Jan 15, 2019
11:00 AM EST

The Real Estate Wire Fraud Playbook

This is the first webinar in the CertifID Monthly Fraud Briefing Series. It opens up topics and issues as they relate to wire fraud in real estate transactions and helps provide strategies for preventing fraud.


Streamed on:

January 15, 2019


Full webinar transcript:

Good morning everyone. This is Tom from CertifID, and wanted to thank you for joining our kickoff monthly fraud briefing for this year. The CertifID team has worked very hard in putting together a series of programming that I'm hoping you will get tangible benefit out of each and every month. So for those of you that I don't have the privilege, or haven't had the privilege to meet, there's a few hundred on the call, and really appreciate the response.

I'm one of the co-founders of CertifID. I'm an attorney by trade, and also one of the co-founders of Sun Title here in Michigan. So I'm a large agency owner. And I say that because what we're gonna go through today is something that we're experiencing alongside with you, both through the learnings we get and the CertifID platform from our customers and the folks that are coming on the platform, but also in our title operations.

So and I'm also uniquely a fraud victim, and for those that have gone through that experience, I think you'll appreciate what I'm about to say. So my passion really over the last, call it, few years since we had our fraud in 2015, and then further attempts since then on our brand, is to prevent this from happening to your organization and your customers that have put the trust and faith in you to close and disburse the transfer of their property in a proper way.

So, like I said, we went through the event. I spent two years trying to recover a bulk of our funds, which we were able to do through litigation, and then it kinda ended last Fall with a very intense experience where I was actually called to testify in federal court, where the U.S. Department of Justice was convicting on a criminal basis one of the main ringleaders of a cyber syndicate originating out of western Africa. And I only say that because, again, the emotional and the taxing it takes, basically, on an organization when you have a fraud is something that you just don't pick up in the news articles or things like that. We all hear it's bad and this and that, but if you gotta go the distance like, for whatever reason, I was called to do it's quite intense.

So here's what these monthly updates are gonna be about. This is gonna be hard-hitting, raw, kinda real-time what we're seeing and what we feel you need to take back even to your teams to make your company more aware, and more abreast of what's happening, but also your community. So I invite you as you're looking at this material, think about the fact and remind yourself that it really is an ecosystem between our referral partners and our customers and our vendor partners, and the things, the people we have to interact with to successfully close a transaction. They will prey on the weakest link.

So to kick things off we're gonna do kind of an overview of what we saw last year, what we know, as kind of a state of the union, and then I will end with showing just some other programming that we're planning for this series and this year. So each one of them I plan on talking for 30, 35 minutes tops, 10 minutes of Q&A, and you guys can go about your day.

So I'm gonna jump right in. We're gonna start to talk about what's called the wire fraud playbook. So one of the things that I've learned through this experience, and it has been confirmed by many others that have gone through fraud and the FBI and the FTC, and the relationships that we've built, is the fraudsters are really focused on real estate transactions, and they run off of a very well-defined playbook. So if you think about it you think, "Oh, they're bad guys and they're criminals and they're thugs, and this and that." Well, we could describe them as that, and they are all of those things. They're also incredibly well-educated. They're smart. They're patient, and they're running off of a defined methodology that to them is proving success.

So during this series this year I'm not gonna stand up here and just sit here and complain, and that it's all peril and we should close our escrow accounts, and blah-blah-blah. Instead we're gonna start taking a clinical review of what's happening, how it's happening and what are we learning from these experiences. So we can start to reverse engineer, if you will, to make ourselves more secure. Kind of the what, how and then why do we care about this profile or this education, and how can we disseminate it?

So the steps to committing a fraud are actually these, and it's a methodology. They profile someone in a transaction. Once they profile they typically send a phishing email, and the phishing email is designed, well-crafted, very strategic, designed to get user credentials to access an email account. So then they're in somebody's email account. It might not be ... They might be targeting the buyer for cash to close funds, but they actually gain the email account access through their agents that they're working with, for example.

