There’s a lot of discussion about phishing scams in the mortgage industry, and it’s well-deserved; the latest RSA Quarterly Fraud Report indicates that phishing accounts for 50% of all fraud attacks, and that’s up 70% from the previous quarter.
The biggest threat, though, is still classic wire fraud, according to Bruce Phillips, SVP and Chief Information Security Officer at Williston Financial Group.
The losses are staggering: in 2017, data from the FBI’s Internet Compliant Crime Center puts losses from “business email compromises” at $675 million, which was in increase from $360 million in 2016. Although Phillips hasn’t seen the latest numbers, the estimates are more than $1 billion for 2018.
“It’s continuing to increase, and I don’t see an end in sight to this because they’re making money at it. As a matter of fact, what we’re seeing is the number of actors that have joined in and now are playing in this pool has increased,” Phillips said.
Phillips said that the nature of the attacks have also changed. It used to be that nearly all of the wire fraud attempts were to redirect the funds out of escrow; now, the scams are direct to buyers and sellers. It’s much easier to get consumers to slip up, but it can be more devastating since there is no recourse once the money is gone.
“There’s so many pieces of paper you have to sign, there’s so many things you’re being told about, and they’re coming from so many different angles, that how do you educate them in that? And that’s probably one of the biggest challenges we have, whether you’re a real estate agent, a mortgage broker, a mortgage lender, a title and escrow officer, we all have to singing from the same playbook and try to get into their moment so that they recognize that this is happening,” Phillips said.
Most consumers aren’t paranoid about the risks and the need for constant vigilance regarding electronic communication, so Phillips suggests a few touch points that may make the conversation easier:
1. You can’t trust email
This may be the toughest, seeing that most people today use email for a large majority of their communication. But it is not a secure way of communication, and it’s easy to spoof. Using it to relay any kind of sensitive information is a big risk.
2. Call before wiring money
When transferring large sums of money, instruct consumers to call a known, established number of the institution to confirm that the name and account number of the bank from the wire instructions is correct. This might be even harder than the conversation about email because the new wave of homebuyers does everything on their phone—except make a call, Phillips said.
3. Free WiFi has its risks
Under no circumstances should anyone conduct business over free WiFi unless operating using virtual private network (VPN) software to encrypt data. For those people who have taken it a step further and use their phone for a large part of their business or personal communication, (everyone’s guilty as charged), having a PIN or passcode doesn’t just protect it in the event of loss; Phillips said that having that extra layer of protection encrypts everything on the phone. No PIN/password, no encryption.
4. Multi-factor authentication
For both originators and consumers, multi-factor authentication is a much. So much so that Phillips said that if people don’t have it activated, “Stop what you’re doing now and go turn it on. That’s number one. Number two, if you haven’t changed your passwords in the last 90 days, change it. And number three, don’t ever reuse passwords.”
These tips are nothing new, however, millions upon millions of dollars continue to be lost year after year because people and businesses aren’t taking appropriate precautions. Some of those steps will cost, and that’s a real challenge to small businesses. But, Phillips said, managers need to assess their risk. Taking margin compression into account, how much additional business has to be done to compensate for those losses? For real estate professionals, it means extra properties that they have to market and sell, so sharing this information with those partners can be of great use to them.
“If you look at it from the perspective of what the average loss is and what it would take for you to get there and recover that loss, then it’s a different discussion,” Phillips said. “I will tell you right now: if they are successful once, they will be back. If they try two or three times, they just may move on to somebody else. But one success . . . it seems like everybody comes out of the woodwork.”
Wire fraud isn’t particularly high tech (although Phillips said that the masterminds of the operations have become savvier over the years when it comes to expanding their operations). The benefit for originators, their clients and partners, then, is that they don’t necessarily have to be particularly tech savvy to fight fraud.
Sometimes it’s as simple as being aware—and being wary. If something appears in an inbox and it’s not expected, question it. Every originator who can convey that level of healthy skepticism to their clients and partners is helping to protect them. If something doesn’t look right, or if it causes pause in any way, then use another method of communication such as a call or a text to question the sender.
“You don’t want to run your life being scared all the time, but that’s really the thing: if it looks wrong, or if it’s just concerning, or if it looks out of ordinary, then it probably is,” Phillips said.