Cyber Snipers Zero In on Industry

September 13, 2016

By Jeremy Yohe

One morning earlier this year, Maureen Pfaff received a random email requesting her title company to wire nearly $11,000 to a TD Bank in Florida. The general manager and chief financial officer for Olympic Peninsula Title Co. immediately became suspicious because the email came from her father. He wouldn’t make a request like this via email.  >>

“Additionally, the formality of the email and signing it the way they did was a dead giveaway,” Pfaff said.

Realizing it was a scam, Pfaff strung the criminal along, eventually sending something encrypted so she could get an IP address to include in the complaint filed with the FBI. Pfaff created a fake wire transfer notification in an encrypted email, which generated a report when opened.

Pfaff said this was the third fraud attempt the company has experienced in the past six months. “They’ve all been different strategies,” she added.

Pfaff isn’t alone. Title agents and lenders alike are seeing increased reports of attacks across the country. Signaling the growing threat, the Federal Trade Commission (FTC) issued a warning to homebuyers about email and money wiring scams. Hackers have been breaking into some consumers’ and real estate professionals’ email accounts to get information about upcoming real estate transactions.

After figuring out the closing dates, the hacker sends an email to the buyer, posing as the real estate or title company professional. The bogus email says there has been a last-minute change to the wiring instructions, and tells the buyer to wire closing costs to a fraudulent account. The FTC warns consumers that email is not a secure way to send financial information.

Email Fraud Schemes on the Rise

Total losses due to account takeover schemes more than doubled in 2015 while losses related to fraudulent email attacks increased nearly threefold, according to a report from PricewaterhouseCoopers’ Financial Crimes Unit. An account takeover occurs when an attack either obtains an individual’s personal information—such as user name, password, account number, Social Security number—or impersonates a customer to gain access to bank accounts or payment systems to make unauthorized transactions. According to PricewaterhouseCoopers, between October 2013 and August 2015 this type of fraud netted hackers over $1.2 billion.

The report says the fastest growing form of account takeover scheme is business email compromise, which uses the hacked or spoofed email account of an employee or customer to initiate a fraudulent transaction. The report says that attackers often research a target’s schedule, waiting until the target is traveling or unavailable for immediate verification. An unsuspecting title or settlement agent receives the email and carries out the wiring instructions, unaware that the email was not legitimate. The funds are then routed to an account controlled by the hacker.

“Account takeover fraud results in reputational damage, loss of client confidence and significant financial liability,” the report said.

Exploiting Human Nature

Verizon’s latest Data Breach Investigations Report also shows phishing schemes picking up dramatically. According to the survey, 30 percent of phishing messages were opened—up from 23 percent in the 2015 report—and 13 percent of those clicked to open the malicious attachment or nefarious link.

Adding to the list of human error are those caused by end users of an organization. Miscellaneous errors take the No. 1 spot for security incidents in this year’s report from Verizon. These can include improper disposal of company information, misconfiguration of IT systems and lost and stolen assets such as laptops and smartphones. In fact, 26 percent of these errors involve people mistakenly sending sensitive information to the wrong person.

“You might say our findings boil down to one common theme—the human element,” said Bryan Sartin, executive director of global security services for Verizon Enterprise Solutions. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?” 

Don’t Rely on Email to Confirm Wire Instructions

Earlier this year, a new wrinkle in cyberattacks hit the title and settlement industry. An independent escrow company in Southern California received a “legit-looking” email from a lender confirming two wire instructions for a total of $650,000. Instead of verifying the wire confirmations through the lender’s website, the escrow company trusted the email.

Escrow employees sent $650,000 to an account supposedly owned by a party that didn’t exit. Unfortunately, the email was a fake. One of the wires was recalled. The second wire was not and the consumer lost $133,000.

“Title and settlement agents need to know that this can happen to them,” said Bill Burding, general counsel for Orange Coast Title. “When you get a wire confirmation from a lender, don’t disburse off it until you verify it on their website. Companies need a formalized policy of confirming disbursements online.”

Burding said title agents should call their lender if confirming wires online is not an option.

“If your bank doesn’t offer online verification, you shouldn’t be banking there,” he added.

