Editor’s Note: This is part two in a three-part series from the August edition of National Mortgage News magazine about the growing prevalence of business email compromise fraud. Read part one and part three here.
The mortgage industry is a ripe target for business email compromise schemes because of the increased presence of publicly available data about real estate listings and sales.
Within 48 hours of a home going up for sale, the listing is syndicated across myriad multiple listing services and real estate websites. After it goes under contract, the property’s status is changed to pending sale. That helps outsiders — including people not in the United States — perfectly time when they weasel into transactions.
Meanwhile, digital communication has removed much of the personal connection between the players in a real estate deal. Participants might rarely, if ever, meet face-to-face, increasing the fraud risk because they do not know each other.
A small measure of success was seen in June when federal enforcement agencies made 74 arrests and were able to seize $2.4 million of ill-gotten gains and disrupt or recover an additional $14 million from BEC. Among the victims were title companies and real estate attorneys.
Showing the global nature of BEC crime, 29 of those people arrested were in Nigeria with one each in Canada, Mauritius and Poland. There were reported losses of $3.8 billion from 44,007 victims of BEC and a related fraud called email account compromise since 2013, when the Federal Bureau of Investigation’s Internet Crime Complaint Center — known as IC3 — started tracking these schemes. In the first quarter of 2018, there were 4,081 victims with reported losses of $685.2 million.
For the first five months of this year, adjusted losses from real estate-related BEC were $46.1 million, nearly equaling the amount for all of 2016 and is on pace to match the $111.2 million for 2017, the FBI said. Adjusted losses for all BEC fraud last year was $675 million.
“The good news in those numbers is that it also reflects a growing awareness and recognition. Now you just have to turn to prevention,” said Ann Fulmer, president of Paladin Advisory Services.
The June arrests included some of the scammers that preyed on Sun Title in 2015. But even before those arrests, Sun Title CEO Tom Cronkright and his business partner Lawrence Duthler, through a lot of detective work, were able to track down and recover $140,000 of the $180,000 Sun Title lost in the scam.
“Through litigation or finesse, any data point or name we could get out of anyone that had visibility to where the funds went, we went after them,” Cronkright said.
The search spanned six countries, but its recovery efforts were based in the U.S. The bulk of the money recovered “was voluntarily sent back with [the scammers’] consent through the banks,” although the rest was recaptured through civil litigation, Cronkright said.
And Cronkright found himself in a new line of business, founding a firm called CertifID to prevent others from being victims of BEC.
But at least Cronkright and Duthler got their money back. For many victims of BEC fraud the money is gone forever.
And that creates an added risk for lenders, namely being sued by consumers affected by the fraud.
“All of us in the transaction have a duty to protect the consumers,” said Cronkright.
However, there are some attorneys who are looking to create a legal obligation on the theory the victim lost money and someone has to pay, he added.
“The good news in those numbers is that it also reflects a growing awareness and recognition.”
— Ann Fulmer, president of Paladin Advisory Services
In one case, James and Candace Butcher sued Envoy Mortgage, Wells Fargo (where their bank account was), Land Title Guarantee and Kentwood Real Estate after becoming victims of a BEC scam involving nearly $273,000, according to media reports.
The case was filed in the Denver District Court in June 2017; a public records search said it was closed on March 12, with no other disposition listed. Envoy and the Butchers’ attorney did not respond to requests for comment.
BEC fraud is also on rise with new home sales. “We’re seeing them get much smarter and more brazen on the new construction. We had two frauds in west Michigan this year alone where a builder’s identity was spoofed,” Cronkright said.
The buyers thought they were responding to an email from their builder and ended up wiring out $150,000 to the fraudster.
In another attempted fraud, the scammers tried to get between the lender and a homebuilder.
“So lenders have to be careful to protect their customers from, or at least let them know that, this threat is out there and this is exactly how the wiring process is going to work and this is exactly how the information is going to be shared and it won’t change,” Cronkright said.
Earlier this year, the New York law firm of Abrams Garfinkel Margolis Bergson, which handles real estate closings, got a phone call from a lender that wanted to confirm its wire instructions.
“Someone had tried to assume our identity and sent some wire instructions to the lender and it had nothing to do with us,” said attorney Neil Garfinkel.
“Had they not called to confirm we sent this over, they would have funded this other account and they could have been out the money,” he added.
But not everyone has gotten the word that changes in the wiring instructions need to be verified.
Half of one AGMB employee’s job function is verifying the wire before it is sent. “One wire could devastate a company, it could devastate a firm,” added Michael Barone, another AGMB attorney. “These aren’t small wires, these aren’t $5,000 wires; these are hundreds of thousands of dollars, if not millions of dollars.”
AGBM now puts a notice on the bottom of all its emails warning recipients of cyber fraud and wire theft and telling people to be wary of any changes to the wire instructions, do not accept email wire instructions without verification and to call on a number known to be true and accurate. And it is in a thick, bold font, Garfinkel said.
“The overriding point is that you just can’t rely on everyone being vigilant. You need to have policies about how to deal with these things because not having a very systematic routine, there’s just too much room for error,” he said.
Making the verification call on a trusted number is important. “Scammers are now deploying phone ‘porting’ technology, to intrude into that safeguarding process, masquerading as a trusted party,” warns a bulletin about BEC published earlier this year by the New Jersey Department of Banking and Insurance.
Up next: The best defense against mortgage fraud is a good offense