Phishing scam of the week

I have subscribed to “CyberheistNews” at knowbe4.com and highly recommend this brief newsletter as an excellent source for current information on the latest scams that may hit your office and personal computers.

The news this morning was striking because it involves current events. Social engineering follows seasonal patterns, as we know. We have noticed in our business that long weekends lead to attacks because of the extra day that we may not be sitting at our desks to keep computer systems and our wires safe. The newsletter cites holiday-themed phishing attacks between Thanksgiving and New Year’s Day.

The news today involves implementation of the European data privacy regulation going into effect on May 25. It’s called General Data Protection Regulation (GDPR) and the scam email looks as if it is from Apple and claims that if you do not take action, your account will be “restricted”. But in fact, as usual, the scammers will attempt to steal your identity and credit card information.

In addition to looking legitimate, according to CyberheistNews, the bogus website is more sophisticated than most phishing sites because the fraudsters correctly set the web directory permissions and encrypted the spoofed site using Advanced Encryption Standard (AES) in order to successfully bypass some anti-phishing tools used in antivirus solutions.

The victim is asked to “update payment details” in order to see their accounts return to normal. Taking this action sends the victim’s payment information to the scammers.

According to the newsletter, companies worldwide are, in fact, working on becoming GDPR compliant and trying to make sure the people whose data they have collected have consented to give them information. Criminals are aware of this and are using this turn of events to their advantage.

And, then, there is the royal wedding. CyberheistNews’ advice about that is that the wedding is a scammer’s dream, and computer users should be advised to seek news about it only from trusted websites.

Don’t click links in emails or social media links related to the royal wedding or open suspicious attachments that claim any kind of problem with GDPR. Delete these emails or forward them to your IT experts.

And subscribe to this newsletter!

Real estate agent rental scam exposed

Two agents, one in Texas, and one in NY, allegedly involved

Most successful dirt lawyers have excellent working relationships with the real estate agents who assist their clients in buying, selling and leasing real estate. And most effective real estate agents prove themselves to be trustworthy in their business practices. Recently, two almost identical scams in remote states involved alleged real estate agents, according to a May 4 article in Housing Wire titled, “Two real estate agents caught behaving badly”, by Jacob Gaffney.

The first story is set in Missouri City, Texas, and was originally reported by the television station, KHOU 11 News. According to this story, police are investigating a woman purporting to be a real estate agent who approached John and Pamela Hall offering to sell their dream home located at the corner of Montego Bay and Palm Harbour. The Halls had already vacated the home, and the alleged real estate agent promised to sell the home quickly. Both homeowners signed the paperwork allowing the culprit to list their home.

Several days later, the Halls were called by someone interested in renting their attractive waterfront home from a listing they saw on Craigslist. When the Halls investigated the Craigslist entry, they discovered that the alleged real estate agent had actually created fraudulent documents, including a power of attorney and a deed, to take title to their home in the name of an LLC. When the Halls drove by their property, they saw someone moving in! The new “tenant” reported that he had paid $5,000 up front to lease the home.

The television station attempted to find the real estate agent’s name in the records of The Texas Real Estate Commission, but no such agent was found. The culprit used different names in dealing with the Halls and the tenant, and, so far, has been successful in stealing $5,000. The scam has no doubt caused a great deal of inconvenience to the Halls, not to mention the potential expenditure of funds in the form of attorney’s fees necessary to straighten out the public records.

The second story took place in Hampton Bays, New York. Southampton Town Police said they received two complaints in February involving an alleged real estate agent taking deposits for a rental home. The prospective tenants were told the home was not yet available when the respective move-in dates approached, and the home owners had no relationship with the real estate agent and never received rent. Additional victims came forward, and police arrested Melanie Williams, 54, in April, on three counts of fourth degree grand larceny and three counts of first degree scheme to defraud. Detectives say they believe there may be additional victims in this scheme.

The Russian proverb quoted by President Ronald Reagan seems to be good advice in any situation concerning a real estate agent, or any professional for that matter, who is not known personally. Tell your clients to trust but verify!

Two new fraud scams

The fraudsters keep updating their repertoires!

Fraudsters are creative! It seems as soon as we learn and educate our staff members about new fraud schemes, the swindlers change their schemes to keep us on our toes. I wanted to pass along two new schemes that recently came to my attention.

The first was reported in our company publication, Fraud Insights, and it involved a residential sale in Las Vegas. An astute title insurance company employee, Larissa Conrad, was able to frustrate the fraudster’s plans. Here’s how the scheme unfolded. On March 7, Larissa sent an estimated closing statement to the listing agent. The closing involved the payoff of a Wells Fargo mortgage. The listing agent purportedly sent back to Larissa, by email, an “updated” payoff statement. Larissa compared the two payoff statements carefully. The wiring instructions were particularly troubling:

Larissa called the payoff lender and confirmed her suspicion that the second payoff was from a fraudster. She then called the listing agent, using a trusted telephone number, and reported that someone was posing as him in the transaction and sending emails from an account that looked like his. She wired the correct payoff amount using the correct wiring instructions, saving $153,300.37.

