Dig­i­tal De­cep­tion

Post-cri­sis mea­sures made it harder for rogue bor­row­ers and em­ploy­ees to com­mit fraud. Now, a new threat has emerged: Scam­mers pos­ing as ti­tle agents, real es­tate pro­fes­sion­als and more

National Mortgage News - - Contents - BY BRAD FINKEL­STEIN

Post-cri­sis mea­sures made it harder for rogue bor­row­ers and em­ploy­ees to com­mit fraud. Now, a new threat has emerged: Scam­mers pos­ing as ti­tle agents, real es­tate pro­fes­sion­als and more

In Grand Haven, a small re­sort town nes­tled on the eastern shore of Lake Michi­gan, a home­buyer walked into his credit union. It was an un­sea­son­ably warm, but pleas­ant, Oc­to­ber af­ter­noon in 2016, with a slight breeze com­ing off the lake.

The home­buyer brought with him an email he’d printed out, con­tain­ing in­struc­tions for wiring about $50,000 in clos­ing costs to Sun Ti­tle, the set­tle­ment com­pany that was co­or­di­nat­ing his pur­chase of a home the next morn­ing.

At first glance, the email ap­peared per­fectly nor­mal, down to the use of Sun Ti­tle’s logo in the email sig­na­ture. The con­tents of the mes­sage were seem­ingly in­nocu­ous, as the home­buyer had been ex­pect­ing the wire in­struc­tions and was look­ing for­ward to fi­nal­iz­ing the trans­ac­tion.

But the re­al­ity was far more sin­is­ter and the po­ten­tial out­come even more dis­as­trous, had it not been for an ea­gle-eyed man­ager at the credit union.

Some­thing was off about the email, the man­ager no­ticed. While the sender’s name matched the Sun Ti­tle em­ployee who had been work­ing with the home­buyer, the mes­sage came from an ac­count

with an “i” where the “l” should have been. @sun­ti­tie.com,

So the credit union man­ager and home­buyer called Sun Ti­tle to con­firm the de­tails. They quickly dis­cov­ered the wire in­struc­tions hadn’t ac­tu­ally come from Sun Ti­tle, but rather from a fraud­ster at­tempt­ing an elab­o­rate con known as a busi­ness email com­pro­mise scheme.

“It never should have been caught,” said Sun Ti­tle CEO Tom Cronkright. “We should have been hit re­ally hard for that one.”

Dig­i­tal pro­cesses have rev­o­lu­tion­ized the en­tire home buying ex­pe­ri­ence by mak­ing it faster, cheaper and more trans­par­ent. But it’s also opened the door to new types of fraud that ex­ploit the in­creas­ingly vir­tual na­ture of these trans­ac­tions.

The in­dus­try has worked tire­lessly to stamp out fraud com­mit­ted by ne­far­i­ous bor­row­ers and rogue em­ploy­ees. Un­der­writ­ing tools that rely on in­de­pen­dent data have re­placed pa­per-based ver­i­fi­ca­tions, mak­ing it harder for mis­rep­re­sen­ta­tions to slip past lenders.

But busi­ness email com­pro­mise and sim­i­lar schemes stand apart from more tra­di­tional forms of mort­gage fraud be­cause the per­pe­tra­tors don’t typ­i­cally have a con­nec­tion to the sub­ject prop­erty or par­ties in­volved in a trans­ac­tion. It’s a dis­tinc­tion that’s largely caught the in­dus­try off guard, even among pro­fes­sion­als ac­tively on the look­out for it.

All told, the thwarted in­ci­dent in­volved less than an hour of real-time com­mu­ni­ca­tion be­tween the fraud­ster and the trans­ac­tion’s le­git­i­mate par­ties, but the scheme had been put in mo­tion months be­fore the sit­u­a­tion came to a head in the lobby of the credit union.

It be­gan with a suc­cess­ful phish­ing scam tar­geted at the real es­tate agent who would go on to rep­re­sent the Grand Haven home­buyer. That let the fraud­ster tap into the agent’s email ac­count and mon­i­tor com­mu­ni­ca­tions with clients.