Then they monitor. They sit there and they lie in wait, and they have algorithms and programs that they've developed for key words, and typically they're monitoring for about 180 days before they show up. "Who are they communicating with? What are they communicating about? When do they communicate? How do they communicate? Oh, I see there's critical information I just obtained about an upcoming closing." So they obtain transaction-level information, then the fraud really strikes, where they impersonate somebody in a transaction that they have intimate details for the purpose of manipulating the target to get them to transfer funds to an unintended destination.

My goal with you, and I hope you'll come on this journey as the goal that you have internally and in your community, is that we throw up safeguards further in this process to prevent profiling, to certainly prevent account access, and through education, they don't get this far to the impersonation and manipulation, which leads to the loss.

So why real estate? It's very simple. Tons of money are being transferred in single blocks of wire transfers. It's unique among other transaction profiles in the U.S. We've got several different parties, typically seven or eight on average. All communicate electronically. We've called this in previous discussions the digital distance that we all have between each other. It's a huge problem. If you're in a market where you have split closings I'll keep you guys on prayer chain, just like we are. It's a disaster. They know the intimate nuances of how information is exchanged on split closings, and they prey on that. And then the bell-ringer of it all is all the information's publicly available and you can find it online. Super easy.

So I'm gonna emphasize this and I'm gonna show you how easy it is. So let's start to unpack. How easy is it to start a fraud if we wanted to? So our team was asked to speak at a large conference last year, and we actually profiled. So what we did was we did a random, literally put this in Google, Kansas City home for sale, and this was the first listing. So this is how we decided what transaction we wanted to profile, okay? So this listing, this nice three bed, one bath in Kansas City shows up. It looks like Anita is our agent with Keller Williams. So we put into a site called Spokeo the address, okay?

And as I'm going through this notice I'm not breaking any laws. We just need to know where to look to find the information, and it's all out there readily available. So for 95 cents I'm going to get the name of the owner of that address, a month and date of birth, three known mobile numbers and some additional information on the house, okay? I'm gonna spend through a different site called Radaris, it's another dollar. So I'm less than $2 in, and I'm gonna unlock the actual date of birth, two email addresses and a slew of previous addresses, and I'm gonna confirm this phone number.

So for less than $2 in about seven minutes I'll have a fully curated profile on the seller, okay? Let's pivot over to the agent. What do we know about Anita? Well, we found her LinkedIn, and it looks like she's a realtor in the Kansas City area. So let's go to Hunter, and we type in just kw.com to see if we can confirm her email address. What was interesting is while we didn't find Anita's email address, almost 25,000 active Keller Williams email accounts showed up in a simple search in Hunter, okay?

Well, why, and you guys are probably up to speed here, why didn't her email address show up? Because she's not using Keller Williams.com, the secure email service that her broker offers. She's using Gmail, right? So we submit a question to see, "Okay, what account are you using, Anita?" Just in the chat box, and the auto response confirms her actual Gmail account and her cell number that she's using. And then just a few minutes later she confirms from her email account, giving us the mobile number, of her kind of identity online if you will.

So now we've got the agent profiled. Where is Anita going to close? What do you mean? What I'm asking is what title company ... She's a listing agent. What title company is she gonna send her site to down in Kansas City? Well, that's easy because everything syndicates online. So we're just gonna go into Anita's past sales. All we have to do is profile a handful of these, which we did, and I'll show you just one example of how we know with a high degree of certainty where she's gonna close.

So we pick this Summit Street. We go to the Jackson County register of deeds. We pull the deed in connection with the closing that she reported as a sold. Go to last page, and guess what? We see a Christy Woodward. Well that's interesting, because Christy shows up on several deeds of recent closed. So what do we know about Christy? Christy is an escrow officer at Platinum and just looking at the notary contact information we can see a direct email address for Christy.