The second scam, involving texting, was reported by CyberheistNews. The victim receives a text asking whether a password reset for a Gmail account has been requested. If not, the text advises, please reply with the word “STOP”. If the victim replies with “STOP”, the next text urges the victim to send a six-digit numerical code in order to prevent the password from being changed. By sending the code back to the attacker, the victim enables the bad guy to complete the password change and to have access to the account and all its email.

Remember that Google and other companies will not ask whether you don’t want to do something with your account. A reply to a text like this often notifies the fraudster that a valid telephone number has been reached.

A two-factor authentication process is highly recommended because it provides an additional layer of security and makes it harder for attackers to gain access. The victim’s password alone is not enough to pass a two-factor authentication process. Typically, the first authentication factor would be based on knowledge (a password) and the second factor would be based on possession (of an ID card, a token or a smartphone, for example). Ask your IT professionals for assistance in keeping your accounts safe by using this process.

And, as always, the best advice may be to keep schooling yourself about the various scams as they are reported. I’ll do my best to help!

Scary telephone identity compromise story from one of our own

Our company distributes a great publication, Fraud Insights, which tells scary fraud stories every month. Lisa Tyler, National Escrow Administrator, edits this publication and does a great job keeping us informed about new scams. A Fraud Insights story in March came from one of our company employees who told her personal identity compromise story to prevent it happening to the rest of us. I’m going to translate the story to South Carolina terms and call the victim Pam Paralegal.

Pam Paralegal was working on a messy residential purchase file in her office in Charleston and was not focusing on the telephone call on her cell phone that she received purportedly from her personal bank. The caller ID was indeed Pam’s bank’s name. When Pam answered, the caller identified herself as Jill Jones and said she was with the fraud department of the bank. Ms. Jones said she was going to text a code to Pam to confirm Pam’s identity.

Pam received the text code and read it back to Ms. Jones.  Ms. Jones then asked if Pam had authorized a $1,000 transfer from her account that morning. Pam said that she had not made that transfer. Pam told Ms. Jones that she would log into her online account to determine whether that transfer was showing up, but Ms. Jones told Pam the bank had already shut down her ability to access her account via the Internet. Ms. Jones told Pam that she needed her to read off an additional text code to authorize the shutdown. When Pam read the second text code back, the phone line went dead.

Pam immediately started receiving emails from her real bank. The first email confirmed a change in Pam’s password. The second email confirmed Pam had authorized a $1,000 withdrawal via electronic funds transfer. Pam called her bank to report the incident and later received a call back from the real fraud department. Pam was informed that the thieves had stolen $1,000 by using her Social Security number, and that they really had shut down her account.

Pam purchased a credit monitoring service, filed a police report, and contacted all three credit bureaus to make them aware of the incident. And she is still missing $1,000.

Here are seven tips the Better Business Bureau® (BBB) offers to protect against telephone scams:

  1. Do not trust caller ID: Victims fall for telephone scams because they assume the number on their caller ID is the correct person. Scammers can easily spoof numbers to make it look like a certain person is calling you, when in reality they are not. Some scammers will use your own telephone number for the caller ID. Others will use your prefix with a different last four digits to make you assume you’re being contacted by a neighbor.
  2. Do not give out personal information: Any legitimate person or business who reaches out to you will already have your information on hand. If they do not, or if you receive a call out of the blue asking for personal information, just hang up.
  3. Scammers usually pose as a trusted source: Like the story from Pam who was called from someone posing as an employee in the fraud department of her bank, scammers will pose as a trusted source to attempt to obtain information from you. Hang up immediately.
  4. Do not press buttons: Many “robocallers” will prompt you to “press 9” to be taken off their call list. Pressing 9 will only do the opposite and flood your phone with even more calls. Pressing a number on the keypad alerts the scammers that they have reached an active telephone number.
  5. Beware of big name companies calling: Scammers impersonate big name companies, charities and legitimate businesses, hoping that you will be more inclined to give personal information to them. If you receive such a call, hang up immediately, find the appropriate number and call the business to verify.
  6. Sign up for the Do Not Call Registry: To cut down on the amount of calls you receive, you can register your phone number for free through the Federal Trade Commission (FTC) Do Not Call Registry. This registry prohibits calls, informational calls, telephone survey calls and calls from companies you have recently done business with.
  7. Do not answer: If you receive a call from a number you don’t recognize, let it go to voicemail. Any legitimate person or business will leave a message. If a scammer decides to leave voicemail, you will have time to think about what is being asked by them, instead of being pressured on the spot to give up your personal information.

