their tools and tactics in their quest to divert escrow funds by tricking us and others in the real estate transaction into accepting falsified wiring instructions.

Remember when wire fraud was just about bogus emails?

Email is no longer their only weapon. We’re hearing about two non-email tactics fraudsters are using.

Fax Scams

Many view faxing as more secure than email because “you can’t hack a fax.” (Actually, hackers have apparently figured out how to compromise networks using the fax machine as an entry point ). But criminals don’t need to hack a fax line or a fax machine to interject themselves into the communications chain.

So, how do they do it?

Some businesses use third-party services that allow faxes to be sent and received from an email account. Just like email, these services have login credentials that must be protected. If criminals can obtain the account credentials, then they can monitor, intercept and alter fax transmissions that may contain wiring instructions.

Of course, criminals don’t even need account credentials to send you a bogus fax. They only need the tools and time to create a convincing looking document (as Dwight from NBC’s The Office found when Jim, his arch nemesis, started sending him faxes from himself … from the future ).

There’s nothing magical about thwarting fax scams. We simply need to apply the good information-security principles that we apply to other communications channels.

Just like an email account, a third-party fax account should have a strong password. Of course, it’s harder for the criminals to figure out account passwords if they’re changed regularly and if the same password isn’t used for multiple accounts.

As with emails, it’s best to look over faxes with a critical eye just to make sure everything appears as it should. If a fax has wiring instructions, the safest course is to follow up by telephone using a known number — not a number that appears on the fax.

Phone Scams

Relatedly, scammers are figuring out that our industry has become very good at using the telephone to verify wiring instructions, and they have added telephone scamming to their repertoire of fraud tactics.

The phone is definitely a potential attack vector; we know of one instance where a criminal called a title agent and faked a consumer’s accent in an attempt to divert a wire.

Some simple technologies even allow fraudsters to spoof phone numbers. So a criminal could call you, but make it look like the call was coming from someone legitimately involved in the transaction. The American Land Title Association (ALTA) and Thomas Cronkright, chief executive officer of CertifID, discussed this technology and its potential implications in a recent ALTA blog post .

As with the fax, it’s important to remember that the phone is not always a safe communication channel. Anyone can call a title agent pretending to be someone else; and if that scammer happens to have already compromised an email account — for instance, the consumer’s account — they may have sufficient transactional and personal information to spin a very believable tale.

But just like with fax scams, policies and procedures can be a big help to thwart potential phone scams. A best practice is to establish challenge questions or PIN numbers with consumers up front, and let consumers know you’ll be using these and other methods to verify the identities of those involved in the transaction when speaking by phone.

Of course, PIN numbers and challenge question answers should never be sent via email.

The threat from fraudsters is great, and no one policy or technology solution will ensure the safety of escrow funds in all cases. Alliant National has produced a white paper on escrow fraud as part of our ongoing effort to inform agents about the threats we all face.

We’ve also produced a number of infographics with escrow security tips that you can share with your staff, consumers and others.

Click here to view the report.

Easy step to help prevent wire fraud

Matching the payee name on wire transfer with name on payee’s destination bank account can help prevent wire fraud

Wire fraud is a HUGE problem that only keeps getting bigger and bigger. In fact, U.S. Representative Randy Hultgren (R-III) wrote a letter to Fed Chairman Jerome Powell on June 29th urging the Fed to be more proactive in regard to wire fraud and real estate transactions. The letter referenced the United Kingdom’s system of matching payees’ names as a possible solution to the problem of wire fraud.

However, we don’t have to wait until a federal law is passed that orders banks to match the payee name on the wire transfer payment to name on the payee’s destination bank account (“Beneficiary Bank”). As title and escrow agents, we can be proactive and in partnership with the banks with which we do business.

So what can we do right now? We can know what our Bank Agreement says with our escrow account bank (the “Receiving Bank”).

Does the Bank Agreement say that the Receiving Bank will check the payee’s name with the name on the destination account when a wire fund transfer is initiated?

Or, does it say that the Receiving Bank need only rely upon the account number it was provided in the wiring instructions order? The answers to these questions might lead to an opportunity to have a discussion with your partnering Receiving Bank.

We can send the wire instructions on the payment order, with explicit directions that acceptance be restricted to match the designated payee’s name on the Beneficiary Bank account. If it doesn’t match, then do not send the funds.