So here's the concern, guys. If I'm a fraudster and I have a fully-curated profile on the seller, and I got a fully-curated profile on the listing agent, and I know with a pretty high degree of certainty where the file's gonna close, I'm a couple emails or phone calls away from somebody at a brokerage or at a title company unknowingly giving me the name of the seller, the selling agent that's representing the ... I'm sorry. The name of the buyer, the selling agent representing the buyer, potentially the lender, and maybe even some closing details, because I know so much just in a few minutes.

So this just emphasizes that if you know where to look it's not hard. And this is assuming I'm not paying, unlike the kinda deep dark fraudster where I'm gonna go into the dark web and I'm gonna buy more of an enriched or curated profile on one of these folks.

So the next thing I wanna do is provide some practical tips on how to spot a fraud if it's coming into your organization. And last year we saw what I would describe as next-level fraud attempts and successes based on how they're communicating with title providers. The main profile that we're seeing heating up, and if you take one thing away today this has to be one of those, is mortgage payoffs. Mortgage payoffs, we wrote a whitepaper a few months ago on it. Mortgage payoffs is single-handedly the risk profile that's heating up faster than any others, and I predict it's gonna dwarf even the buyer-side fraud 12 months from now. Why? 'Cause the numbers are so much greater. Your payoffs on average are so much greater per wire than what you have as seller net proceeds, or your buyer cash to close coming in.

So I'm gonna unpack this. So think the setup of this is a fraudster impersonating a lender that is being paid off on a mortgage. So the fraudster shows up and says, "Good morning. A new revised payoff statement has been created for closing with updated wiring instructions. Please kindly send me your fax number so I can fax it to you. Also note we are funding a new deal with this payoff." So I'm gonna use this as an example to unpack these three critical sentences, and I think you'll see how it sets up the aperture to see that this is a fraudster coming in even on the first email.

First off, a new revised Payoff, capital P, okay. Well, that's interesting. What you have to understand and train your folks on, especially internally, the nuances, the things on the margin are those tells that we know we're probably now communicating with somebody that is in the industry, and they're doing a really good job of getting better each year, the fraudsters are, but there are tells, right? Capital P, "has been created for closing with updating wiring instructions." That's interesting.

What's also interesting is that, I learned this from the FBI speaking late last Fall, is there's always three components of a business email compromise or fraud attempt. Component one, new or updated information. Component two, some time aspect associated with this information, and the need to act. So new or updated information, you gotta act, and the last component is if you don't act there's some ramification to that.

"Please kindly send me your fax number so I can fax it to you." Please kindly? That doesn't even make sense. Plus we don't use the word kindly in the U.S. that much. There's more use of that word in other countries that use the English language as their primary language. But please kindly, that just doesn't even make any sense.

"So that i," lowercase I, "can fax it to you." The other thing, though, is they knew to ask for the fax number when they could've just attached the updated payoff, or embedded the information right in this email. That is super tricky, and what it shows is their domain expertise, that they understand what we trust. We trust the fax machine. So therefore I'm gonna fax it to you.

"Also note we're funding a new deal with this payoff." So we're starting to see for the first time reasons why the information's being updated. Do you fund new loans directly with payoffs from other loans? I don't think so. I think they're brand-new loans. I think the payoff is one side of the house, and the new loan goes to the other side of the house.

So off we go, and I'll speed up here a little bit. So the escrow officer at the title company responds, gives them the fax number, and then fraudster comes back and says, "Hey, fax has been sent!" Okay. You're excited about that. Great. It's a fax, right? It's not a lottery ticket. "Please confirm receipt. The amounts on this updated payoff are still the same as the old payoff!." Okay. I'd expect that they would be. We're getting ready to close. "Only wiring instructions," rather than only the wiring instructions, "have been changed as the seller is using payoff funds to fund another loan for a construction loan." Again, that doesn't make any sense at all. I don't care what you're doing with the payoff, right? But they're giving you a reason why.

