Imagine working your way through the grinding process of homebuying — you can practically feel the front-door keys jingling in your pocket, when a cyber thief snatches the earnest money you have in escrow.
And here’s the worst part: there’s nothing you can do about it. That earnest money is likely gone for good. For some folks, this could be a loss of a few thousand to a few hundred thousand dollars, depending on the terms of your contract. Most sellers require between 1 and 5 percent of the cost of the house to be put in escrow when the sales contract is signed.
The FBI estimates that in 2017 escrow cyber thieves either successfully or attempted to wire almost $1 billion to criminally controlled accounts. This is a sharp increase from the $19 million figure in 2016.
“It’s a huge problem out there. And it’s getting worse. We’ve never heard of anyone being arrested for this. The real victim is the consumer,” says Barry Miller, attorney and president of The Closing Agent in Orlando, Florida.
How escrow fraud works
Escrow fraud preys on ignorance and hastiness as it relies on fake email accounts to execute the scam. One way this scam works is when the fraudsters hack into a title company’s system to retrieve emails and information about upcoming home purchases.
They’ll often set up a fake website under a name similar to the title company you’re working with. For example, if the name of your title company is “Johnson and Sons” the fraudsters might make “sons” singular, so the website and email address reads: Johnson and Son.
This slight difference in the URL in what otherwise looks to be a legitimate site is easy to miss if you’re busy, as many people are, says Todd Spodek, managing partner at Spodek Law Group in New York City.
From there, the thieves will email you instructions to wire the money needed to close on the house. In other cases, they’ll email the title company to wire the money to the seller. The scam works the same way no matter who they’re targeting.
The money is then wired to the fraudster’s account, where they immediately withdraw it and disappear. There have been rare instances where the money has been intercepted, but in most cases, it’s unretrievable.
“Every day this is happening. Insurance companies have giant policies because of cyber-attacks. You can imagine how complicated this can get with financial institutions. The best advice is not to rush,” Spodek says.
“A lot of times law firms are busy, people move quickly, people won’t do the due diligence that’s necessary. If you wanted to you could create an email address, a fake domain and a fake number – send an email to a client, we’re all in agreement, execute the wire. I just sent the money to Nigeria. I would be in violation of everything. It’s important to slow down.”
How to protect yourself from escrow fraud
Vigilance is the key to averting escrow fraud, according to experts. Both consumers and title companies need to know the risks and take the proper steps.
Make sure the email addresses match
Phishing and whaling (when high-profile employees are targeted) attacks are how escrow frauds are accomplished, so it’s crucial to verify email addresses and contact information, says Jennifer Gardner, research manager with the National Association of Insurance Commissioners, or NAIC.
“First and foremost, check the email address that it’s coming from. Is it perfect? Is it one letter off? Make sure you’re working directly with someone at the title company. Set up a meeting with them, speak to them on the phone and I would always say call that person back. Verify any information about instructions,” Gardner says.
Don’t use the phone number in the email
It’s rare that homebuyers will have to deal with wiring money because the title company or closing attorneys usually handle that. But in the event you receive an email from your title company, particularly if it has to do with sending money somewhere, don’t use the information in the email to verify the instructions, Garland says. Sophisticated cyber thieves will set up phone lines where a person will answer using the name of the title company.
In fact, some scammers will establish a line of communication using the fake email address weeks before they mention wiring money.
This is tricky to detect because now you have a history of communication and trust. The best thing you can do is make sure you have your title company’s correct email address and phone number. If someone starts emailing or calling you from the title company, you should immediately cross-check their contact information with what you have already verified.
Find out what safeguards your title company uses
Many mom-and-pop title companies don’t have the security in place to thwart sophisticated attacks, making them relatively easy targets, explains Miller.
This means if a hacker gets access to account information, the next line of defense is identity verification and alertness. Spodek, an attorney who often deals with escrow accounts, says that he requires a written notarized statement authorizing transfer of funds as well as a video conference.
“Even though I require a notarized statement, notarization can be faked. I make sure we hop on Facetime, Skype or WhatsApp. I can’t meet every person at the bank, but it’s important to do everything you can to make sure you’re talking to who you think you’re talking to,” Spodek says.
Request proof of insurance from your title company
Cyber insurance is a vital bulwark for any company that’s dealing with personal data and money. If your title company is either not insured or underinsured, then you could be in hot water if a cyber thief strikes. Find out if the company you’re entrusting funds to is properly insured, says Miller. This means going beyond asking, to getting a copy of the policy.
“A lot of agencies have cyber insurance. Consumers need to request a written confirmation that the company they’re about to do business with has a policy. Get a copy of the binder, don’t just rely on what they say. They could easily lie,” Miller says. “If they have a $50,000 policy deductible and it’s expiring before you’re closing, I’d be wary.”