Know Your ABCs of Avoiding BEC

December 14, 2017

By Joseph Curran

During WWII there was a famous poster that warned “Loose Lips Sink Ships” to remind civilians at home that giving any type of sensitive information about their jobs in the factories could be used by the enemy. Today, we fight a war against fraud in cyberspace yet, despite all the technological advantages of the intervening decades, our defenses are still only as strong as the weakest link.

Using tools and services widely available in the cybercriminal underground, criminals need a single compromised account to steal from a business. In the title industry, perpetrators monitor the real estate proceeding and pick the time to make a fraudulent request to change the payment type or change it from a legitimate account to one under their control.

As reported by Forbes this summer, thieves have been known to research how a CEO communicates and even his or her travel schedule to make it easier to trick employees to comply with fraudulent requests. FBI Special Agent Martin Licciardo said the best defense in that case is “walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on email alone."

That logical advice is not so easy to accomplish if the company hasn’t built a culture based on adhering to best practices to avoid business email compromise (BEC).

Admit Your Business is at Risk

The first step is recognizing that BEC is a real and present danger facing the title industry.

ALTA Dispatches from the front lines:

  • Maryland, August 2017: The FBI says fraudsters used fake emails to fool a settlement company into wiring them the proceeds of the sale of a couple’s home. Amount lost: $411,548. 
  • New York, June 2017: A Judge trying to sell her apartment received an email she thought was from her real estate lawyer telling her to wire money to an account. Amount lost: $1 million. 
  • Washington, D.C., May 2017: The homebuyers sued the title company for the lost money due to BEC, but also close to $5 million for an alleged violation of the RICO Act. The title company, which denies it had anything to do with the money going missing, said that it immediately contacted the FBI when the attack was discovered. Amount lost: $1.57 million. 
  • Colorado, March 2017: A couple, who lost their life savings while trying to buy their dream retirement home, has filed suit alleging that none of the companies involved in the transaction—including a title company—did enough to protect sensitive financial information. Amount lost: $272,000.

But could it happen to you? Let’s imagine a criminal impersonates a trusted Counter Party in the RE Transaction by hacking into and using the email account of a Borrower’s RE Agent or Settlement Attorney to send fraudulent wire transfer instructions to the Borrower/Buyer. Based on the Borrower/Buyer’s subsequent request, their financial institution executes an authorized wire transfer to an account the criminal controls.

Yes, unless you have built your defenses, you are under threat of attack.

Be Prepared

Understand the battlefield and make sure you are using the right weapons to combat BEC:

  • Establish a company domain name and use it to establish company email accounts instead of free web-based email accounts.
  • Create intrusion detection system rules that flag emails with extensions that are similar to your company’s. For example, legitimate email of abc_company.com would flag fraudulent email of abc-company.com.
  • Create an email rule to flag emails where the “reply” email address is different than the “from” email address shown.
  • Color code emails from your employee/internal accounts a different color than those from non-employee/external accounts.

Rally the troops and commit to training employees, reviewing company policies and developing good security habits:

  • Be careful posting to social media and the company’s website information about job duties and descriptions, hierarchical information and out-of-office details that can give criminals the information they need to impersonate a trusted Counter Party.
  • Train your team to carefully scrutinize all emails and not be afraid to use face-to-face or voice-to-voice communications when in doubt.
  • Be wary of irregular emails sent by high-level executives, as they can be used to trick employees into acting with urgency.
  • Review and verify emails requesting funds to determine if the requests are out of the ordinary.
  • Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the email request.
  • Verify any changes in vendor payment location by following a call back procedure using contact information on file or having secondary sign-off by company personnel.
  • Similarly, stay updated on customers’ habits, including the details and reasons behind payments.

Communicate Any Breaches Immediately

The following are recommended steps to take if and when you are a victim of outbound wire fraud:

  • Ensure all employees have the information on whom to contact.
  • Contact your banking team immediately via telephone and email to inform it of the fraudulent transaction.
  • Provide a screen shot of the outbound wire if possible.
  • Once informed, your bank will alert its fraud department and law enforcement.
  • The bank will contact the Beneficiary Bank to alert of the fraudulent transaction, get a status update on the transaction and begin recall process.
  • Your banking team should keep you fully informed of the status and any additional steps such as completing an Affidavit of Forgery, Hold Harmless Approval, etc.
  • Once funds are secured, your bank will make restitution to the proper account.

The Internet Crime Complaint Center (a multi-agency task force made up by the FBI, National White Collar Crime Center and Bureau of Justice Assistance that is commonly referred to as the IC3) notes that all participants in real estate transactions, including buyers, sellers, agents and lawyers are at risk. The IC3 saw a 480 percent increase in the number of complaints in 2016 filed by title companies that were the primary target of the BEC/EAC scam.

Be sure that you and your banking team remain vigilant and prepared to meet this growing threat.

Joseph Curran is senior executive vice president and managing director at BankUnited N.A. He may be reached at jcurran@bankunited.com .


Contact ALTA at 202-296-3671 or communications@alta.org.