Cybersecurity Insurance Isn’t Enough to Fight Wire Fraud
May 21, 2019
By Amanda Farrell
Cybersecurity insurance is recommended for businesses of all sizes in every industry that handles sensitive personal information like social security numbers, credit card information and dates of birth. Playing it safe with this information means that businesses shouldn’t assume they have no vulnerability just because none is obvious. According to experts, if you store data at your location, you have a vulnerability. If you have email, you have a vulnerability, and if you have distracted or untrained employees, you have a vulnerability.
Social engineering is the most common way in which a title agent or other principal in a real estate transaction is duped by cybercriminals, yet most basic plans don’t cover it.
One mistake can sink a title company
I recently heard a story of a mid-size title agency that had an impeccable reputation, followed ALTA Best Practices and maintained stellar relationships with Realtors and lenders. Thanks to a perfect storm of personal and professional stress, an employee who had been fully trained in wire fraud prevention made a mistake.
After a late night of arguing with her husband, she woke up the next day and drove through a snowstorm to get to work, where eight closings were waiting. She sent the funds from the sale to another account at the request of the seller, made via email. The following business day, a terrible revelation was made.
She received a call from the seller asking where their money was. The email she received from the “seller” was in fact from a cybercriminal who had been watching the transaction (because the Realtor involved was not using a VPN) and had sent instructions to send the money into their own account. By that time, the cybercriminal had absconded with $140,000 and recovering the cash was impossible.
Horrified by the mistake, the title company filed a claim with its cyber insurance company. After reviewing the details of the case, the insurer rejected the claim, stating that the system wasn’t hacked and that the company should contact its E&O insurance provider. Unsurprisingly, the E&O insurer denied the claim and passed the buck back to the cyber insurance company.
As a result of this one incident, the title agency owner ultimately decided to sell her company. The liability and risk of continuing to operate seemed insurmountable.
Understand what is and isn’t covered by cybersecurity insurance
While fund transfer frauds, also known as hacks or system compromises, are covered under every cybersecurity insurance policy, social engineering schemes are distinctly different. A social engineering scheme is considered a “third-party phishing scheme,” where the company or agent has voluntarily, if unknowingly, given the money to a fraudster. Because this type of scheme falls within a gray area, title companies will need to carefully assess whether their commercial crime insurance can cover them, or get specific social engineering attack coverage through their cyber insurance broker.
Now, this oversight in coverage isn’t meant to deter title companies or law firms from carrying this type of insurance. It's important to understand that cyber insurance is a burgeoning industry and there are lots of variations in how different companies underwrite, package, and categorize cyber risk exposures and coverages.
Solutions to fight wire fraud schemes
Be sure to have the basics covered. Some tips to fight cybersecurity threats include:
- Install and regularly update anti-virus and anti-malware software on all your company’s computers
- Use a firewall for your internet connection
- Use a VPN when accessing business information on public Wi-Fi
- Make backup copies of important business data and information
- Use strong passwords with phrases, numbers, and special characters
- Control physical access to your computers and network components
- Require unique user accounts for each employee
- Keep computer operating systems and browsers up-to-date (missing a patch opens your system up to hacking)
- Train employees on how to spot a phishing attempt
- Mark and report emails as phishing or spam to help take down the sender domain faster and prevent others from falling prey
- Work with lenders, Realtors, and vendors who use proper safeguards
- Set up wire transfer protocols like a rotating daily code or synced fobs to execute all requests
- Communicate with principals via encrypted emails
- Call to verify wiring instructions using the known phone number before sending funds
The problem with these tips is that they don’t address the issue of social engineering. To stop fraudsters 100 percent of the time, humans must be infallible. We’re not. We all make mistakes. We all have bad days, and we all have the innate tendency to trust. We all get frustrated with the slowdown caused by following the proper protocols while simultaneously feeling the pressure to move faster. It’s unfortunate that there’s often little to no help for title companies that fall prey to cybercriminals even just once.
Fortunately, there are companies (such as CertifID, Vialok and SafeChain) that focus specifically on developing tech tools to stop wire fraud. However, these tools will only work if they are implemented properly and used consistently. All parties in the real estate transaction must work together to prevent and combat the threat of wire fraud.
As Tom Cronkright of CertifID stated, “We are the custodians; we’re the protectors and guardians of the transaction.” Title agents and agent-attorneys have the unique and lofty position of fighting on the front lines of wire fraud prevention. Cybercriminals are waging a war against consumers and real estate professionals, and there are no days off in the foxhole.
Contact ALTA at 202-296-3671 or firstname.lastname@example.org.