Deliver What You Say

The rash of attacks supports the need for title and settlement companies to implement a system to protect customer data. Whatever system a company employs, it’s important to accurately explain how data is protected. The FTC recently issued a consent order against Henry Schein Practice Solutions, a software provider for dental practices, for allegedly marketing its software using deceptive assertions. The FTC fined Schein $250,000 for alleged false marketing advertisements related to the level of encryption the company provided to protect patient health data.

Schein advertised that its software provided industry-standard encryption methods to protect sensitive patient information as required by the Health Insurance Portability and Accountability Act (HIPAA). However, the FTC alleged that Schein was aware that its software did not comport to the Advanced Encryption Standard, which the National Institute of Standards and Technology (NIST) recognizes as meeting the regulatory data encryption obligations under HIPAA. By failing to meet the encryption standards identified by the NIST, Schein was found to have misled patients about the level of protection its software provided.

The significant fine the FTC assessed for Schein’s deceptive marketing correlates with the type of data Schein was encrypting. “Strong encryption is critical for companies dealing with sensitive health information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “If a company promises strong encryption, it should deliver it.”

The primary lesson that title insurance and settlement companies should take from this consent order is the importance of clearly and accurately identifying encryption methods. The primary lesson that title insurance and settlement companies should take from this consent order is the importance of choosing secure encryption methods. When choosing software to handle security, pay special attention to the actual encryption details rather than the marketing spin. Steer clear of products that might claim to be secure while not actually conforming to industry encryption standards. Implying that the services meet certain regulatory standards may be seen as deceptive, as Schein’s advertising was found by the FTC in this case.

In another action by the FTC, Wyndham Hotels & Resorts in December settled charges that its security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches. Under the terms of the stipulated order, filed in the U.S. District Court for the District of New Jersey, Wyndham agreed to:

  • Implement a comprehensive data security program
  • Conduct a Payment Card Industry Data Security Standard evaluation and engage in yearly assessment of the handling of customer payment card information
  • Comply with 20 years of compliance to the FTC on the settlement agreement requirements

According to Steve Gottheim, ALTA’s senior counsel, this decision suggests the FTC has authority to go after companies that were hacked, sanctioning them for unfair trade practices instead of the traditional Gramm-Leach-Bliley Act privacy law.

ALTA’s Title Insurance and Settlement Company Best Practices require that title insurance and settlement companies encrypt non-public personal information that is sent electronically. The ALTA Best Practices also requires companies to provide a copy of their privacy policy to customers and to alert customers if a security breach occurs as required by law.

NAIC Gets Involved

The National Association of Insurance Commissioners (NAIC) and state insurance regulators are ramping up efforts to tackle cybersecurity issues. The NAIC’s Cybersecurity Task Force adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance in April 2015. The 12 principles adopted direct insurers, producers and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them. In addition, the NAIC is developing new reporting requirements for insurers to better track cyber insurance policies issued in the marketplace.

Responding to feedback and pressure from ALTA and state regulators, the NAIC’s commissioner agreed to hold an extended in-person discussion to address concerns about the association’s proposed state model cybersecurity law.

In March, ALTA submitted a letter to the NAIC’s Cybersecurity Task Force outlining concerns with the group’s draft Insurance Data Security Model Law. ALTA encouraged the NAIC to work with state attorneys general and consider whether states will pass two different data security laws: one for insurance and a separate one for all other businesses. ALTA suggested that the NAIC host an open conversation about data security that facilitates consensus about our shared goals and pain points. Finally, ALTA expressed concern that the proposal does not adequately take scalability into account. ALTA believes that an insurance-specific data security law could conflict with other state and federal data security laws, making it difficult for title and settlement agents to comply with all their legal and contractual obligations.

“We are concerned that the Preliminary Working and Discussion Draft would not establish a single standard for consumer protection, which is likely to create confusion and conflict among various regulators, state attorneys general, courts, industry and consumers,” Justin Ailes, ALTA’s vice president of government and regulatory affairs, wrote in the letter. “As currently written, the Preliminary Working and Discussion Draft appears to take the most severe penalties, adds an extensive additional regulatory burden and private rights of action under state regulation. No state today approaches data security in this manner.”

As it continues to consider a standard for data security and investigation and notification of a breach of data security, ALTA encourages the NAIC to consult existing state and federal requirements that licensees are already required to follow.

