Business E-mail Compromise Scams are on the Rise, and We’re All Being Targeted

A sales transaction had just closed at an office where Shannon McNair, compliance officer for Long & Foster Settlement Services, was working one day, when a staff member answered the telephone. On the other end was a man claiming to be their customer, the one who just left with a check.

“He said he changed his mind, he wanted them to wire the money to an account instead of having a check,” McNair said. Of course the office staff wouldn’t handle such a sudden change over the phone. When they called the client back using the phone number on file, he confirmed what they suspected: the client hadn’t made that request.

If you’re in the real estate or title industry, you have a bigger target on your back than most when it comes to what the FBI calls Business Email Compromise (BEC) or Email Account Com­promise (EAC) fraud.

In most cases, the perpetrators break into email systems and monitor correspondence about transactions. Then, posing as one of the parties, the bad guys use information they’ve stolen to make changes to account numbers or payment methods to divert the money. Once the funds slip away, real estate and settlement professionals say, it can be difficult or impossible to get it back.

How likely is it to happen to you? According to the FBI, it’s increasingly so. The agency’s complaint center for internet crimes saw a 480 percent rise in complaints about this type of crime from title companies in 2016, and for 2017 the trend seems to be continuing. From October 2013 to December 2016, these scams resulted in losses worldwide of $5.3 billion in 40,203 reported incidents.

The onslaught of occurrences prompted the American Land Title Association recently to urge the federal Consumer Financial Protection Bureau to warn consumers about wire fraud schemes during real estate closings.

“Despite efforts by the title industry and others to educate consumers about the risk, homebuyers continue to be targeted,” Michelle Korsmo, ALTA’s chief executive officer, said in a news alert to her members in April.

Long & Foster’s family of settlement companies adheres to ALTA’s best practices, which stipulate that members have programs and procedures in place to protect non-public personal information, as the law requires.

RGS Title, for example, gives clients very specific instructions about closing and assures them that the company will never make a last-minute change, or any change, without securely verifying identities and accounts, said Don Tomlinson, RGS regional vice president.

Verifying identities and account numbers more than once at every step is now the standard at RGS, he said.

While the industry works to raise awareness about the prevalence of online predators, there are measures everyone can take to increase secu­rity. First, make sure to work with a title company that has safeguards in place to verify clients’ iden­tities and accounts multiple times before pushing transactions through. Ask what measures they are taking to keep transactions safe and whether they follow industry best practices.

Second, companies and individuals can take steps to keep their personal information out of bad guys’ hands, especially when it comes to email security. Using secure networks and strong passwords are two simple security measures that help thwart thieves, said Jim Carroll, director of technology at The Long & Foster Companies.

People who intend to do harm often break in by getting you to open an email that looks like it’s from someone you know. Delete those and never click any link you’re not sure about. When in doubt, Carroll said, ask the Help Desk.

Keep from Becoming a Victim

The FBI issued an announcement recently cautioning those who use wire transfer payments to watch out for scams in which online thieves break into e-mail, steal personal data and attempt to divert money into their own accounts.

Here are some of the suggestions the FBI offers for protecting yourself:

  • Avoid using free web-based e-mail accounts (Gmail, Yahoo, etc.) to do business.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures, including use of a two-step verification process. For example, establish other communication channels, such as telephone calls, to verify significant transactions, and do it outside of e-mail so hackers won’t know.
  • Immediately report and delete unsolicited e-mail (spam) from unknown parties. Do not open spam e-mail, click on links in the e-mail or open attachments. These often contain malware that will give subjects access to your computer system.
  • Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.

A complete list of self-protection strategies is available on the United States Department of Justice website in the publication titled “Best Practices for Victim Response and Reporting of Cyber Incidents.” Source: