WFG News

Q & A on Cyber Security and Wire Fraud in Real Estate

By February 21, 2018 One Comment
Q & A on Cyber Security and Wire Fraud in Real Estate

By: Bruce Phillips, CISSP
SVP & Chief Information Security Officer
Williston Financial Group, WFG National Title Insurance Company®, West
a WFG Company

Cyber Security and Wire Fraud, two terms that are becoming more familiar to people. In day to day operations most people do not think of Cyber Security, and Cyber Crime is that thing that happens to other people.

Most people have only heard about Fraud and Data Breaches on the news. Today, more people in the Real Estate industry know someone whose computer was infected by a virus, or have been involved in wire fraud (either successful or unsuccessful).

In this article I will answer several common questions on Cyber Security and Wire Fraud related to the Real Estate industry. I am sure that you will have questions, and the challenges for protecting sensitive information continue to increase. In future posts I will attempt to address those, helping to keep you informed on these important topics.

1. What is the most common form of cyber fraud you see?

Without a doubt, that would be Wire Fraud. The number of attempts we see has increased dramatically, and the success rate of the malicious attackers has followed. In addition, the success rate in retrieving the funds has gone down.

There are a number of factors that I can attribute these changes to. First the change in target from settlement services to buyers has resulted in better success rates for the malicious attackers. That success has drawn additional malicious attackers into the game. This new wave of malicious attackers has brought with them new techniques for perpetrating the attacks.

With the increase in attacks have come an increase on the focus of preventing wire fraud and, in those cases where the wire was sent, a stronger process for recalling the funds have been created. Successes in recalling funds have driven the malicious attackers to create a counter strategy.

As a result of the massive increase in fraudulent wires, several banks have instituted a multi-step process when dealing with the request to return the funds. First the receiving bank will freeze the funds, if they have not already been moved. Then they will request a “Letter of Hold Harmless” from the sending bank before the funds are returned. A “Letter of Hold Harmless” is a legal instrument that generally requires that legal teams from both institutions agree on the wording, which can take time.

These 2 steps have caused the malicious attackers to change their processes. First, they have become much quicker at moving the funds out of the receiving account, sometimes to multiple follow on accounts, to avoid the “freezing” of the funds. In some cases, the malicious attackers have hired attorneys to successfully un-freeze the funds while the sending and receiving banks are agreeing to the “Letter of Hold Harmless” wording.

2. What is the number 1 thing you would warn Real Estate Agents against?

Don’t trust email.

Email is the genesis of multiple types of cyber-crime, from credential harvesting to fraudulent wires. The cost to malicious attackers for sending emails to a mass audience (phishing) is extremely low. Additionally, the quality of these emails has gone up making them harder to detect. The information obtained from those phishing emails provide the malicious attackers details that they can use in targeted emails (spear phishing) looking for specific information or credentials.

Files attached to emails can be used to install software on your computer that can encrypt all of the data on your computer and hold it for ransom (ransomware). Or they can install software to collect the usernames and passwords that you use (key loggers) and send them to the malicious attackers. Malicious attackers can also send you files that, if you open them, can take control of your computer, turning it into a zombie that is part of a Botnet controlled by the malicious attackers and used to attack others on the internet.

3. Have you seen any new ways scammers are trying to commit wire/cyber fraud?

There are two techniques that come to mind, both of them require extra diligence when looking at emails.

Targeting the Buyers:

Malicious attackers are shifting their target to the buyers, and just recently they are adding SMS (text messaging) to their repertoire. Regardless of whether or not the settlement services companies use email to communicate wire instructions, the malicious attackers know that that was the practice in the past and they are using emails sent to the buyers to redirect funds.

Why is this successful? It is very easy to spoof (fake) emails. Malicious attackers can put any email address they want in the “from” field of an email, that is what is displayed in the email application. They then use a different address in the “reply-to” field (that is the address used when replying to an email) so that when the buyers reply to the email they are actually communicating with the malicious attacker. Other techniques include using or creating similar domain names (the part after the @ sign).

