The digital revolution has transformed the real estate world, just as it has most industries.
Unfortunately, this transformation has been accompanied with another trend - the evolution and rise of cybercrime. And this is where real estate is different from most other businesses. The large dollar amounts that are routinely exchanged in most transactions make the real estate sector particularly attractive and lucrative for cybercriminals.
The spike in fraud activity is so explosive that it’s hard to fathom. According to new data provided by the FBI, in 2017 nearly $1 billion was “diverted or attempted to be diverted” from real estate purchase transactions and wired to “criminally controlled” accounts. That figure is up from 2016, when the FBI counted just $19 million in wire transfer fraud affecting homebuyers.
The BEC Scam
The most common type of real estate fraud is based on so-called “phishing” attacks that involve a business email compromise (BEC) scam. In this ploy, criminals gain access to the title company's or escrow agent's email account. They then track upcoming purchases scheduled for settlement.
As the settlement date approaches, the scammers pose as the title or real estate agent whose email they have hijacked. They then instruct the homebuyer or the closing attorney to wire funds to the criminal’s own bank accounts. They withdraw the money and vanish.
Since wire transfers are an immediate form of payment, it is almost always irreversible – even though it’s blatant fraud.
Both the buyers' and sellers' attorneys have escrow accounts and disburse funds from them. The largest disbursement is from the buyer to the seller for the actual purchase, but there are realtors, taxes, title insurance, and so on, that are each paid from these accounts. Fraudsters have the potential to impersonate any of the parties involved in the transaction to get the escrow agent (or attorney) to change wire instructions.
It’s Everyone’s Responsibility
And it’s not just about the money that’s been lost. There remains the matter of the legal liabilities that then come into play. Even though the title company’s or agent’s emails were hacked by the criminals, making them a victim, there have been recent court cases where these agents have been held liable for the fraud.
New laws have been passed and they are clear - potentially, all or any of the participants in a real estate transaction are now vulnerable both in terms of financial loss as well as legal liabilities.
How can you protect yourself and your organization?
For the most part, today’s prevention recommendations tend to focus on the insecure nature of email accounts and on the need to verify wire instructions directly with the receiving party ahead of transferring any funds.
These tactics are cumbersome at best and do not scale when it comes to addressing the issue for a large number of transactions. No amount of education and training can completely eliminate the human factor of susceptibility. And having to verify instructions every time a disbursement is conducted imposes an additional delay – not to mention the inconvenience of having to do it in the first place.
We Need to Flip the Model
Let’s look at the problem a different way. From a high level, it’s clear than any solution must take the following into account:
Email accounts can often be compromised and imposters can assume the identities of any of the parties in a typical real estate transaction.
With the multitude of emails going back and forth, it is possible that last minute changes to wire transfer instructions may go unnoticed.
There is an absolute need to verify the wire transfer instructions with the recipient ahead of disbursement.
So, the key lies in developing a mechanism that allows a legitimate recipient to share the wire transfer instructions in a manner that cannot be compromised. We need to flip the model so the recipient controls the transaction.
When disbursements need to be made, the recipient should generate a “code” to verify the wire transfer instructions. Using a smart phone app, a legitimate recipient can securely provide account information, identification and transfer amounts in the code. The code can then be shared in any manner, including email.
When it comes to making the disbursements, a simple electronic check via a web service tells the person making the payment whether the information is authorized and digitally signed by the correct recipient. This eliminates any possibility of fraudsters impersonating the recipient and modifying the details of where the funds are to be deposited.
The fact that the code is digitally signed via encryption ensures that the transfer instructions have not been modified during the period from when it was generated to when it was used. This significantly enhances the integrity of the transaction.
The fact that the service is implemented via a smartphone app and a cloud-based validation service makes it feasible to be widely adopted and rapidly deployed. This provides the scalability to manage a large number of transactions in a secure manner.
Another benefit of this approach is that it provides strong documentation and accurate controls. From a tracking perspective, the system basically provides a complete audit trail of a transaction and is self-documenting. There is no additional need to maintain copies of every step of the process.
If you are a real estate lawyer, you may be interested in attending this year’s annual meeting of the American College of Real Estate Lawyers (ACREL) to be held in New Orleans, October 18-21. The topic of skyrocketing fraud is expected to be on the agenda.