This next statement, though, is telling. "Kindly," again, "use the updated payoff statement for closing and disbursement. Do you know when and what time it will close?" If you have a lender or somebody that is asking for funds on a payoff asking what time a closing's taking place during a day, or what time a wire will be released, you have to stand on the bricks. Because it just doesn't make sense. It's per diem, not per minute. They don't care. As long as you've added enough and you get it there on time to fully clear and settle the account you're gonna be fine. But there's that temporal aspect again.

The escrow officer says, "Hey, I got the payoff," kicks it to closing department, copies the closing officer, and, "Can you please advise on when this is set to close?" And then this is the payoff statement that was included. So you're gonna start to see these, unfortunately, more and more this year in your email stream, in your fax stream, and they're nearly dead knockoffs of the original payoff, which suggests they got their hands, the one on the left here is the original, the one on the right is the one that was updated a week later. The only thing they changed, guys, was the fact that the account number is different. They even opened up this fraudulent account at Wells Fargo in the jurisdiction of where this institution banks with Wells Fargo, 'cause the first three numbers of a routing number are jurisdictionally based. So they even matched on a one-to-one basis the routing number to avoid detection. So this is the best copy that we've seen early last year, and we've seen probably 20 others sent with that degree of sophistication.

Closing department responds and says, "Hey, looks like we're closing as we speak." Fraudster comes back, again, still on Thursday, "Please kindly use the updated payoff letter," I lowercase, "Just fax for closing and disbursement. Do you know what time the payoff funds will be disbursed?" So I hope you guys start to see the thread that is kind of being called out now in this email that you can identify. Closing department says, "We have this scheduled to disburse," to let them know when we're disbursing. So this is a three-day hold. This wasn't a purchase money mortgage. "It is not an investment. We received confirmation it just closed." Okay?

Monday shows up, and does the fraudster, because he's timely and he really wants his cash. "What time will the funds be disbursed tomorrow?" Very direct message into the closing department of the title company. Closer kicks it to disbursement department and says, "Please see below and advise." So at this point the title company is ready to disburse off of those fraudulent wiring instructions.

Tuesday shows up. Fraudster shows up again, overly anxious and eager at this point in my opinion. "Please kindly remember to use the payoff i," lower case, "sent previously for disbursement. What time will the wire be sent today?" And because he's a nice guy and efficient he attaches now the wiring instructions that he had faxed a few days earlier, and then shows up just after lunch to confirm it's been disbursed.

So what do we learn from this? I confirmed from the owner of the company, it's a very large national title agency that had the fraudster stopped at this communication on Monday they would have disbursed off of those fraudulent instructions, and it wasn't until they start to get the heat of these emails on Tuesday, like, "What's the problem, man? Calm down. We do this all the time," that they realize something was awry.

So what I mean to say here is that we as an industry need to be aware that this is not only happening, but we have to assume that our transactions are being profiled, and they can come in with incredible precision, armed with information that we don't know that they have to try to trick either our people, our customer or maybe one of our channel partners, like an agent or a banker or an attorney or someone like that. I think it also shows the fact that we have to have more of a conversation around this issue, and I'll get to that later.

So what are the repercussions? So a fraud takes place, then what does that mean? And we're gonna do a whole series on how to recover a wire fraud, 'cause we've assisted in several successful recoveries. What I wanna touch base on right now is a sort of recent case that was decided in middle of December of last year that starts to frame up a little more of who's responsible for wire fraud losses. 'Cause you go through a loss. You're gripped with anxiety and anger, and you have all this emotion and adrenaline running through you. Then you gotta get the money back, if you can, assuming that it was your money lost. You try to help the person, let's say if it's a buyer, if they lost the funds. But at the end of the day is that it? The buyer lost the money. I was spoofed. I'm not liable.

