Wire fraud is a growing problem for mortgage lenders of all sizes and their clients. This kind of fraud targets downpayments and loan funds being sent into escrow.
The scammer, who could be internal or external, uses a version of a phishing ploy — often using email purporting to be from a legitimate company — to infiltrate networks and watch transactions progress. At the right time, they send fraudulent instructions and divert funds into their own hands.
If the money is sent to the scammer, there’s little chance of recovery. The borrower’s personal information and accounts, as well as those of other parties in the transaction, may be compromised. Mortgage originators should understand what’s at stake for their clients and what’s being done to prevent these crimes.
This type of incident can be especially devastating to a homebuyer who has saved for years to amass their downpayment, but it’s costly for mortgage companies, too. Lenders spent an average of nearly $8,000 to originate a loan in first-quarter 2021, according to the Mortgage Bankers Association. If a loan does not close due to fraud, there’s no revenue to collect, and the lender is at risk of lawsuits and litigation, further cutting into profit margins.
Mortgage transactions are lucrative targets for scammers for many reasons. First, there’s a lot of money moving around. Second, the sending and receiving parties may not know each other and likely have never done business before. Third, unlike the securities industry, which has an exchange to help companies verify IDs and trade in seconds, real estate and mortgage industry players often can’t verify who they’re dealing with in real time.
Yet these disparate and often geographically separated parties must work together, often at the last minute, to close the transaction and distribute funds. Such urgency and anonymity create a perfect storm for bad actors. In 2020, the FBI’s Internet Crime Complaint Center received more than 19,000 complaints tied to business email compromises with adjusted losses of some $1.8 billion. There are likely losses that go unreported due to the lender’s embarrassment and concern over reputational damage.
The escalation of fraud, especially cases that target the mortgage industry and consumers, recently caught the attention of Fannie Mae and the Consumer Financial Protection Bureau. These industry leaders have encouraged lenders to use third-party solutions to help protect themselves and their clients from wire fraud.
The importance of safeguarding mortgage transactions cannot be overstated. This is about people’s life savings. At the same time, much of the process has moved online. Unfortunately, in a climate where many people are working from home, the risk of fraud only keeps rising.
Company leaders that are facilitating transactions have to embrace business processes and technologies to preemptively head off these challenges, as well as to be cohesive, collaborative and coordinated with their peers and all verified companies involved in the closing process. To do so, mortgage companies and their employees should embrace these business practices and technologies that hold promise for shoring up vulnerabilities.
The first thing a mortgage company needs to do is an in-depth cybersecurity assessment. This will help you to understand where your company is vulnerable by identifying gaps in your security and backup procedures, including your ability to recover data after a disaster.
With this knowledge, you will be ready to build a plan for moving forward with updated cybersecurity policies and an instant-response program, which is your plan for responding to a breach or incident. The plan should identify everyone you need, from your attorney to your public relations representative, to respond appropriately and guard against any reputational risk.
Security-awareness training should be ongoing. Researchers from Stanford University and a top cybersecurity organization found that 88% of all data breaches are caused by an employee mistake, so it’s extremely important to arm your team with the knowledge and proven tools they need to protect your data and systems.
This set of “living documents” should be updated frequently so employees understand what to do if they see something out of the ordinary, and will know what steps to take to protect your business and clients. Your program should both instruct and test employees on how to spot spoof or scam emails, as well as what actions to take. (Don’t click on that link!)
Employees should be on the lookout for ransomware, phishing attacks, social engineering and fraud attempts. Many of these approaches will play on their sympathy to help someone, especially families or individuals affected by recent disasters. And, of course, training needs to be ongoing because scammers are adept at changing their approach.
With many employees still working from home at least part of the time, businesses have vulnerabilities they never dreamed of when everyone was located in the office. In other words, you’re only as strong as your remote employees and their networks. This reality demands that you take steps to continually monitor and adjust to what’s happening externally so that data and systems, including backup and disaster recovery systems, are fully protected. Rules for data security, privacy, confidentiality and sharing are a must. These rules must be continually monitored, tested and updated.
There’s no doubt that staying ahead of scammers is costly, especially for smaller institutions. A software-as-a-service model allows you to “quick start” your fraud-detection program. These secure, cloud-based applications are built by a trusted third party and are accessible to your business through the web or an application programming interface — a direct online connection between a company and a data provider.
This model eliminates having to invest in costly development and ongoing testing and maintenance of proprietary applications. Additionally, these companies often facilitate a “pay as you go” model, so you’ll only pay for the services you’re using instead of a set monthly price. Other tools include machine learning and just-in-time ID verification. Machine learning is a subset of artificial intelligence based around the idea of giving machines access to data to “learn” for themselves and improve decisionmaking over time. Just-in-time technology allows users access to privileged information and resources only when necessary.
These intelligent algorithms process large data-sets to find correlations between user behavior and the likelihood of fraudulent actions — reducing the risk of repeat offenders. This is augmented by just-in-time security measures, which allow lenders to validate stakeholders in real time, detect and deflect fraud, and find an alternative agent.
The market is now starting to see so-called “private-label” tools that lenders can provide to their clients to prevent transaction-level wire fraud. Because they are developed and supported by a third party, no development time or costs are incurred by lenders.
Consumers use these tools on their smartphones, tablets or other devices, and they can trust that their personal information and instructions (such as the wiring of account information) is coming from a party that’s been verified in real time. They also can securely and digitally share where they would like to receive funds using current banking-technology integrations, thus ensuring they are protected as a seller or a cash-out refinance party, for example. This ensures that a client’s mortgage experience is safe, transparent and reliable.
● ● ●
A comprehensive approach that integrates leading-edge business practices and innovative technologies for every closing transaction is necessary to protect your business systems, data and borrowers so you can keep transactions moving forward with verified entities. After all, nobody wants to prevent closings from taking place. You just want to make them safer. ●