Wire Transfer Fraud and Cyber Security
In spite of the press that it has already received, wire transfer fraud in real estate transactions continues to be a problem that buyers and sellers need to be aware of. Some of my colleagues have reported an upswing in this activity late last year and early this year.
The basic scam involves an email that appears on its face to be authentic but in fact fraudulently directs the buyer or the lender to wire funds to a bogus bank account. The email instructions appear to be authentic because they contain the title company’s email information, company logos, the correct names of the parties and the property involved, and other information specific to the transaction. Usually the email generated by the scammer comes from an address that looks very much like that of the title or escrow company but is not actually accurate. The bogus email directs the buyer or lender to wire the funds to a specific account, but that account turns out to be one set up by the scammer. If the money is transferred, the scammer immediately withdraws those funds from the account they set up. If the buyer or lender detects the fraud, that usually occurs too late to recover the funds.
Several years ago, my colleague, Vickie Naidorf, developed an alert on this subject. Her alert provided as follows:
To protect your funds and to avoid identity theft, you are encouraged to take appropriate, immediate steps to secure the computer systems that you use, along with all email accounts. Buyers and sellers should confirm all email wiring instructions directly with the escrow officer by calling the escrow officer on the telephone; in that conversation, the correct account number information should be repeated verbally before taking any steps to have the funds transferred.
If there is any indication that buyers, sellers, or anyone else has received questionable wiring instructions, you should promptly notify your bank, your real estate agent, and the escrow holder.”
SILVAR issued an alert on this subject with this recommendation previously. The language has been adopted in the San Mateo County/Santa Clara County Advisory.
Given the prevalence of email and other forms of electronic communication in real estate transactions and the ongoing use of this particular type of scam, buyers and sellers should be reminded of its existence and be on the lookout for it. While historically this scam has been perpetrated on buyers rather than sellers, it is conceivable that a seller could be victimized if they are to receive sales proceeds by wire transfer from the escrow company to their bank.
The issue of cyber security was discussed at the recent C.A.R. meeting in late January. My takeaway from the presentation included the following:
- While, historically, larger companies have been the victims of cyber security attacks, small businesses, including real estate agents and their clients, are now being targeted by cyber scammers as well. Part of the reason for this is that smaller businesses often do not have the technology and resources to address the issue;
- The data that these cyber scammers are seeking (e.g., names, addresses, credit card or bank account information, email addresses, Social Security numbers, employment details, etc.) is just the same and as readily available from a real estate company and its agents as from larger entities such as Target, Anthem, etc.;
- California law now requires a business that merely “maintains” personal information about a California resident to “implement and maintain reasonable security procedures … to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” This California law also requires that a business that discloses personal information about a California resident pursuant to a contract “shall require by contract that the third party implement and maintain reasonable security procedures”;
- Many third-party providers who maintain, store, and/or transmit personal information on behalf of our clients have contracts requiring that we indemnify them for any loss or harm, even if they are responsible; and
- Cyber attacks and security issues will continue to increase, and while our court system and government regulators have not yet provided comprehensive guidance on what constitutes “reasonable” security procedures and practices, businesses that are affected by these new laws and regulations need to become familiar with them and decide what policies, practices, and procedures need to be established and implemented in order to comply with these requirements.
My ultimate takeaway from this discussion was that if you are operating a business that is subject to this law, it is important to develop a data security program and implement and maintain safeguards to protect private data. My recommendation is that you consult with a qualified attorney who specializes in this area of the law.