More than $3.1 billion in actual and attempted losses due to cybercrime has been reported since October 2013, according to the FBI. Residential real estate transactions are particularly vulnerable to these scams – and by the time someone realizes something is wrong and contacts law enforcement, it’s often too late.
In a panel discussion at the Real Estate Bar Association’s annual fall conference earlier this month, FBI supervisory special agent Michael P. Kelly said in the last two years, approximately $55 million had been reported stolen from victims of cybercrime in the Boston area. Of that, $13 million was recovered and returned, and about twice that amount was frozen. Because the crimes are often sophisticated and elaborate, there have been relatively few arrests.
“We’re seeing two to three new cases per week on average,” Kelly told the crowd.
The FBI has seen a 1,300 percent increase in victims and loss since January 2015, Kelly said. The crimes have occurred in all 50 states and 79 countries.
In a relatively new approach to traditional money laundering, criminals are diverting stolen funds to chains of people called “money mules,” who are often unwitting participants in the scheme. Those mules separate the money into streams, and ultimately to the thief’s account, which is often in a foreign country. All that quick movement makes it very difficult for law enforcement to catch up with the thieves before the money is gone.
Victims Have To Act Fast
Malpractice attorney George A. Berman of Boston-based Peabody and Arnold LLP, also speaking at the conference, said these attacks often happen on Fridays, particularly before a long weekend. By the time someone realizes that money wasn’t deposited where it should have been, three or more days could have passed, giving thieves a big head start on law enforcement. He advised anyone who thinks they may be a victim of a cybercrime to immediately contact the FBI.
“The chances of the money being recovered drop precipitously with every hour that passes before the theft is reported to law enforcement,” he said.
Though there are now cybercrime insurance policies available, the phenomenon is so new and sophisticated, it can be difficult to determine what’s covered and what isn’t, he said.
The best, most efficient way to report a cybercrime to the FBI is not to call them, but to report it through the agency’s website, www.ic3.gov, Kelly said. Victims can fill out a form and the case will be referred to an agent immediately, who will contact the victim within hours.
Cybercriminals don’t necessarily need to hack a lender’s or conveyancing attorney’s email to commit these crimes; they also hack consumers’ emails and wait – sometimes for years – until they see the opportunity to strike, said Mark Van Divner, chief information security officer for San Francisco-based First Republic Bank.
“These scams are getting more and more sophisticated,” he said. “So the best protection is, if there’s a last-minute change in payment instructions, pick up the phone and verify them.”
How To Avoid Becoming A Victim
“Email is a 1980s technology,” Tod Beardsley, senior security research manager for Austin-based Rapid7, a security management firm with offices in Boston, told Banker & Tradesman. “It’s the worst possible communication mechanism we have – and it’s searchable. People trust email too much. They treat it like it’s private,” and it is not.
Consumers shouldn’t give their personal information to anyone via email, he said, adding that when he recently bought a house in Texas, he had to teach his real estate agent and loan originator that email is not secure enough to transfer sensitive data.
“You’re giving up everything,” Beardsley said. “They have this model where they want or need all this info, but these kinds of transactions tend to happen fast. First, there’s a lot of waiting around and then a lot of action. It’s an ideal environment for fraud.”
It’s in everyone’s best interest to not share sensitive transaction data over email, he said, especially when the stakes are so high.
“I trained them that there was no way I was going to give them that information over email,” Beardsley said. “I said, ‘Can I share a Google Drive folder with you?’ At that point, I can mediate the access to it. Once the transaction is over, I can turn off access to it. I can delete the whole thing. I’m a big fan of moderated portals, like DocuSign. The data itself is not floating around in email and you are required to use a username and password.”
Though many people occasionally purge their inboxes, they often don’t delete their sent mail folders, which are essentially a searchable database of all of the electronic conversations a consumer has had for the past several years. Criminals count on this and mine these folders for information they can use to steal from you.
All of the experts agreed, the best way to protect all parties in a real estate transaction from cybercrime is to never email sensitive personal information, always be certain who you’re dealing with if you’re not talking face-to-face, and whenever last-minute changes to transactions are requested, always take as much time as necessary to verify who is requesting them.