Us­ing in­for­ma­tion gleaned from the email sur­veil­lance, the fraud­ster set about cre­at­ing fake email ac­counts for both the home­buyer and Sun Ti­tle.

The fraud­ster laid low un­til the morn­ing of Oct. 17, when a mes­sage was sent us­ing the real es­tate agent’s email ac­count to Sun Ti­tle’s escrow of­fi­cer, Cronkright said. It asked that Sun Ti­tle send wire in­struc­tions to the home­buyer for the next day’s clos­ing.

How­ever, the fraud­ster pro­vided a fake email for the buyer; after the in­for­ma­tion was sent, the fraud­ster sent a con­fir­ma­tion that it was re­ceived, which gave Sun Ti­tle com­fort it was deal­ing with the right party, he said. Mean­while, the scam­mers sent their own in­struc­tions to the buyer us­ing the “Sun­ti­tie.com” email ad­dress.

Thank­fully, no funds were lost to the fraud­u­lent scheme and the buyer still fi­nal­ized his pur­chase, us­ing a cashier’s check to pay the clos­ing costs. But just a year ear­lier, Cronkright and his Grand Rapids, Mich.-based com­pany were not so lucky when they were the tar­gets of a less so­phis­ti­cated scheme.

In the spring of 2015, Cronkright’s part­ner, Lawrence Duth­ler, re­ceived what looked like a nor­mal busi­ness email con­tain­ing wiring in­struc­tions for the earnest money de­posit on a com­mer­cial prop­erty sale.

As part of the scam, the buyer gave Sun Ti­tle a cashier’s check for $185,000 to de­posit into the set­tle­ment agency’s escrow ac­count. A clause in the sales con­tract called for the seller to re­ceive the earnest money be­fore the clos­ing, after the buyer had com­pleted a due dili­gence re­view on the prop­erty.

The pro­vi­sion was un­com­mon, as funds are nor­mally held un­til clos­ing. But it wasn’t rad­i­cally un­usual and since it was con­tained in the sales con­tract, Sun Ti­tle obliged with the re­quest.

The check was de­posited in Sun Ti­tle’s escrow ac­count, and the ini­tial in­di­ca­tion was that it had cleared. Sun Ti­tle moved for­ward with the wire trans­fer to the prop­erty seller.

A few days later, Cronkright and Duth­ler dis­cov­ered the check, is­sued by an out of state fi­nan­cial in­sti­tu­tion, had bounced and Sun Ti­tle had lost $180,000.

“After the fraud took place, we learned the buyer’s iden­tity had been stolen and the per­pe­tra­tors were us­ing that to de­fraud us,” said Cronkright.

A sub­se­quent in­ves­ti­ga­tion re­vealed a sim­i­lar scam us­ing the same stolen iden­tity in five other states. Cronkright now suspects the seller — who le­git­i­mately owned the prop­erty, but had bor­rowed heav­ily against it — was in ca­hoots with the buyer on the fraud­u­lent scheme. “They did a re­ally good job — even back in 2015 — to con­vince us we were deal­ing with the right peo­ple all along,” Cronkright said.

The prop­erty has since been seized by au­thor­i­ties, Cronkright said. The part­ners con­trib­uted $90,000 each to re­place the stolen funds. It took them two years of ef­fort to track down the miss­ing funds, start­ing with the email trail.

“Through lit­i­ga­tion or fi­nesse, any data point or name we could get out of any­one that had vis­i­bil­ity to where the funds went, we went after them,” Cronkright said.

The search spanned six coun­tries, but its re­cov­ery ef­forts were based in the U. S. The bulk of the money re­cov­ered “was vol­un­tar­ily sent back with [the scam­mers’] con­sent through the banks,” al­though the rest was re­cap­tured through civil lit­i­ga­tion, Cronkright said.

The mort­gage in­dus­try is a ripe target for busi­ness email com­pro­mise schemes be­cause of the in­creased pres­ence of pub­licly avail­able data about real es­tate list­ings and sales.

