First American Title recently sued a California real estate broker for $513,000 alleging that the broker’s failure to secure his email account led to a fraudulent wire transfer.  (First American Title v. Tanashi Zapata, et. al.)  Unless you’ve been living under a rock, you’ve heard of the horrible wire fraud scams targeting the real estate industry.  It’s happening in Denver and all over the country.  However, there’s been little discussion about the details of these fraud schemes and why real estate brokers need to start paying closer attention to the issue.

Here’s how a typical scam works:  The fraudster pretends to be the buyer, seller, title company, or lender, and emails one of the other parties requesting that someone send funds by wire transfer.  The fraudster may pose as the title company and ask the buyer to wire the down payment, or the fraudster may pose as the seller and ask the title company to send seller proceeds by wire.   The fraudster gives wire transfer instructions to the fraudster’s bank account and as soon as the funds hit the account the fraudster extracts the funds.

These fraudsters are clever.  They know exactly when the closing is going to take place and they time their requests accordingly.  For example, a day before the closing the buyer gets a fraudster email pretending to be the title company asking the buyer to wire funds.  Similarly, the day of closing the fraudster may pose as the seller, or seller’s broker, and send the title company wire instructions for seller proceeds.

How are the fraudsters doing this?   When it comes to cyber fraud, most people envision hackers cracking some firewall to get into a company’s servers to obtain sensitive information.  Or, they might think the hackers are intercepting email content between the sender and recipient to discover sensitive information.  While those methods are out there, the typical fraudster finds it much easier to simply target the real estate broker’s email account.

In the case of First American Title v. Tanashi Zapata, et. al., the fraudster accessed the email account of the seller’s real estate broker (Mark), and sent an email from Mark’s account to the title company with imposter wire instructions.

Over the past several years regulators have forced title companies and lenders to implement encrypted email and other security measures to protect customer information.   At the same time, there’s been little, if any, regulatory focus to require real estate brokers to implement similar security measures.  The industry is full of real estate brokers who have failed to implement even the simplest email security precautions.  This makes the real estate brokers easy targets for the fraudsters.  It also exposes brokers to tremendous liability if they fail take precautionary measures.

How can real estate brokers protect their clients?  There’s a laundry list of precautions real estate brokers can take to protect clients, but let’s focus on the big three:

  1. Secure Your Email Account. Most hackers gain access to accounts by cracking the password and then signing into the email account on the internet – like gmail.   There are three simple ways to protect against email access.   First, change your email password to at least a 14 character password (way harder to crack).  Second, change your password at least monthly.  Third, and most important, implement “two-factor” or “dual” authentication.  With this type of authentication in place, when you sign on to your email account via the internet, your mail provider will text a code to your cell phone and require that you enter the code before you’re allowed access to the email.  The hacker may be able to crack your password, but he will be denied access to your account unless he also has your cell phone.  If he’s got your cell phone you have bigger problems…
  2. Don’t Open Spam. Most hackers gain access to email accounts with phishing emails.  These are the emails with executable zip files attached, or emails asking you for login information.  The email typically used to target real estate brokers is the email claiming to have invoices or documents attached and requiring you to enter your credentials to access the documents.  Don’t do it.
  3. Handle Wire Instructions at Closing. There’s really no reason to email wire instructions to the title company in advance of closing.  Just bring them to closing.  Most title companies, like us, require the seller sign a verification of printed wire instructions at closing.

There are other precautions you can take, like firewall protection, encrypted email, etc.  However, the three precautions above can be accomplished in less than 10 minutes.  If you want more ideas on protecting against wire fraud you can read on here:  https://www.crowdreviews.com/blog/protect-clients-real-estate-wire-transfer-fraud/

Greg Parham, Attorney and Operations Manager for First Alliance Title