Wire in Real Estate Transactions

Craig Goldenberg, Senior Division President

Senior Division President – Direct Operations in ME, NH, NY, NJ, MD, DC, VA

Division President of New York Direct Operations

CIO of Stewart Title Insurance Company

Phone: 212.922.0050

Why are we talking about it?

Maryland, August 2017: The FBI says fraudsters used fake emails to fool a settlement company into wiring them the proceeds of the sale of a couple’s home. Amount lost: $411,548

New York, June 2017: A judge trying to sell her apartment received an email she thought was from her real estate lawyer telling her to wire money to an account. Amount lost: $1 million.

Washington, D.C., May 2017: The homebuyers sued the title company for the lost money, but also close to $5 million for an alleged violation of the RICO Act. The title company, which denies it had anything to do with the money going missing, said that it immediately contacted the FBI when the attack was discovered. Amount lost: $1.57 million.

Why are we talking about it?

Colorado, March 2017: A couple, who lost their life savings while trying to buy their dream retirement home, has filed suit alleging that none of the companies involved in the transaction, including a title company, did enough to protect sensitive financial information. Amount lost: $272,000

Minneapolis, September 2016: A retired couple hoping to buy a townhouse to be closer to their grandchildren received an email that looked like it came from the title company with instructions to wire money before the closing. They did. The email was fake. Amount lost: $205,000.

Why are we talking about it?

• Real estate transaction schemes increased 480% in 2016
• NY was 4th largest state in 2016 by number of reported victims – 16,426
• NY was 2nd largest state in victim monies lost in 2016 at $106M
• By category, Real Estate fraud had 12,500 victims in 2016 worth $47M
• Online bank account takeovers increasing by 150% annually
• Hackers creating over 57,000 fake (virus filled) websites weekly

“There are only two types of companies: those that have been hacked & those that will be. Even that is merging into one category: those that have been hacked & will be again”

-Robert Mueller, Former FBI Director

Terminology


Social Engineering: psychological manipulation of people into performing actions or divulging confidential information. A type of trick used for information gathering, fraud, or system access.

…it is much easier to fool someone into giving you their password than it is for you to try hacking their password

Terminology – Social Engineering examples

• Spoofing
• Phishing
• Spear Phishing
• Clone Phishing
• Pharming
• Vishing
• Smishing
• BEC/EAC

Spoofing: Email information is masked in an attempt to trick recipients into believing the message came from someone else.

Phishing: The attacker recreates the website or support portal of a renowned company and sends the link to targets via emails or social media platforms.

"We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."

"During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information. Failure to act immediately…"

"Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund."

Spear Phishing: Email or electronic communications scam targeted towards a specific individual, organization or business.

Clone Phishing: A previously sent legitimate email is resent to the recipient, but with a malicious attachment or link.

Pharming: an attack intended to redirect a website's traffic to another, bogus site.

Vishing: a tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities.

Can be used in conjunction with spear phishing for greater effectiveness.

Smishing: uses mobile phone text messages (SMS) to trick victims into taking an immediate action.

BEC (Business Email Compromise): Scam targeting businesses that regularly perform wire transfer payments.

EAC (Email Account Compromise): Similar to BEC but targets individuals rather than businesses.

Anatomy of Wire Fraud

• Agent, broker, seller or buyer receives phishing email
• Criminal compromises user email account
• Criminal monitors and reads all user emails
• Last minute, adversary modifies wiring instructions
• Original bank and accounts are substituted for a "mule" account at a new bank
• Criminal collects the money

BEC/EAC is here to stay

• $5,302,890,448 – Dollar amount of exposed losses from BEC from 2013 to 2016
• 2,370% – Increase in exposed losses from January 2015 to December 2016

BEC has affected people in all 50 states & in 131 countries

BEC/EAC – Why does it work

• Sense of urgency, bad timing
• Take advantage of the "weakest link"
• Distracted, overworked, disengaged employees
• Similarity in tone & wording but with noticeable differences
• Takes advantage of natural

In a social engineering test, 50% of a lender's employees click on a phishing email. 20% click on an attachment or grant permissions to enable macros or other highly dangerous behavior. 5% of the employees are "serial" clickers: they click on everything.

How do we defend ourselves

How to defend ourselves

• IT hardening – Security Stack
• Various layers of perimeter and network security designed to prevent data breaches and hacker exploits
• Endpoint monitoring to rapidly identify a security flaw/breach and allow for immediate response and remediation

90% of breaches and hacker exploits start with social engineering. Humans remain the most vulnerable link in information security.

How to defend ourselves – Security Stack

• Register all company domains that are slightly different than the actual company domain
• Establish a company domain name, avoid free web based accounts
• Two Factor Authentication for email
• Do not use hotel & public Wi-Fi
• Do not commingle personal assets with work
• Use corporate VPN
• Use personal VPN
• Set passcodes on mobile devices
• Passwords…

How to defend ourselves – Phishing Detection

• Misspelled email domains
• Double letters
• Look-a-likes
• Vowels replaced
• Grammar problems
• Sense of urgency
• Similar (but not the same) emails
• Foreign bank
• Weekends and holidays
• Emailed change in instructions
• New beneficiary

Look-alike domain examples from the slide: Steewart.com, Bankofamerica.om, Youtube.om, Facebookc.om

How to defend ourselves – Phishing Prevention

• Hover over links to view the URL, do not click
• Double check email addresses in the header of the email
• Know the habits of your customers, including the details of, reasons behind & amount of payments
• Do not use the "Reply" option; use "Forward" and type the email address of the recipient
• Slow it down – does it really have to go out now?
• Assume email has already been compromised
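The detection and prevention bullets above describe what to look at in a suspect message: a sender domain that is one typo away from a real one, a Reply-To that points somewhere other than the From address, an emailed change in wiring instructions, and urgency wording. The script below applies those same checks to raw messages, as an added example that is not part of the presentation. TRUSTED_DOMAINS, the two phrase lists and the two sample messages are constructed for illustration; the thresholds are assumptions.

```python
"""Flag inbound e-mail that shows the phishing indicators from the slides.

Added example, not part of the presentation. TRUSTED_DOMAINS, the phrase
lists and the two sample messages are constructed for illustration.
"""
import email
import email.utils
from email import policy

# Constructed: domains this office legitimately exchanges wire details with.
TRUSTED_DOMAINS = {"stewart.com", "bankofamerica.com"}

# Constructed phrase lists for the "sense of urgency" and "emailed change in
# instructions" indicators; extend them from your own mail traffic.
URGENCY_PHRASES = ("immediately", "urgent", "right away", "within 24 hours")
WIRE_CHANGE_PHRASES = ("new wiring instructions", "updated wiring instructions",
                       "bank has changed", "new account number")


def sender_domain(header_value):
    """Lower-cased domain from a header such as 'Closing Dept <a@b.com>'."""
    _, address = email.utils.parseaddr(str(header_value))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance: a misspelling, doubled letter, swapped vowel or
    dropped character each cost one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Trusted domain that `domain` imitates (within two edits), or None.
    An exact trusted domain is not a look-alike; the threshold is an assumption."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def check_message(raw):
    """Return a list of findings for one RFC 5322 message; empty means no indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = sender_domain(msg.get("From", ""))
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    # "Double check email addresses in the header": a Reply-To that points
    # elsewhere is how a plain "Reply" ends up in the criminal's mailbox.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    target = lookalike_of(from_dom)
    if target:
        findings.append(f"sender domain {from_dom} looks like {target}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + "\n" +
            (body_part.get_content() if body_part else "")).lower()

    wire_hits = [p for p in WIRE_CHANGE_PHRASES if p in text]
    if wire_hits:
        findings.append("emailed change in wiring instructions: " + ", ".join(wire_hits))
    urgency_hits = [p for p in URGENCY_PHRASES if p in text]
    if urgency_hits:
        findings.append("sense of urgency: " + ", ".join(urgency_hits))
    return findings


# Constructed sample: the indicators stacked the way the slides describe.
SAMPLE_SUSPECT = """\
From: Closing Dept <closing@steewart.com>
Reply-To: closing.desk@mail-relay.example.net
To: buyer@example.com
Subject: Closing tomorrow
Content-Type: text/plain; charset=utf-8

Please note our bank has changed. Use the new wiring instructions below
and send the funds immediately so we do not delay the closing.
"""

# Constructed sample: routine mail from the real domain, no Reply-To, and it
# asks for a call-back on a known number rather than an immediate wire.
SAMPLE_ROUTINE = """\
From: Closing Dept <closing@stewart.com>
To: buyer@example.com
Subject: Closing documents
Content-Type: text/plain; charset=utf-8

Attached are the documents for Thursday. Please call our office at the
number on our website to confirm any wiring details before sending funds.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("routine", SAMPLE_ROUTINE)):
        print(label, check_message(sample) or ["no indicators"])
```

Run as a script it prints the findings for each sample; in a mail gateway or mailbox rule the same `check_message` result is what would route a message to a verification queue. The look-alike test only compares the full sender domain, so `mail.stewart.com` is neither trusted nor flagged; add subdomains you actually use to TRUSTED_DOMAINS rather than loosening the edit-distance threshold, which would start flagging unrelated short domains.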

How to defend ourselves – Phishing Prevention

• Don't be so open on social media
• Be careful what you post on company websites, especially job duties & descriptions, hierarchical information & out of office details
• Know the habits of your customers
• Have I been pwned? https://haveibeenpwned.com/

How to defend ourselves – Phishing Prevention from the Enterprise

• Increase training & awareness
• Establish & communicate a verification process with clients
• Limit the number of employees within a business who have authority to approve &/or conduct wire transfers
• Identify your "crown jewels"
• Restrict access to Non-Public Personal Information to authorized employees who have undergone background checks
• Establish a plan for disposal and maintenance of Non-Public Personal Information

Wire Fraud Happened, Now What?

• Contact the financial institution immediately upon discovering the fraudulent transfer.
• Request that the financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
• Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Enforcement Network, might be able to help return or freeze the funds.
• File a complaint, regardless of dollar loss, with the Internet Complaint Center at www.ic3.gov or, for BEC/EAC victims, bec.ic3.gov

Recent Changes in New York Regulations guiding our industry

• Gramm-Leach-Bliley Act (GLBA) 1999
• Safeguards Rule, which stipulates that financial institutions must implement security programs to protect private financial information

• Cybersecurity Regulation (23 NYCRR Part 500)
• Requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk.

NYDFS Cybersecurity Regulation – Who is covered

• Licensed lenders
• Mortgage Companies
• State-Chartered Banks
• Trust companies
• Service Contract Providers
• Private Bankers
• Insurance Companies doing business in New York
• Non-U.S. banks licensed to operate in New York

NYDFS Cybersecurity Regulation – Who is exempted

• Fewer than 10 employees
• Less than $5 million in gross annual revenue for three years, or
• Less than $10 million in year-end total assets

NYDFS Cybersecurity Regulation – To be compliant

• Establish an effective cybersecurity program
• Create and maintain a written cybersecurity policy
• Designate a Chief Information Security Officer (CISO)
• Hire qualified cybersecurity personnel or utilize third party providers
• Establish an incident response plan

NYDFS Cybersecurity Regulation – To be compliant by February 15, 2018

• Covered entities must submit their first certification of compliance
• CISO must file cybersecurity report
• Regularly conduct penetration testing and vulnerability management
• Conduct bi-annual risk assessments

Questions