Hackers are trying to steal mortgage funds
Tuesday, April 17th, 2018
Banks, credit unions, mortgage lenders, loan originators, title insurers, title, real estate agents, and consumers in the state of New Jersey need to be on the lookout for hackers that are trying to steal mortgage funds during the transaction.
The warning comes courtesy the state’s banking regulator, the New Jersey Department of Banking and Insurance, which issued a warning this week about hackers targeting real estate transactions.
“There are many versions of wire fraud that pose financial threats to firms conducting mortgage loan transactions, as well as the consumers and small businesses they serve,” New Jersey Department of Banking and Insurance Acting Commissioner Marlene Caride said.
“They all share one unfortunate result: the funds diverted through these criminal acts are nearly impossible to recover. The purpose of today’s bulletin is to remind those New Jersey firms involved in wire transfers to take every step necessary to protect small business owners, consumers and themselves against this constantly evolving fraudulent threat,” Caride added. “These industries handle millions of dollars in wire transfers every day in connection with mortgage loans and taking precautions to safeguard these transactions should be a high priority.”
This isn’t the first time a warning like this has been issued. Over the last few years, hackers have begun targeting real estate deals with more frequency.
Nearly two years ago, the Federal Trade Commission and the National Association of Realtors issued a warning to people interested in buying a home about scammers who were posing as real estate agents, Realtors and title insurance companies to steal consumers’ closing costs.
Last year, the American Land Title Association said that the previous warning from the FTC and NAR didn’t do enough to protect consumers and the group wanted the Consumer Financial Protection Bureau to issue a warning of its own.
Then, the FTC and NAR issued another warning, but that didn’t stop the scammers from stealing from unwitting buyers.
Now, it’s New Jersey’s turn.
According to the New Jersey bulletin, which can be read in full here, these types of scams generally include different types of “business email compromise techniques,” in which the normal wiring instructions are changed in order to divert the mortgage funds from the intended recipient to the hackers.
The New Jersey bulletin also provides more detail about how the hackers are inserting themselves into the transaction process.
The bulletin states that the schemes may use “social engineering or computer intrusion techniques,” like malware or phishing.
Here’s more on the scams:
With sophisticated hacking mechanisms, a perpetrator will target weakly guarded transactions and, for instance, send the buyer an email from an address nearly identical to the closing agent’s, with a plausible subject line, advising of a “wiring change.” When the buyer complies, the funds are wired to a scammer who is often overseas and usually impossible to track down.
The bulletin also reveals a new worry for all involved, using an imposter phone.
Previously, the FTC told participants to verify all details of the transaction via a phone call, but that might be safe anymore either.
From the New Jersey bulletin:
One precaution law enforcement agencies have urged is a “call and verify” routine, but scammers are now deploying phone “porting” technologies, to intrude into that safeguarding process, masquerading as a trusted party.
“This department recommends that every regulated person that uses wire transfers be extremely careful when communicating wire transfer instructions electronically, and ensure that any third-party service providers are extremely careful,” the bulletin stated. “You should also take the time to inform all other legitimate parties to the transaction about applicable precautions.”
The bulletin also provides several tips for all involved in real estate transactions:
- Closely verify email addresses before using them. Scammers mimic legitimate addresses and subject lines, but they are not 100% identical
- Avoid web-based email
- Strictly follow your specific business procedures for confirming the validity of changes made to wire transfer instructions.
- Use a confirmation process, which may include verbal communication via a mutually agreed telephone number between the known parties, as well as mutually agreed code words designed to combat phone “porting”
- Get to know the fraud resistance capacity of your third-party service providers, especially closing agents; become sufficiently aware of the relevant parties’ normal wire transfer activity to recognize suspicious variations