“It may also be prudent for the NAIC to engage with and solicit comment about the Preliminary Working and Discussion Draft from state and federal regulators including state attorneys general, the Federal Trade Commission (FTC), and Consumer Financial Protection Bureau (CFPB),” according to Ailes.

Interestingly, a new report from SecurityScorecard shows that U.S. federal, state and local government agencies rank last in cybersecurity when compared against 17 major private industries, including financial services, retail and health care.

The analysis measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on public social networks.

CFPB Licks Its Chops

Sending a warning shot to the industry as to its expectations, the CFPB in March took action against online payment platform Dwolla for deceiving consumers about the safety of its online payment system. The CFPB ordered Dwolla to pay a $100,000 penalty and fix its security practices.

The CFPB cited its authority under the Dodd-Frank Act to protect consumers against deceptive practices and false representations. This was the bureau’s first data security action, and builds upon advances made by several other agencies, including the FTC. The consent decree said Dwolla falsely claimed its data security practices “exceed” or “surpass” industry security standards and claimed information was “securely encrypted and stored.”

“Rather than setting ‘a new precedent for the payments industry’ as asserted, Dwolla’s data security practices in fact fell far short of its claims,” the CFPB stated in its action letter. “Such deception about security and security practices is illegal.”

In addition to paying the penalty, the bureau ordered Dwolla to train its employees on company data security policies and procedures, and on how to protect consumers’ sensitive personal information. Dwolla also was ordered to fix any security weaknesses found in its web and mobile applications, and to securely store and transmit consumer data.

Rajesh De, the former general counsel to the National Security Administration, now leads Mayer Brown’s cybersecurity practice. According to De, the case highlights the standards that regulators are expecting from companies with regards to data security, such as the development of written security plans and risk assessments.

Stop and Take a Breath

While many of the fraudsters target real estate agents or homebuyers involved in a purchase transaction, Lisa DeWolf, senior vice president and director of operations for Trident Land Transfer Co., shared details on a recent attack involving a seller’s mortgage payoff.

 The title company received a mortgage payoff statement via fax from an unfamiliar lender in Oregon. As was typical with payoff statements, the incoming document was three pages long and printed on company letterhead. The settlement was scheduled and the closer began communicating by email with the fraudster. The thief informed the closer that “the lender’s account was under upgrade and would she kindly respond to his email to receive the new wiring instructions.” The closer responded and eventually received a revised payoff with a few minor changes:

  • The amount the closer was required to collect from the seller and wire to the bank increased by a little more than $500.
  • The bold, upper-case sentence informing the company to call the lender to verify payoff information from the first page and replaced with new wire instructions. In addition, the lender signature and phone number were not on the revised payoff statement.
  • Page three, which included the breakdown of a fee totaled on page one, was typed in a different font. At a glance, this was the most noticeable red flag.
  • The sender’s email address changed from firstname.lastname@bankname.com to firstnamelastnamebankname@gmail.com. This shift from a legitimate corporate email address to Google’s free email service was another obvious area of concern.

Fortunately, the closing was postponed. The new closer assigned to the closing noticed the many, subtle red flags. Although Trident Land Transfer has many procedures in place—including secure email and a stringent policy around wires—it was the lender’s email that was hacked. DeWolf encourages stringent training on the different scenarios for everyone involved in closings. If it weren’t for the keen eyes of Trident’s closing team, this situation could have had a very different outcome for the company.

“Anyone moving too quickly may have followed through with the fraudulent instructions,” DeWolf said. “These criminals are becoming very clever, cutting and pasting existing verbiage from legitimate correspondences into their communication to you.”

The moral of the story is that everyone needs to remember to slow down and pay attention to the details.

“How many people, and especially banks, do you know who change their bank account information at the last minute? Not many. Last-minute changes in wiring instructions are a huge red flag,” DeWolf said. “This illegal activity on our industry is very lucrative for these crime syndicates. Cyber criminals know that this is a very busy time of year for our industry and our teams are juggling many balls at once. They are counting on us to drop one.”

Jeremy Yohe is ALTA's vice president of communications. He can be reached at jyohe@alta.org.


Contact ALTA at 202-296-3671 or communications@alta.org.