Well, the courts are stepping in through cases that are being decided that says maybe, maybe not. So a case was decided in eastern Pennsylvania, and here's the setup of this case. Small law firm. Senior partners working on a commercial closing, and 580,000 is going to be wired. Senior partner's email is compromised. Email request goes to a junior partner that says, "Hey, we need to wire the funds for the upcoming," whatever, "ABC Company closing, and I need it done tonight, and it needs to go to," literally, "the Bank of China." And the junior partner says when they email back, "Are you sure? It's not ready to close, and this is kinda coming out of nowhere." And there's a small email exchange, but ultimately the senior partner throws the gauntlet down, which is the fraudster throwing it down, saying, "Look, I'm in another part of the country. I'm stepping into a meeting. This has to happen right now." So when you talk about new information, timely, bad things are gonna happen.

So the junior partner relents, sets up the wire through Bank of America and releases it. Bank of America within an hour later does the callback procedure, confirms the identity of the junior partner and releases the funds. About an hour later they're talking. So this was later in the evening. The wire went out about five. They're talking somewhere around 7:30, 8:00 that evening, and the junior partner mentions casually, "Hey, that wire went out, so that's all set." Senior partner, "What are you talking about? What wire?" "Well, the one that-," and then obviously it was uncovered.

Excuse me.

What was interesting is even though they immediately reacted and contacted Bank of America for the recall, the recall was not initiated in a timely manner, and nearly all of the 580 was lost because of jurisdictional issues. So the law firm sues. Law firm sues Bank of America on a litany of different claims for the attorneys on the call. Breach of contract, breach of fiduciary duty, breach of torts through negligence, and all these things. And the court, interestingly, actually issued a dismissal in favor of Bank of America, called the summary disposition dismissal, a 12(b)(6) under the court rules, and the only way to get that is if the court is presented with facts so compelling that they can't find an issue of fact that could arise that warrants the case for even moving forward. Literally kicked this thing out of the court.

And in that decision, it's interesting, because the judge makes a couple really compelling quotes that I want to share with you. And one is this, "Any duty the bank owed to the law firm was contractual, not a duty based on social policy." What that means is he went into what's called the four corners rule, and looked at the deposit agreement, wire transfer agreement, the callback agreement, all these things that none of us read. I don't even know they're out there. You probably don't either. But yet they haul them in, throw them on the table in the court and say, "Look, all this is covered." And then thus the law firm, and this is so critical, may not recast their breach of contract claims against the bank as tort-based claims. What does that mean?

In almost every other litigation profile around the country the courts are dealing with negligence claims, the Bain case that we wrote a whitepaper on, right? Negligent misrepresentation is what the agent and the broker were held personally responsible for from a liability perspective. That is a tort-based claim. This court says, "We're not even going there. We got enough under the contracts, and therefore you can't recast these claims." And I think it's a pretty telling statement. The other is, and at the end of the opinion, and the judge is spot on here, "The computer hacker's the culprit, but the computer hacker isn't in the courtroom. So based at what I'm looking at as between the law firm and the bank the weight of this loss falls squarely on the law firm."

So it happened to be a real estate transaction. It happened to be a law firm, not a title company, but guys, this type of activity is the same profile that we're struggling with. So just know that the courts now are stepping in and starting to frame up the discussion points and, frankly, the risk profile that all of us share if there is a loss. So the main takeaways from kinda the educational piece today that I'm hoping you leave with are three. One, all information is out there and they are focused on real estate transaction. One of the things that I learned during my trial experience, during through witness prep and going down there and spending time with the lead investigators of the FBI, is that this issue isn't going away, and it's only going to get more sophisticated with more velocity. And the reason is is this isn't high-tech crime. This is systemic, strategic, but it's very low-tech, more high-impact. Because at the end of the day you're just tricking people. And it's easy to trick somebody if you can impersonate somebody well enough that, especially when you're not face-to-face. So that's what's happening.

