Technology has been a driving force behind many great advances in the Title Industry and now more than ever, proficiency in the latest tools is critical. Even before the COVID pandemic, lenders and title professionals were testing options for E-closings and remote online notarization, responding to consumer demand. Now with more and more of the process and communication regarding transactions online, focus on the accompanying risk is paramount. Scams have, with increasing frequency and sophistication, taken a toll on everyone from whole businesses to homebuyers. Since the onset of COVID-19 related work at home changes to business models, cyber fraud has increased over 500%.
July 29, 2020 (Updated from article originally published October 5, 2017)
Cybersecurity in the Title Industry
By Matthew Cohen
The surge of automation within the title industry and lending community has paved the way for faster communication, fewer human errors through technological collaboration, and rapid movement towards paperless closings, all with the intent of delivering a greater customer experience. While it is imperative to implement the technologies that enable us to meet these higher expectations, it comes with a unique set of risks. The extensive amount of NPI (non-public information) collected for each transaction continues to move from traditional file cabinets to digital space shared by cyber criminals. Online transparency, a benefit to legitimate real estate transactions, is also an invitation for cybercrime. Protecting customer information has always been a top priority at Two Rivers Title. In fact, all financial institutions are mandated to protect NPI.
Federal and state guidelines have existed for decades.
The Gramm-Leach-Bliley Act of 1999 mandated how financial institutions must handle Nonpublic Personal Information (NPI) to protect consumers.
In an October 2017 publication, the CFPB reiterated its desire to protect consumers:
“For some time, a range of companies—many of them “fintech” companies—have been accessing consumer account data with consumers’ authorization and providing services to consumers using data from the consumers’ various financial accounts…. There are many significant consumer protection challenges to be considered—particularly with respect to data privacy and security—as these technologies and practices continue to develop.”
Recognizing cyber threats and associated risks is the first step in reducing vulnerability and an ongoing responsibility for title professionals.
Phishing Scams are the most common way hackers obtain information. Phishing is an electronic attempt to acquire NPI by pretending to be a familiar or trustworthy source. We see these every day. Staff members receive emails requesting NPI. Sometimes simply opening the email allows cybercriminals to infiltrate the system causing a data breach, or implant software which locks down the system followed by a ransom demand. This is particularly threatening in a business that handles commercial and residential transactions. Information such as social security numbers, bank routing numbers, passwords, and credit card details are all examples of information typically entrusted to the settlement agent. Identifying scams and taking measures to stop them has become part of our daily routine.
Wire Transfer Fraud continues to be the most potentially devastating phishing scam affecting the title and real estate industries. In the case of wire fraud, the hacker obtains enough NPI and company information to pose as someone they trust who is involved in a closing. The client, usually the buyer, is contacted electronically and told there “has been a change in their wiring instructions” or “please send the following amount by wire ahead of the closing”. The wire transfer information is fraudulent and, if sent, the money is lost. Despite our industry’s attention to this, using bold Wire Fraud warnings as part of our regular email signatures, hackers are still having a lot of success.
According to NAR in 2018, one of the fastest growing cybercrimes in the U.S. is wire fraud in real estate. About 11,300 people were victims of wire fraud in the real estate and rental sector in 2018, with losses of more than $150 million, according to FBI data.
Cited by FORBES, a Washington, D.C. couple lost $1.5 million in a phishing scam that compromised their title company’s email server. A year before, a Colorado man lost a $56,000 down payment. And just this Spring, a local attorney lost $100,000.
The tales of financial heartbreak go on.
We all know that a wire fraud attempt can potentially be catastrophic. An email sent to a client impersonates your company email. The email address is right, it looks like a legitimate party to the transaction and the correct date/time for the upcoming closing is listed….and a wire is requested to be sent ahead. Hackers have become more proficient with fewer red flags for us to catch, so we must zealously and consistently communicate this scenario to our customers, our partners, and our staff, affording us the greatest protection.
Preventing Cyber Scams
Education, communication and a written policy are key.
Since 2013, ALTA Best Practices Compliance, Pillar 3, called for a comprehensive analysis, written policy, and security risk management program.
A complete risk management program includes determining digital assets such as NPI on clients, analyzing the threats represented by each, developing an appropriate cybersecurity program for each threat within the company size and ability, monitoring and reporting.
Implementing and enforcing a comprehensive risk management program takes a considerable amount of time and resources. Therefore, to reduce your vulnerability immediately, consider taking these measures:
1. Teach staff how to spot fraudulent emails
BEFORE OPENING AN EMAIL:
- Double check the email address to see if it is a valid email
- Sometimes the email address can be off by just one letter making it seem to appear to be a valid e-mail address (For example instead of @tworiverstitle.com, it may show as @tworivertitle.com)
- In addition, there are often when it may have been delivered from the actual person’s e-mail
- Check the “To” address line – if suspicious, call the sender to verify
- Be careful when opening emails on your phone.
- Also consider who else may have been in an email conversation. Just one non-secure email address can give hackers details of a transaction and pave the way for fraudulent emails redirecting wired funds.
BEFORE OPENING & DOWNLOADING FILES:
- Never open an attachment, within an email, unless you are expecting it.
- If you receive an email asking you to open a file that you were not expecting, use caution.
- Call the sender to verify that they sent it.
- Remind your teams to avoid downloading any software/programs to their computers that you did not authorize
2. Instruct all parties of a transaction to call before sending any wires, and to verbally confirm any email requesting NPI
3. Communicate potential risks to clients
4. Change passwords regularly
- Use strong passwords! Do not use the same password for every account that requires one. Use song lyrics or sentences describing yourself.
- Choose 2-step verification everywhere it can be incorporated
Protecting Yourself if You are a Victim
Unfortunately, there are times that prevention fails and you find yourself a victim. Insuring yourself and your company against potential losses can mean the difference between staying in business or being forced to close your doors. Many insurance companies offer Cyber Insurance policies to help defray costs associated with data breach, data restoration, cyber extortion, crisis management, and cost recovery and mitigation. As more cases emerge, the Federal Courts are divided as to whether the typical fidelity crime insurance policies provide coverage for cybercrimes. While researching coverage it is important to understand your particular risks and to be insured against those risks. Some companies offer a complimentary assessment of your current vulnerabilities and will work with you as you continue to implement new systems.
It is crucial to buyers and sellers and all the professionals involved in a real estate transaction that a settlement agent take its role as guardian of confidential information as seriously as its role in safeguarding the funds being transferred.
During these unsettled times, our reliance on web conferencing for staff meetings, socializing with clients via zoom and new technologies to complete closings themselves in 2020, we must keep the conversation going. As an industry, we are the protectors of property rights and the champions of our customers and our partners. Together, we safeguard against cybercrime.
Matthew Cohen, Esq., CEO
Two Rivers Title Company LLC