In December 2015, the National Association of REALTORS^® (NAR) sent out an urgent alert warning that criminals were hacking into the email accounts of real estate agents or other persons involved in transactions and using the information gained from the hack to dupe parties into fraudulent wire transfers. And we probably thought to ourselves that this scam was absolutely terrible, but we were relieved that it was not happening to those in our marketplace. Unfortunately, that is not the case. The FBI has reported three attempts to defraud Wisconsin title companies, brokers and their transaction parties during the past couple of months. This scam is right in our backyard — not just somewhere else.

Wire fraud scams hit Wisconsin

In late December, a Milwaukee-area title company emailed wire transfer instructions to a real estate agent whose client was purchasing a residence. The buyer client needed to take approximately $115,000 to closing. The wire instructions provided to the agent listed a SunTrust Bank routing number and account number, and the “from” line in the email listed an email address for a title company employee that the agent was familiar with. 

Unbeknownst to the title company and the buyer’s agent, an unknown subject (UNSUB) had intercepted the email containing the wire instructions, changed the routing and account numbers, and sent the email to the real estate agent. The buyer then wired more than $115,000 to the UNSUB’s designated bank account. It is too early in the investigation to know whether the UNSUB hacked into the title company’s account, the agent’s account, or both, but it appears almost certain that at least one of those situations occurred. It was not determined that the wire instructions had come from a bogus email account until after the wire had been sent. 

In late January, an UNSUB sent an email to a different Milwaukee-area title company, pretending to be a broker who was representing a seller in a purchase transaction. The UNSUB indicated in the email that her seller clients wished to have the sale proceeds wired to a designated bank account, which turned out to be the same SunTrust Bank account used in the first described scam. The title company alertly noticed that the broker’s email address was slightly different than the one she normally used. The bogus email address ended in “@mail.com.” The title company contacted the broker and verified that she did not send the email containing the SunTrust Bank routing instructions. At the FBI’s request, the title company responded to the UNSUB with an email indicating that they had been unable to wire the proceeds to the designated bank account and requested that the UNSUB provide an alternate account number. The UNSUB then sent an email listing wire instructions for a Bank of America account.

Also in late January, an UNSUB attempted to have $400,000 wired to the same SunTrust Bank account. 

FBI recommendations

Obviously everyone should be extra careful before wiring any funds in response to email wire instructions. At a minimum, the individual who will wire the funds should confirm the wire instructions with the person who sent them. This confirmation must be done using contact information other than any information from that email because the contact information there will likely be bogus if the wire instructions are fraudulent. For instance, if the email came from a REALTOR^®, use a telephone number you already had or contact information such as telephone numbers of fax numbers that you find on the company website or the WRA website. Verify that the person sent the email and that the instructions are correct before any wires are sent. 

The FBI also recommends that individuals change the passwords for their email accounts on a regular basis — at least every 90 days. Talk to your IT administrators about checking email accounts on a frequent basis to ensure that the IP addresses utilized to access your email accounts are IP addresses that correspond only to the devices you use. The IT administrator may also be able to help with locating and understanding the metadata contained in the email header if you have received a suspicious email.

NAR prevention pointers

NAR has received reports that sophisticated email scams are targeting the real estate industry. Typically the criminal hacks into the email account of a real estate agent or other person in the transaction and uses information that’s been acquired to dupe the buyer into a fraudulent wire transfer. The hacker will send a legitimate-looking email informing the buyer of a last-minute change to the wiring instructions, and the buyer dutifully sends the money off to the criminal. 

Bank wire transfers are highly regulated and generally are very secure. The points of vulnerability come from outside of the banking system itself. A criminal will hack into a real estate professional’s email to monitor the emails and transactions discussed, then lie in wait for the best opportunity. At that time, the criminal will email the buyer in a transaction, pretending to be the agent or the title company representative, giving the buyer new wiring instructions. This email will likely look legitimate because the criminal has been studying the agent or representative and has learned the tone of that person’s emails and knows the transaction details from monitoring the emails. This email can be very hard to catch until it is too late. 

NAR offers several suggestions to try to prevent wire fraud:

1. Avoid sending sensitive financial information via email or use encrypted email. Ask the company’s IT consultant for help in setting up a secure email system and/or encryption.
2. Use up-to-date firewalls and anti-virus technologies.
3. Educate parties about the possibility of fraud and the brokerage communication practices.
4. The person wiring funds should contact the intended recipient immediately before sending funds to confirm the wiring instructions using independently authenticated contact information — not any contact information from the email.
5. Avoid opening suspicious emails and unsolicited attachments.
6. Clean out email accounts on a regular basis.
7. Change usernames and passwords on a regular basis, and be sure to use hard-to-guess passwords with a combination of letters, numbers and symbols.

If a broker or party fall victim to wire fraud, the following steps are recommended: 

• Change usernames and passwords.
• Contact clients and other impacted parties.
• Report the fraud to the FBI Internet Crime Complaint Center at www.fbi.gov/scams-safety/e-scams in addition to the FBI agent listed in the gray box on the next page.
• Report the fraud to the Federal Trade Commission at www.ftccomplaintassistant.gov/#crnt&panel1-1.
• The broker should report fraud to their state and local REALTOR^® associations.

Best practices for avoiding cyberfraud

In addition to the tips listed above, a brokerage firm should develop and enforce formal policies for ensuring data security:

• Create, maintain and follow a comprehensive Data Security Program and Document Retention Policy. See NAR’s Data Security and Privacy Toolkit for guidance at www.realtor.org/law-andethics/nars-data-security-and-privacy-toolkit. 
• Avoid storing clients’ personally identifiable information for longer than absolutely necessary. When you no longer need it, destroy it.

Unsecure email accounts are open doors to cyber criminals: 

• Never trust contact information in unverified emails. 
• Store important emails on your hard drive. 
• Do not use free Wi-Fi to transact business. 

If you have the bad luck to experience a breach of data, a successful scam or a hack:

• If a money wire has gone out, immediately contact the bank to try and stop the funds. 
• Notify all affected or potentially affected parties. Many states have data breach notification laws. 
• Change all of your passwords. If possible, change usernames as well. 
• Talk to your attorney. 
• Contact the police. 
• Report the breach to the FBI Internet Crime Complaint Center at www.ic3.gov/default.aspx.
• Report to your REALTOR^® associations.

Contact the FBI 

If you or anyone has been a victim or attempted victim of a scheme that sounds like any of those described in this article, contact FBI Special Agent Brian Due at Brian.Due@ic.fbi.gov or 414-291-4305.

Resources