Lastly, if something does go wrong despite our best efforts and precautions, then notify both the Beneficiary Bank and the Receiving Bank as soon as possible. Typically, banks require notification of an unauthorized transfer or error within a defined time period such as, for example, 30 or 60 days.

Aside from any contractual or legal requirement for early notification, the sooner the problem is communicated, the greater the odds of the bank being able to halt or pull back the wire funds transfer.

For a great explanation of how a wire fund transfer works behind the scenes, view “Funds Transfer Law and Unauthorized Payment Liability.”

Embracing What If

By now, you’ve probably heard the well-worn cybersecurity platitude, “it’s not if you get hacked, it’s when.” Kind of a downer.

Really, that statement is about getting us to seriously consider the “what if.” For instance, “what if I suffered a data breach;” or, “what if, despite my best efforts, a criminal somehow managed to divert a wire to a fraudulent account?”

Thinking about the “what if” is uncomfortable, particularly when it comes to wire fraud. We spend most of our time and effort figuring out how to avoid the “what if” scenario.

The thing is, when it comes to attempted wire fraud, experience tells us that title agents who’ve spent time planning for “what if” are the ones who tend to get the money back.

Don’t even hover your cursor over unknown or unverified links to stay safe from wire fraud

The title and settlement industry is blessed with great people, and that makes sense because our industry is built on being helpful.

We all want a smooth, efficient transaction for everyone involved. Unfortunately, our desire to be helpful and to keep things moving makes us a prime target for wire fraud.

So, how careful do we need to be when verifying the legitimacy of an email or even an incoming phone call?

Very careful.

Fraudsters know about us. They know how busy we can be, and they know how to prey on our traits to overcome our data and escrow security training.

They aren’t just looking to trick us. They aren’t practical jokers. They are truly insidious “social engineers.”

They use every scrap of information they can find, every pretext they can imagine and all the dark arts of the hacker to whittle down our firewalls — electronic and human. For the overseas criminal, wire fraud is a low-risk, high-reward strategy. Until that changes, the threat will persist.

We need good policies and procedures to address the threat, but even this isn’t enough. Anyone who’s been hit with a wire fraud loss will tell you that fraudsters can find ways to keep people from following the best policies and procedures.

Addressing this kind of threat requires something additional — a healthy dose of skepticism for one. But more than this, each member of the team needs to feel a sense of empowerment.

Each one of us has the ability to hand over the “keys to the kingdom” when it comes to data and escrow security, so each one must also feel empowered to pause the process when any suspicion of fraud arises.

Here are a few steps you and your team can take when an email or other communication just doesn’t feel right:

  • Go with your gut: Don’t hesitate to pause the process if you suspect fraud.
  • Do not give in to pressure: If you feel threatened or pressured by any communication, treat this as a red flag and immediately escalate the situation to management.
  • Don’t trust — verify: Verify via telephone the legitimacy of any wire instruction, or any suspect communication. Encourage all parties to the transaction to do the same.
  • Don’t click: Do not open or hover your cursor over unknown or unverified hyperlinks.
  • We’ve developed an infographic outlining these tips, and we encourage you to share it with your team and post it in your office. We hope that by discussing these simple steps, each person in our office will feel a sense of empowerment when it comes to protecting sensitive data and escrow funds.

    Alliant National recently produced a white paper on escrow fraud as part of our ongoing effort to inform agents about the threats we all face. The paper provides information on how we can work with all parties to the transaction to reduce the risk of escrow fraud. Along those lines, I’ll be back next week with a post exploring how working with your bank in advance can be a real life saver if a wire is ever diverted.

This blog contains general information only, not intended to be relied upon as, nor a substitute for, specific professional advice. We accept no responsibility for loss occasioned to any purpose acting on or refraining from action as a result of any material on this blog.

ABOUT US

We have a staff of nearly 80 dedicated professionals now, with diverse skill sets and backgrounds, who share a desire to help people and their businesses thrive.
OUR COMPANY

OUR MISSION

Protect the dreams of property owners with secure title insurance provided through the finest independent agents in a trusted partnership.

CONTACT US

For more information about Alliant National or to get in touch with one of our representatives, please drop us a line.
Contact Us

  • EBOOK

    SHIFT HAPPENS Mitigating Threats to
    your Independent Title Agency

    Download Your Free EBOOK