Looking for last-minute demands and implied consequences in emails. We just have to take a beat now. We gotta use the old Reagan trust but verify. We really do need to slow-walk and say, "Okay, how do I know that I can trust this information, especially if it's information that is an update or a change to something that we have recently received?" And the other case in Bain shows that each of us play a role in the integrity of the transaction in what I call the chain of trust that we all get built around when we're trying to coordinate all the different things that we need to in our workflow to have a successful closing.

So from a next step standpoint I wanna provide an action item this month. Every month I'm gonna leave you with a tangible action item that I feel you should go out, train against internally. This one really hits your agents. So if you wanna do one thing to add value to your agents it would be this. Two-factor authentication being turned on their email accounts, time wise two-factor authentication. For those of you who don't know, typically to log into an account you need a username and a password. Two-factor adds an additional layer of security by initiating a unique code or token that would be put in in real time, and then account access is granted. So it would be username, password. I initiate a token request. I get the token. I put it in.

The stats are fuzzy on this, but conservatively the cyber experts are saying that this could avoid up to 70, maybe 80% of all business email compromise takeover just by having two-factor. Why? 'Cause these people are lazy. They're human. And if you put up enough walls and fences, think about it. You are the house on the block with the barbed wire fence and the rottweilers and the lights and the sirens and this and that. They're not gonna pick your front door. They're gonna go on to the neighbor's house, and that's what we're after. They're not gonna stop. They're just not picking this lock. We're gonna stay safe, and so are our customers.

So how do you do it? The shortcut, myaccount.google.com. You're gonna get brought to this landing page. You click on the security tab. From the security tab you'll see two-step verification. That's what you want. And then Google, 'cause they are 100% on board with this, walks you through a nice tutorial to set up two-factor authentication. And then you say, "Here's an extra layer of security. Keep the bad guys out." Which it will. And then you just simply walk through their methodology and get started, and it's an easy tutorial. You link your phone or another device to it. You can do it in multiple different ways. You can get a text message. You can have Google Authenticator send you a token from their apps. There's multiple different ways you can choose.

And then in case you lose your phone, or your kids throw it in the lake or whatever, you actually get to bind a secondary device to unlock in case you lose your primary device. So guys, I've been in sessions literally with hundreds of realtors, and I'll ask, "Hey, how many of you have a Gmail account?" 95% of them raise their hands. This is the last one I did, "How many of you have two-factor authentication turned on?" And only one hand remained raised, and the guy asked a question, what was two-factor authentication? So they are just simply not aware, and they need to, because when we look at hardening our security and lowering our risk profile, we have to bring in our referral partners into this conversation or we're gonna get exposed or spoofed, and then all of a sudden we're on our feet in front of court, and we didn't do anything, but yet we were drug into this because of the lack of what they call internet hygiene on one of the other partner's side.

So the other thing I'm willing to do, because I know some of you, everyone's on kind of a different continuum of where they are in their organization. We have the largest underwriters in the country on the call. We have very small agents and attorneys. We have everything in between. What I will say is you have to look at 2019, or at least I hope you will, and say, "We need to start making the investment in the technology, the commitment to the education, and going out and broadcasting what we've learned to keep the lives of our channel partners and customers more safe." So for those of you that wanna get started sooner than later I'm offering to do just a quick assessment, if you will, that might start the path, kinda kick start the path for you on some of these major foundational pillars. And after the call everyone will receive a link to my calendar just to schedule five or seven minutes. And everyone that goes through this I'm gonna send our list of security best practices, which is a really robust menu of what you should be considering in each area of these components.

So the first we talk about is just people. What are we doing to educate our internal staff? Are we using the times together to show by fraud examples, things like that. What investments and what should you look at on best practice around hardware and software to make sure the stuff isn't hitting your people in the first place? Process has to change. How we're confirming and exchanging and relying on wiring information, I think, everyone would agree is just not keeping pace with what we're seeing on the fraud landscape. And then lastly, insurance. We have E&O and we have Cyber. If you haven't gone through a renewal, if you have recently you'll agree, major changes in the last 12 months in the insurance landscape. And I'll go through some of those. We're gonna do a whole series on the insurance.