Within 48 hours of a home go­ing up for sale, the list­ing is syn­di­cated across myr­iad mul­ti­ple list­ing ser­vices and real es­tate web­sites. After it goes un­der con­tract, the prop­erty’s sta­tus is changed to pend­ing sale. That helps out­siders — in­clud­ing peo­ple not in the United States — per­fectly time when they weasel into trans­ac­tions.

Mean­while, dig­i­tal com­mu­ni­ca­tion has re­moved much of the per­sonal con­nec­tion be­tween the play­ers in a real es­tate deal. Par­tic­i­pants might rarely, if ever, meet face-to-face, in­creas­ing the fraud risk be­cause they do not know each other. “Mort­gage fraud is al­ways there. There is a sig­nif­i­cant po­ten­tial for fraud in a real es­tate trans­ac­tion be­cause that’s where the money is,” said Re­becca Walzak, pres­i­dent of rjbWalzak Con­sult­ing. But the “per­cent­age of those com­mit­ting fraud is shift­ing to­wards out­siders. Out­siders are in­ter­ested in the money more than the prop­erty.” Mort­gage lenders fo­cused on the tra­di­tional fraud scams in orig­i­na­tions, said Ann Ful­mer, pres­i­dent of Pal­adin Ad­vi­sory Ser­vices. Peo­ple still mis­rep­re­sent their in­tent to oc­cupy and their source of funds. But the in­dus­try wasn’t pre­pared to deal with out­siders di­vert­ing money with busi­ness email com­pro­mise schemes.

A small mea­sure of suc­cess was seen in June when fed­eral en­force­ment agen­cies made 74 ar­rests and were able to seize $2.4 mil­lion of ill-got­ten gains and dis­rupt or re­cover an ad­di­tional $14 mil­lion from BEC. Among the vic­tims were ti­tle com­pa­nies and real es­tate at­tor­neys.

“They did a re­ally good job — even back in 2015 — to con­vince us we were deal­ing with the right peo­ple all along.” — Tom Cronkright, CEO Sun Ti­tle

Show­ing the global na­ture of BEC crime, 29 of those peo­ple ar­rested were in Nige­ria with one each in Canada, Mau­ri­tius and Poland. There were re­ported losses of $ 3.8 bil­lion from 44,007 vic­tims of BEC and a re­lated fraud called email ac­count com­pro­mise since 2013, when the Fed­eral Bu­reau of In­ves­ti­ga­tion’s In­ter­net Crime Com­plaint Cen­ter — known as IC3 — started track­ing these schemes. In the first quar­ter of 2018, there were 4,081 vic­tims with re­ported losses of $685.2 mil­lion.

For the first five months of this year, ad­justed losses from real es­tate-re­lated BEC were $ 46.1 mil­lion, nearly equal­ing the amount for all of 2016 and is on pace to match the $111.2 mil­lion for 2017, the FBI said. Ad­justed losses for all BEC fraud last year was $675 mil­lion.

“The good news in those num­bers is that it also re­flects a grow­ing aware­ness and recog­ni­tion. Now you just have to turn to preven­tion,” Ful­mer added.

Be­sides the money lost to the scam­mers, lenders face the added risk of be­ing sued by con­sumers af­fected by the fraud.

“All of us in the trans­ac­tion have a duty to pro­tect the con­sumers,” said Cronkright.

How­ever, there are some at­tor­neys who are look­ing to cre­ate a le­gal obli­ga­tion on the the­ory the vic­tim lost money and some­one has to pay, he added.

In one case, James and Can­dace Butcher sued En­voy Mort­gage, Wells Fargo (where their bank ac­count was), Land Ti­tle Guar­an­tee and Kent­wood Real Es­tate after be­com­ing vic­tims of a BEC scam in­volv­ing nearly $273,000, ac­cord­ing to me­dia re­ports.

The case was filed in the Den­ver District Court in June 2017; a pub­lic records search said it was closed on March 12, with no other dis­po­si­tion listed. En­voy and the Butch­ers’ at­tor­ney did not re­spond to re­quests for com­ment.

