This is so important to our real estate community, that I am posting both information from the FTC and from the National Association of Realtors about this scam. I know of one case in Nashville last year where a buyer received last minute instructions by email that looked like they were coming from their lender and closing agent, asking them to send their down payment and funds for closing costs to a different bank wire address. The buyer complied…only to find out it was a scam, their true lender never received the funds to close on their dream home, and the money was wired overseas. Here is the update this week from the FTC, followed by the original message sent in December by the NAR.
Scammers phish for mortgage closing costs
Buying a home is exciting. You saved for the down payment, scheduled the move, and are dreaming of planting new roots. Closing is right around the corner… unless a scammer gets your settlement fees first.
The Federal Trade Commission and the National Association of Realtors® are warning home buyers about an email and money wiring scam. Hackers have been breaking into some consumers’ and real estate professionals’ email accounts to get information about upcoming real estate transactions. After figuring out the closing dates, the hacker sends an email to the buyer, posing as the real estate professional or title company. The bogus email says there has been a last minute change to the wiring instructions, and tells the buyer to wire closing costs to a different account. But it’s the scammer’s account. If the buyer takes the bait, their bank account could be cleared out in a matter of minutes. Often, that’s money the buyer will never see again.
If you’re buying a home and get an email with money-wiring instructions, STOP. Email is not a secure way to send financial information, and your real estate professional or title company should know that. If it’s a phishing email, report it to the FTC.
Here are some ideas to help you avoid phishing scams:
- Don’t email financial information. It’s not secure.
- If you’re giving your financial information on the web, make sure the site is secure. Look for a URL that begins with https (the “s” stands for secure). And, instead of clicking a link in an email to go to an organization’s site, look up the real URL and type in the web address yourself.
- Be cautious about opening attachments and downloading files from emails, regardless of who sent them. These files can contain malware that can weaken your computer’s security.
- Keep your operating system, browser, and security software up to date.
Original warning from NAR –
Urgent Alert: Sophisticated Email Scams Targeting the Real Estate Industry
In the next two weeks, real estate professionals will be contending with high transactional volumes during year-end closings. This is a busy and hectic time for real estate professionals, and many millions of dollars will be sent and received via wire before the end of the year. This is exactly the environment in which online criminals seek to operate.
The National Association of REALTORS® urges its members and state and local REALTOR® associations to be on high alert for email and online fraud.
In May 2015, NAR issued an alert regarding a sophisticated email wire fraud hitting the real estate industry. Since then, the incidents of online scams targeting practitioners have continued to rise but the advice is the same.
Bottom line: Do not let your guard down. Start from the assumption that any email in your in-box could be a targeted attack from a criminal.
Follow this guidance to avoid becoming a victim:
- Immediately contact all parties to all of your upcoming transactions and inform them of the possibility of this fraud. Attorneys, escrow agents, buyers, sellers, real estate agents, and title agents have all been targeted in these scams. You can also download and distribute NAR’s online fraud prevention handout, accessible here.
- If possible, do not send sensitive information via email. If you must use email to send sensitive information, use encrypted email.
- Immediately prior to wiring any money, the person sending the money must call the intended recipient to verify the wiring instructions. Only use a verified telephone number to make this call.
- Do not trust contact information in unverified emails. The hackers will recreate legitimate-looking signature blocks with their own telephone number. In addition, fraudsters will include links to fake websites to further convince victims of their legitimacy.
- Never click on any links in an unverified email. In addition to leading you to fake websites, these links can contain viruses and other malicious spyware that can make your computer – and your transactions – vulnerable to attack.
- Never conduct business over unsecured wifi.
- Trust your instincts. Tell clients that if an e-mail or a telephone call ever seems suspicious or “off,” that they should refrain from taking any action until the communication has been independently verified as legitimate.
- Clean out your e-mail account on a regular basis. Your e-mails may establish patterns in your business practice over time that hackers can use against you. In addition, a longstanding backlog of e-mails may contain sensitive information from months or years past. You can always save important e-mails in a secure location on your internal system or hard drive.
- Change your usernames and passwords on a regular basis, and make sure your employees and licensees do the same.
- Never use usernames or passwords that are easy to guess. Never, ever use the password “password.”
- Make sure to implement the most up-to-date firewall and anti-virus technologies in your business.
If you believe your e-mail or any other account has been hacked, or that you or a client has otherwise been a victim of online fraud, you should take the following steps:
- If money has been wired via false wiring instructions, immediately call all banks and financial institutions that could possibly put a stop to the wire.
- Contact your local police.
- Contact any clients or other parties who may have been exposed during the attack so that they take appropriate action. Remind them not to comply with any requests from an unverified source.
- Change all usernames and passwords associated with any account that you believe may have been compromised or otherwise made vulnerable by the attack.
- Report any fraudulent activity to the Federal Bureau of Investigations via their Internet Crime Complaint Center. More information can be found by clicking here (link is external).
This advice is not all-inclusive, and real estate practitioners should work with Information Technology and cybersecurity professionals to ensure that their e-mail accounts, online systems, and business practices are as secure and up-to-date as possible.
Be aware that these emails are extremely convincing. Many sophisticated parties have been duped. No one should assume that they are “too savvy” to recognize the fraud. In addition, no one should assume that they are “too small a target” to be on these criminals’ radars. This fraud is pervasive, convincing, and constantly evolving.