Examples of these are:

  • instead of
  • instead of
  • instead of

The latest twist is using text messages to add legitimacy to the request. The buyer receives a phone call with the number not blocked. The malicious attacker fakes a poor connection then disconnects. Moments later, the buyer receives a text (SMS) message from the same phone number stating some sort of qualifier like “Hi, I tried to call you on behalf of your escrow officer/real estate agent relating to your purchase. You will receive an email shortly with your wiring instructions.” The malicious attacker then creates a fake email (using the techniques described above) and sends the buyer an email with fraudulent wiring instructions.


Why go to all the bother of writing ransomware that demands victims pay a Bitcoin ransom? If all you want is cryptocurrency, why not use the infected computers to mine the crypto coins themselves? That way you don’t have to rely on a human victim buying some Bitcoin, and nervously making their way onto the dark web to make their ransom payment. According to security researchers at Proofpoint, that’s exactly the reasoning shown by online criminals who are moving from regular ransomware to crypto-jacking/crypto-mining.

Similar to ransomware, attachments in emails are used to install software on victim computers. The troubling news is that some web sites that you may go to have been compromised to install the Crypto-Mining software on your computers, sending the mined bitcoins to the malicious attackers.

4. If you could give a Real Estate Agent advice on how to avoid being a part of cyber fraud, what would that be?

Change your email password and enable Second Factor Authentication on your email account. If you are not already doing so, change your password to a strong 10-character password, every 90 days. And if your email provider supports it use Second Factor Authentication. If your email provider does not support Second Factor Authentication, you should consider changing your email provider. Those two simple changes ensure that you are no longer the source of information the attackers use to defraud your customers.

Don’t use the same password for everything. If you do, the malicious attacker only needs to find that one password to gain access to everything (email, banking, investment, etc.…), and they will try that one password everywhere. Also, don’t use similar passwords. Merely changing a number or a couple letters, while the rest is the same, does not keep malicious attackers from recognizing your password pattern and using it to quickly find your other passwords.

Don’t trust links received in email, if you want to go to the web site, type in the address yourself. Also, don’t trust files attached to an email, especially if you are not expecting it. When in doubt, pick up the phone and call to confirm that the sender sent you that file.

Use commercial anti-virus software, and update it frequently (most will allow you to let them auto-update).

Patch/update your computer software religiously. If an update or patch is released apply it as soon as you can.

Update your phone as soon as you can. Attacks on phones are increasing.

5. Are there any options for making sure your device is secure when using free Wi-Fi?

Distrust free Wi-Fi, it can be easily impersonated. If that happens then the malicious attackers can capture everything you send or receive, including usernames and passwords.

  • Never use public Wi-Fi networks to access sensitive information or business email. If you need to get online to browse for directions or do something else that is less sensitive remember the risks that you are taking.
  • Know the Wi-Fi network you are connecting to, don’t just blindly connect to any Wi-Fi network. If you are in a restaurant, coffee shop, hotel, or other business verify the name of their Wi-Fi network, and prefer those that require a password over wide open networks.
  • If you regularly use public Wi-Fi or need to access sensitive information or business email, using a Virtual Private Network (VPN) is a must. You can find a variety of trusted VPN services online, but if you want a trustworthy and reliable service you will have to pay for it.
  • Only browse websites that start with HTTPS and avoid websites that start with HTTP while on public Wi-Fi. Websites that start with HTTPS are encrypted, adding an extra layer of security and making your browsing more secure. If you connect to an unsecured Wi-Fi network, and use regular HTTP instead of HTTPS, your traffic is visible if hackers are snooping around in the network. Never enter a password into a website that does not use HTTPS.
  • Configure the wireless settings on your devices to not automatically connect to available Wi-Fi hotspots. This ensures that you do not unknowingly connect to public networks.