The vic­tims of most BEC frauds never see their money again. Sun Ti­tle was lucky; through a lot of de­tec­tive work done by Cronkright and his busi­ness part­ner over a two-year pe­riod, Sun Ti­tle was able to re­cover $140,000. The June ar­rests in­cluded some of the per­pe­tra­tors.

And Cronkright found him­self in a new line of busi­ness, found­ing a firm called Cer­tifID to pre­vent oth­ers from be­ing vic­tims of BEC.

BEC fraud is also on rise with new home sales. “We’re see­ing them get much smarter and more brazen on the new con­struc­tion. We had two frauds in west Michi­gan this year alone where a builder’s iden­tity was spoofed,” Cronkright said.

The buy­ers thought they were re­spond­ing to an email from their builder and ended up wiring out $150,000 to the fraud­ster.

In an­other at­tempted fraud, the scam­mers tried to get be­tween the lender and a home­builder.

“So lenders have to be care­ful to pro­tect their cus­tomers from, or at least let them know that, this threat is out there and this is ex­actly how the wiring process is go­ing to work and this is ex­actly how the in­for­ma­tion is go­ing to be shared and it won’t change,” Cronkright said.

Ear­lier this year, the New York law firm of Abrams Garfinkel Mar­go­lis Berg­son, which han­dles real es­tate clos­ings, got a phone call from a lender that wanted to con­firm its wire in­struc­tions.

“Some­one had tried to as­sume our iden­tity and sent some wire in­struc­tions to the lender and it had noth­ing to do with us,” said at­tor­ney Neil Garfinkel.

“Had they not called to con­firm we sent this over, they would have funded this other ac­count and they could have been out the money,” he added.

But not every­one has got­ten the word that changes in the wiring in­struc­tions need to be ver­i­fied.

Half of one AGMB em­ployee’s job func­tion is ver­i­fy­ing the wire be­fore it is sent. “One wire could dev­as­tate a com­pany, it could dev­as­tate a firm,” added Michael Barone, an­other AGMB at­tor­ney. “These aren’t small wires, these aren’t $5,000 wires; these are hun­dreds of thou­sands of dol­lars, if not mil­lions of dol­lars.”

AGBM now puts a no­tice on the bot­tom of all its emails warn­ing re­cip­i­ents of cy­ber fraud and wire theft and telling peo­ple to be wary of any changes to the wire in­struc­tions, do not ac­cept email wire in­struc­tions with­out ver­i­fi­ca­tion and to call on a num­ber known to be true and ac­cu­rate. And it is in a thick, bold font, Garfinkel said.

“The over­rid­ing point is that you just can’t rely on every­one be­ing vig­i­lant. You need to have poli­cies about how to deal with these things be­cause not hav­ing a very sys­tem­atic rou­tine, there’s just too much room for er­ror,” he said.

Mak­ing the ver­i­fi­ca­tion call on a trusted num­ber is im­por­tant. “Scam­mers are now de­ploy­ing phone ‘port­ing’ tech­nol­ogy, to in­trude into that safe­guard­ing process, mas­querad­ing as a trusted party,” warns a bulletin about BEC pub­lished ear­lier this year by the New Jersey De­part­ment of Bank­ing and Insurance.

Be­cause the fraud­sters are mon­i­tor­ing trans­ac­tions, it is im­por­tant that set­tle­ment agents and lenders have their own in­for­ma­tion tech­nol­ogy con­trols in place, like two-fac­tor au­then­ti­ca­tion, said Mike Steer, pres­i­dent of Mort­gage Qual­ity Man­age­ment & Re­search.

Plus, they need to train their em­ploy­ees on how to spot and deal with email phish­ing scam at­tempts.

“It is the small things like that then end up sav­ing po­ten­tial losses,” he said. “The more that [em­ploy­ees] are trained to be aware of cer­tain scams that are out there and items to look for ... [and] to stop and think be­fore they act and get them­selves into trou­ble, the more cau­tious they’re go­ing to be and the more aware they’re go­ing to be.”