So some of the future topics. So I'm hoping that you'll come back, that you found this useful. We're gonna roll into questions, 'cause they're queuing up rather quickly now. But each month I wanna dive into the meat of some of these issues. We're gonna talk about phishing in business email compromise with examples of the top phishing lures that are hitting organizations and individuals. We're gonna be getting wire fraud law statistics. I already have some that are mind-blowing from last year. And we're gonna give it a landscape of what the velocity around this is. We're going to spend time on, "Okay, a wire fraud hit. What do I do next?" A minute-by-minute analysis of the steps and the sites and the phone calls and the confirmations that need to take place.

I'll bring on somebody, a special guest, to talk to you the issue of insurance and liability, because it's changing. You wanna make sure you don't have a gap with what your coverage is if there is a loss. And then we'll talk through as this evolves, data security best practices, and always fresh fraud examples. So if you guys have any suggestions or topics or things that you would like covered this is meant to be kind of a forum, if you will, where we can all huddle up, quick half hour, that was great, I'm gonna do some training on this, and then wait for next month's programming. I also invite you to invite your industry partners, your brokers, the mortgage compliance head, the people that you work with on a regular basis. They're free to attend this as well.

So with that ... I went one slide too far. In the panel section there's a question panel, and you can submit any question that you'd like to me. And they're showing up here on a monitor that I'm looking at. So I'm gonna start to walk through the actual questions that I've received.

One of them is are bogus lenders and others using real email addresses, or is the email address a tip-off? So I discussed this idea of impersonation versus being hacked. This is a great question. Normally what we see is that somebody is hacked. So we talk about this idea of encrypted email and all this stuff. And I'm not nixing encrypted email as a best practice, but understand it decrypts at rest. So if they have access to the account most encrypted emails allow you to put in the email account and then select your own password. So the fraudster can just unlock the encrypted email. So we haven't seen any instances where in the stream of email communication they're grabbing it out of the internet, pulling it down, deciphering the information, and then putting it back up. They're not that sophisticated.

But the question is what's the difference between impersonation and hacked? If it's hacked then it's coming from the actual email, and that's what we've seen on a profile of the buyer-side fraud, where it's coming ... The Bain case, it came from the seller's email account, the wiring instructions that went to the buyer, and then the buyer was defrauded. Bank emails, we've had situations where a mortgage broker's email was actually compromised and revised CDs and instructions were being sent to the closing parties.

A spoofed email is one that looks really similar. So for example, I'll use one of our brands, Sun Title. Well, they could register a domain suntitles.com, or they could register, rather than the L in title they could register an I so it looks like it is coming from the right company, but it's not. If you're being spoofed it's a good indication that you're not hacked, and that someone else in the transaction is hacked and is being influenced by that communication. But to answer the question directly, we're seeing both. We're seeing they're hacked and they have control over the email, and they'll write scripts that any email communication in this fraud chain get dumped into a deleted folder, or swept away so the actual account holder can't see it. But also we're seeing really kinda next level spoofs where you hover over it, it looks like it's coming from ABC Bank or ABC Title, but you have to dive a little further in to see the root domain of it. It's called second-level masking that we're seeing.

One question is we receive a lot of phishing emails. We assume we are all safe as long as we don't click the link, right? So the answer to that is absolutely. So this is a situation where training and education, guys, is our best line of defense, internally and externally. How we're training our staff, if you're not expecting an email, or the email just seems out of the ordinary, the timing of the email seems odd based on what I've seen, all those things need to be red flags. And before you click on an attachment send it to your IT provider and make sure it's clean, and you sandbox it, what's called sandboxing, before it gets released into the distribution chain internally.

But the number one thing that you can do, 'cause sometimes just clicking on it you could install a little piece of software called malware, and then who knows what that does. They can monitor keystrokes and sessions and screen views and things like that.

