Residential Magazine

The Emerging Wire-Fraud Menace

When a borrower’s funds disappear at closing, everyone suffers

By Thomas Cronkright

For the past few years, the favorite topics of the mortgage industry have included regulation and enforcement, the purchase market and federal interest rate hikes. During that period, however, a more ominous threat has emerged: mortgage fraud, particularly wire/identity fraud at closing, which has grown at an alarming rate.

Mortgage fraud is now forcing itself into the headlines, however, and with good reason. The FBI estimates that compromised e-mails may have accounted for as much as $5.3 billion in business losses globally between 2013 and 2016. In addition, the FBI’s Internet Crime Complaint Center reported that wire-fraud scam complaints from real estate title companies spiked by 480 percent in 2016. These figures are estimated to include just 20 percent of the actual number of wire-fraud incidents that hit the industry.

All indications are that fraudsters are only growing more sophisticated, more aggressive and more successful each day. In all likelihood, you or your business could find itself ensnared in the next big fraud case that makes the headlines. Even if it doesn’t make the news, any fraud scam will have a significant impact on your operation.

Fraud is an issue that impacts everyone involved in the mortgage process, from originators and their lenders to borrowers, and even title companies. It will take a concerted effort from all participants in the process, including originators, to help stamp out this menace.

The threat is real

Even though the numbers are appalling, it sometimes takes a story or two to convince people that a threat is indeed credible. In spring 2015, one Michigan-based title agency was the victim of an identity-based fraud that cost it $180,000. The company spent the better part of two years investigating the circumstances and, in the process, learned just how sophisticated cyber criminals have become.

As is the case in so many examples of wire fraud, this example involved a cashier’s check, a wire request after that check was deposited and a check that bounced a few days later. The perpetrators included a cast of criminals from around the world, including a German citizen working in Europe, a Nigerian national participating from Canada and a vast network of stateside “money mules” who laundered the cash on tight time frames — often in just minutes. Today, some of the participants are in prison, and the company recovered about $140,000 of the stolen funds, but not without a tremendous amount of work and collaboration.

Another eye-opening example comes from Colorado, where a couple lost their life savings during the purchase of their dream retirement home. The couple sold their house with the plan to use the $272,000 in proceeds as a downpayment on their new home. Weeks later, the home was not theirs as planned — and their $272,000 had vanished into thin air.

The couple’s subsequent lawsuit against the mortgage lender, real estate agent and mortgage broker alleges that “during the negotiation, inspection and closing process, the defendants routinely sent sensitive financial information through non-secure e-mail, violating their own and industry guidelines.” The couple’s attorney believes that someone hacked into one of the companies’ databases, retrieving sensitive financial information to which only they would be privy.

The fraudster then sent a wire request under the guise of the closing company, requesting the cash prior to close. In essence, the couple was duped into wiring their downpayment directly to the fraudsters rather than the title company assisting in the closing.

The threat is growing

The above stories are, in fact, fairly simple examples of identity fraud in the closing process. The challenge, however, is that it appears fraudsters are getting more aggressive and more sophisticated. By impersonating businesses that are legitimately involved with a target transaction, fraudsters are starting to demonstrate a real familiarity with the industry, its norms, timing and culture.

For example, in the first case — and in at least 20 other cases the company heard about while researching their case — the fraudulent impersonator never sent e-mails before 9 a.m., which is common practice in the title industry. Nothing happens before 9 a.m. when it comes to a closing. The company also saw fake domains or e-mail addresses that replicated those of legitimate businesses — down to a difference of a hexadecimal or single letter.

The “trigger” to these types of fraud usually involves a change in wiring instructions or the delivery of wiring instructions in the first place. Unfortunately, numerous genuine mortgage transactions involve legitimate changes to wiring instructions. It’s no secret that the days leading up to a closing are usually chaotic, stressful and volatile. All parties can see the proverbial light at the end of the tunnel, and nobody wants to add to the cost or, especially, delay the closing by verifying identity over and over again.

A recent article in RIS MEDIA by Matt Cohen did an excellent job summarizing the typical identity fraud from a real estate agent’s perspective. Originators and other mortgage professionals may recognize several of the red flags from that article described here. Typically, a fraud starts with a hacker accessing a real estate agent’s transaction-management system, a lender’s loan origination system or a title company’s database. This attack usually begins via a phishing e-mail.

From there, the hacker enters the system, identifies transactions ripe for fraud and collects sensitive information that only a housing professional would have. Unfortunately, many people use the same credentials for their e-mail and data-system access so it’s quite possible for hackers to access an agent’s or originator’s e-mail account at this point as well.

It’s not uncommon for a hacker to set up an e-mail filter to begin capturing e-mails sent by the targeted client. These messages skip the professional’s inbox and go straight to the hacker. At this point, the hacker can send messages to clients directly from the real estate agent’s actual e-mail address.

Even if the hackers never access lender or title company systems, they can get sensitive information about those parties from the Realtor’s transaction system, and can replicate e-mails from those professionals as well. Hackers can even send e-mails from multiple spoofed accounts (e.g., the lender and the title agent) to verify information to each other. The rest of the scheme works like a typical wire fraud. When the time comes, the hacker instructs clients to wire their closing funds to an account the hacker specifies.

What can be done?

Although data breaches continue to be a major focus of cyber criminals, real estate fraud today has leveraged sophisticated social engineering techniques designed to “trick” someone into doing something they would not normally do. It’s a modern-day version of a con man but instead of face-to-face trickery, they use technology and industry knowledge as their tools of choice. This makes it harder to identify and stop a fraud scheme once it starts.

Often, the solution to this type of fraud involves some combination of increased diligence, the deployment of common sense and a simple technological enhancement. Unfortunately, all of these things still may not be enough to detect identity fraud at or prior to closing. A new phone-porting scam makes “call and verify” a waste of time once fraudsters insert themselves into the chain of communication. In such cases, the title agent or Realtor is basically calling the imposters and asking them to verify their identity.

A healthy dose of caution and skepticism on the part of all stakeholders in a transaction never hurts, but it’s going to take more to fight back. This includes a way to identify and verify the communication device being used when wiring instructions are delivered. This means verifying that all stakeholders — especially parties that aren’t present at the time of the closing — are who they say they are and also have a legitimate stake in the transaction in the first place. It means confirming and authenticating bank credentials.

It’s amazing how little information comes with some wire requests. The industry has seen plenty of examples of wire fraud where the bank’s name did not match the routing number included on the wiring instructions.

As with any sophisticated fraud, combatting the closing-fraud menace will require layers of technology working together with trained and aware professionals. There are technologies coming online right now that can help. The most effective ones are designed to authenticate parties to the transaction using multiple, overlapping sources of data. There are effective ways to do this that are not so expensive as to be prohibitive to smaller companies.

• • •

For now, it’s time for the housing industry to become aware of the growing menace of wire fraud and to heighten its awareness at all levels, from originators to title agents and beyond. As sophisticated as these fraudsters are, they prefer to work under cover of darkness. By making wire fraud a point of emphasis across the industry, we can take away this advantage and expose their intent before any more borrowers suffers a loss.


  • Thomas Cronkright

    Thomas W. Cronkright II is co-founder and CEO of Sun Title and CertifID in Grand Rapids, Michigan. CertifID is a guaranteed identity verification system designed to prevent wire fraud in real estate transactions. Founded in 2005, Sun Title has grown into one of the largest commercial and residential title agencies in Michigan. Cronkright is a licensed attorney and frequent speaker on identity theft, cyber fraud, real estate and financial topics. 

You might also like...