In their at­tempt to escape de­tec­tion, the per­pe­tra­tors use mul­ti­ple bank ac­counts and/or use mul­ti­ple names on the same bank ac­count. Some of these ac­counts may lay dor­mant for a while, said Ike Suri, CEO of Fund­ing­shield, a firm whose ser­vices in­clude ac­count ver­i­fi­ca­tions.

— Steven Harpe, CIO Gate­way Mort­gage Group

“We see some ac­tors re­quest­ing the same wires to the same ac­counts us­ing dif­fer­ent names over and over again. It doesn’t mean that it’s for fraud,” said Suri. “The fraud­u­lent ac­counts usu­ally don’t get too far. The peo­ple that are per­pe­trat­ing these frauds rarely ever keep these ac­counts open for more than six months be­cause their scam is al­ways go­ing to be found out.”

But just be­cause an ac­count might not be used for a pe­riod of time, doesn’t mean it won’t be pressed back into ser­vice.

“It’s easy to fake a name on a wire ac­count, any­body can do it. I’m sure a lot of the vic­tims may have even ver­i­fied names on wire ac­counts,” he added.

“But what we do, is we ver­ify the peo­ple who are be­hind that, along with the age of the wire ac­count; match the cor­po­rate en­tity that is sup­pos­edly listed there along with their ad­dresses, so that they all match up, so we know ex­actly who we’re deal­ing with and not just other third par­ties,” Suri said.

Fraud­sters have taken ad­van­tage of lax rules in some states to file “do­ing busi­ness as” names that are sim­i­lar to le­git­i­mate com­pa­nies. Then, they open a bank ac­count un­der that name and mas­quer­ade as the real com­pany. With­out a back­ground check on the bank ac­count, Suri said, prob­lems can arise when fraud vic­tims don’t know whether they’re deal­ing with the real com­pany or the im­pos­tor.

After fraud­sters made a num­ber of un­suc­cess­ful at­tempts at wire fraud against Gate­way Mort­gage Group, the lender spent much of its 2017 in­for­ma­tion tech­nol­ogy bud­get putting up de­fenses to thwart these types of scams, said Chief In­for­ma­tion Of­fi­cer Steven Harpe.

It built a lay­ered in­for­ma­tion se­cu­rity plat­form “that has re­ally helped us get eyes on this,” he said. “We have soft­ware in front of our com­mu­ni­ca­tions sys­tem that is look­ing specif­i­cally for things like im­per­son­ation at­tempts or emails that are com­ing from ge­o­graphic re­gions that we don’t do busi­ness in.”

Gate­way part­nered with a com­pany that gave it the abil­ity to write its own pro­gram­ming, Harpe said, ad­ding the first eight months of the roll out was spe­cific to cus­tomiz­ing ev­ery­thing to meet its needs.

“If there is one thing that keeps you up at night, it is try­ing to stay ahead of this,” he said. “The in­dus­try is be­hind the curve. The crim­i­nals have the ad­van­tage be­cause there’s a lot more of them and it’s al­most a fric­tion­less process for them. And it makes peo­ples’ jobs like mine and oth­ers in lender in­for­ma­tion se­cu­rity harder.”

The in­crease in spam at­tacks is an­other worry for Harpe. “They de­feat you first by just over­whelm­ing you with spam and then get­ting your cre­den­tials. Then there go­ing to sit and watch your be­hav­ior, watch who you’re talk­ing to and then they’re go­ing to im­per­son­ate some­one.”

He cited Oak­land A’s ex­ec­u­tive Billy Beane of “Money­ball” fame. “His story is spot on here. You can’t win this fight do­ing things the old way, think­ing with old thoughts. You’ve got to win this fight by hir­ing peo­ple with tal­ent, peo­ple that know math­e­mat­ics, peo­ple that can help you find the prob­lems be­fore they get to you.

“No one’s im­mune to it, and if you don’t have the right peo­ple and the right tools, you’re go­ing to lose,” Harpe said.

“The in­dus­try is be­hind the curve. The crim­i­nals have the ad­van­tage be­cause there’s a lot more of them and it’s al­most a fric­tion­less process for them.”

Tom Cronkright

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.