With the growing fear of higher inflation rates, a softening economy and continually rising interest rates, pressure mounted on commercial property owners this year to refinance existing loans before rates went up. At the same time, with more remote work and greater competition to obtain a shrinking pool of applicants, commercial mortgage companies have increasingly moved to online applications and fulfillment.
As a result, cybercriminals and other fraudsters have moved in and phishing schemes are more prevalent. Phishing scammers pose as trusted parties — such as commercial mortgage brokers, lenders and legitimate borrowers. With greater pressure to refinance due to rising interest rates, scammers have an opportunity to swoop in and offer foreclosure rescue, loan modifications or bailouts to property owners.
According to FBI data, real estate fraud is on the rise, with more than 13,600 complaints filed in 2020 — a 17% increase from the prior year. From 2007 to 2010, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network specifically analyzed commercial real estate financing fraud. It found that these cases tripled during the four-year period, and a large percentage were perpetrated by the use of false documentation and false identities.
Commercial mortgage brokers should take care to avoid fraud by educating themselves about current cybersecurity scams and threats. Always double-check email addresses and phone numbers to make sure you’re talking to the correct person, and inform your borrowers that they should do the same.
Borrowers are frequently defrauded online by phishing scammers acting as commercial lenders, agents or others who participate in a transaction. As interest rates go up, scammers try to entice victims with promises of interest rates that are below market — and often significantly below market.
The scammer will induce the victim to complete an online mortgage application, which will include personal information about the borrower such as their name, address, work history, financial and banking information, and Social Security or taxpayer ID. Often, the scammer will already have obtained some or all of this information from other sources, establishing their bona fides with a lender by demonstrating that they already have this information.
After the fake application is completed, the scammer may issue the borrower an official-looking letter of intent agreeing to provide a mortgage at a substantial discount. The borrower will be asked to provide a deposit, a processing fee or a third-party report fee, which can be in the thousands or tens of thousands of dollars. Scammers also may monitor legitimate activity, up to the point of money transferring hands, and they will jump in at the last moment to provide false instructions that will move the money into the scammer’s account.
The money may be wire transferred (typically to a domestic account and then to an offshore account) or even transferred through cryptocurrency. Once wired, the scammer disappears. Wire fraud like this led to more than $213 million in losses in real estate transactions in 2020, according to FBI data.
There also is the possibility that by extension of simply communicating with these attackers or visiting their tainted websites, the victim’s computing system will be compromised. This can be accomplished with a keylogger, a remote-access trojan, ransomware or some other form of malicious software that is leveraged by the perpetrator to later attack the victim’s legitimate contacts, data and finances.
Scammers may pose as regulators or other government agents, inducing victims to part with personal information or funds. This is particularly true with respect to soliciting participants in government-sponsored loan programs such as COVID-19 relief funding, Paycheck Protection Program-style loans and rebates, U.S. Small Business Administration lending, foreclosure relief programs and more.
Additionally, with an increase in property owners researching better loan opportunities, scammers are casting out wide-net phishing emails. These are often generic emails stating something like, “We have the results of your loan inquiry,” which prey on the likelihood that at least a portion of the possible email recipients have, in fact, looked into a new loan in the recent past.
Other fraud activities are not focused on stealing money, per se, but at fraudulently obtaining the title to a property. The party may pose as the owner and induce the title holder to transfer control of a commercial property. At this point, the asset may then be used to obtain funds in numerous other ways.
According to the FBI, there was a 65% increase from 2019 to 2021 in identified global exposed losses due to business email compromise fraud, also known as email account compromise. In fact, statistics collected by the FBI’s Internet Crime Complaint Center (IC3) revealed a total of more than 241,000 domestic and international business email incidents, for an exposed loss of $43.3 billion, from 2016 to 2021.
The actual number is likely far higher as a significant portion of these types of crimes go unreported. But by implementing a reasonable set of best practices, commercial mortgage lenders, brokers and borrowers can greatly improve their ability to avoid falling victim to these threats. And if a threat is suspected, be sure to report it to the IC3.
The best defense against these fraud activities is to be wary of any unauthenticated entity online. Mortgage bankers and originators should have aggressive brand-protection strategies to look for, report and remove any fraudulent websites, social media postings, advertisements, mass emails or other communications that purport to come from them or appear to be endorsed by them.
Users should be warned about the dangers of phishing attacks, how to spot them and how to respond. The American Bankers Association has launched an aggressive “Banks Never Ask That” campaign to educate potential victims about the fact that banks don’t solicit financial information from non-customers. Companies should have — and insist that their customers have — multifactor authentication and fraud identification tools.
Commercial mortgage professionals need to take their time with every incoming email, text and phone call to make sure that the person they’re communicating with is who they claim to be. For example, determine whether the source email and domain address are the same as in previous communications.
Lack of complete documentation should create cause for concern for both borrowers and lenders. Pressure to act quickly or demands for wire payments also are red flags. If something seems suspicious, pick up the phone or pay a personal visit to verify exactly what is happening.
All of these steps should be in the context of complying with the basic information security protocols under the National Institute of Standards and Technology cybersecurity framework, as well as the procedures adopted by the Federal Financial Institutions Examination Council for banks, mortgage companies and other organizations. Lenders and originators should educate themselves on these frameworks, which lay out guidelines and best practices for managing cybersecurity risks.
Users should look for telltale signs of fraudulent websites, such as the use of obscure or foreign domain names, and misspellings or hyphenations in domains and emails (including character substitutions such as the number 0 for the letter O). Borrowers and brokers should always thoroughly check out any potential lender (and their website), and they should ensure that the listed address is a real address with a physical office (not just a P.O. Box).
Is the lender listed in their state of business with a business license or corporate identity? Do they finance their own loans? Do they have a loan servicing department? What is their source of funding? Be skeptical and ask questions because legitimate lenders will be happy to answer. As always, if something seems too good to be true, it probably is. And that’s especially true when interest rates rise. ●
Jeffrey Bernstein is the director of cybersecurity and compliance advisory services for Kaufman Rossin’s risk advisory consulting practice. Kaufman Rossin is a certified public accounting firm that provides professional services to businesses, organizations, institutions and their leaders. Bernstein advises clients in highly regulated industries on the protection and compliance of their networks, applications, systems, data, devices, people and property. Follow him on Twitter @Jeff_Bernstein1.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.