Another question, how many mortgage payoffs have you heard of that were successful where the title agent's held responsible? How many successful? I would say last year ... So here's the maddening thing about fraud right now, is that we're not talking enough about it. So what I'm about to say just you could multiply probably by 100, maybe 200 around the country, maybe even more, because people just aren't raising their hands saying, "Yeah, I sent money to a fraudster thinking I was sending it to ABC Bank." So I know of at least a half a dozen successful mortgage payoffs that were diverted last year based on just the communications that we've had directly with customers. I'm sure the FBI has seen hundreds and hundreds more.

So I'm hoping that this is the year where we as an industry ... The title industry has asked to receive all the money, close the file, push all the money out of the escrow accounts. So I'm hoping that this is the year we come out and say, "You know what? We didn't create the problem. The problem isn't going away. Let's have a more honest timely conversation with everyone about what this means," internally and externally. Just because you had a fraud attempt or you were being profiled or you had a near miss, it's not your fault. You're just doing business. And that's what everyone is feeling.

How are the fraudsters able to bypass the PATRIOT Act? Why can't the bank not verify the identity of a fraudster? I don't mean to be too cavalier about this, but the know your customer rules under Dodd-Frank just simply aren't working. So I could go into the dark web, and for depending on the profile and the person I'm trying to impersonate, 15 to maybe $40 on the high side, and I could have every piece of information on an individual that I'd like. What's interesting is when the bank is in front of you and you're doing this kind of weird conversation to meet their know your customers, they don't have a picture of you on their screen. So you could present to them a fake driver's license and a second form of ID, along with anything else that they have made, and you're gonna get account access. The same is true if you're doing the account access online. You just need to be able to answer the questions.

We've seen corporations set up in names of other corporations that are being defrauded, so that when the title company calls back the bank and says, "Hey, is this," whatever, "ABC Holding Company?" And they say, "Oh yeah, it's ABC Holding Company. Wire the funds here." And that's being a fraudster that had created an EIN number and an account and everything in the name of the person they're trying to defraud.

Another question I wanna answer, can you do two-factor if you don't use Gmail? In most cases yes. So Gmail, your large platforms ... And two-factor, guys, isn't just on Gmail. You can put two-factor on Facebook, on LinkedIn, if you use collaborative sites to work in groups. You need to look at every account setting that you have personally to see if you can turn this on, because they infiltrate and then they start squirreling around and getting information that they shouldn't. If you can't use two-factor authentication one of the other strategies is using dedicated VPNs, virtual private networks, that are machine-based, between each device in your company and your company's servers. So that reduces a little bit of friction at the user level, and I would say even heighten security for the organization. So I would say at a minimum two-factor authentication. If not, take the additional steps, it's not that costly, ask your IT provider about private VPNs that are machine-based.

The link to the presentation today will be distributed to share with the rest of my staff. So we'll be providing a link to the presentation for everyone that attended. Like I said, this is meant to be open and collaborative, and have content that you can then share with others. Please share with your staff and invite anybody that couldn't make it today to watch this and attend next month's. I'm hoping to grow this group that we've created here north of 1,000 each month to start to really disseminate this information that we have.

I think we're out of time. I'm gonna hold myself to a commitment, 'cause I could talk for the rest of the day. But I wanna say this, guys. Thank you for the 45 minutes we've spent together. We'll follow up with some emails if you wanna take advantage of just a few minutes with me, and I can start to set the framework of some of the more important priorities you might wanna look at from a data security perspective. You can click on an email, and any feedback you have on this please provide it. And also on LinkedIn, please follow me on LinkedIn. I'm posting videos and blogs that you guys can use as little snippets for training, and feel free to share and comment on those as well. So with that, I wanna thank you for the time today. The LinkedIn connection is just Thomas Cronkright. There's my direct email. And I hope you guys have a wonderful and safe rest of this month until we connect in the middle of next month. Take care. Thank you.