That last tactic is the one used in our household and with my business cellphone. If I don’t recognize the number, I don’t answer the call. It makes more sense to return the call of a legitimate caller than to become involved with a scammer or telemarketer. That’s my plan and I’m sticking to it!

Another settlement agent sued for failing to protect buyer in email diversion

My first blog of 2018 discussed a novel lawsuit (at least novel to me) brought in York County against a residential closing law firm. A home purchaser had lost $50,000 in closing funds that were diverted by a third-party criminal posing as the transaction’s real estate agent. Did you hear that? The real estate agent was hacked. The law firm was not hacked and was only involved in the loss because it was the settlement agent. 

The law firm’s paralegal and the purchaser had discussed the funds necessary to close by telephone, but no mention was made in that conversation of the wiring instructions. The complaint stated causes of action in negligence and legal malpractice and listed the following breaches of duty:

  • Requiring the purchaser to wire funds without counseling the purchaser about methods by which the secure delivery of wired funds could be compromised;
  • Failing to counsel the purchaser about the risks and insecurity of email communications, particularly of private, sensitive and financial closing information; and
  • Failing to be alerted by the circumstances of the purchaser’s telephone call to the firm’s paralegal.

American Land Title Association’s ALTA News, dated March 9, reports on a similar lawsuit filed in Wisconsin. The original news story was written by Brian Huber and reported by gmtoday on March 8. 

In the Wisconsin lawsuit, the email of the settlement agent, Merit Title, was apparently compromised. According to the complaint, a Merit Title employee used an unsecured system to email the closing statement and wiring instructions to the purchaser. The following month, the purchaser received an email purportedly from Merit Title, but with a missing “T” in the domain name (merititle instead of merittitle). The second email provided wiring instructions that were similar in format, structure and design to the ones sent by Merit, according to the complaint. The purchaser lost $82,000 in the scam.

The lawsuit claims Merit “had knowledge or should have had knowledge of a cybercriminal epidemic whereby hackers target title companies to learn about real estate transactions occurring and the hackers then send fraudulent wire instructions to the buyers prior to the closing.” Merit Title should have known of preventive steps to protect the buyers, the complaint stated.

My guess is that we are about to see numerous suits like this, seeking payment from the deepest pockets involved in real estate transactions. As I asked in the earlier blog, would the processes established by your law firm for the protection of your clients defend against this type of fraud?  If not, get busy and make changes.

ALTA has a list of resources that can be used to provide the appropriate safeguards, and your title insurance company should be able to assist you in implementing the appropriate resources in your office. Most of the protective procedures involve making sure your own systems are secure. But these lawsuits seem to indicate that consumers must also be advised of the dangers of dealing with others involved in closings who do not use secure systems. You don’t want to be left holding the bag for a compromised email system of a real estate agent!

Fake news? No, a fake homeowners’ association!

The schemes fraudsters use to dupe property owners out of their hard earned money seem to get stranger and creepier! On February 8, a television station in Kansas City, Missouri, FOX4, reported on a homeowners’ association scam involving a quiet neighborhood in Northland Missouri.

The station reported that for years, people living in the Summerfield subdivision ignored the invoices that arrived in the mail demanding payment to a homeowners’ association. Summerfield has no owners’ association! “Summerfield Homeowners’ Association” has no board and provides no services, but someone on its behalf mailed invoices and later filed liens against the neighborhood homes.

One homeowner reported that when he moved into the neighborhood in late 2017, he was told that there was no owners’ association and no monthly assessments. But just before Christmas, a $445 lien was filed against his home as well as thirty other homes in the neighborhood.

The liens made reference to a telephone number for a company that manages the association, Column’s Park, LLC, but the man who answered the telephone at that number, according to the news report, was “some random guy” who said the number had belonged to him for five years and had nothing to do with Summerfield subdivision. The man purportedly told callers to let everyone in the subdivision know that he had not caused the problem, and that he was convinced it was a scam. He was apparently weary of fielding the telephone calls of the frustrated homeowners.

Unable to resolve the conundrum themselves, the neighbors called FOX4 Problem Solvers for help. The television station traced the liens to two individuals, one residing in a federal prison, convicted on an earlier charge of mortgage fraud. This convict apparently came up with a new idea for duping consumers out of money. The other individual said she believed the subdivision should have an owners’ association to pay for the upkeep of a neighborhood drainage basin. The connection between the two individuals was unclear.

The owners finally took action by hiring an attorney to assist them in eradicating the liens.  What a story! Hopefully, we won’t see this one in South Carolina.

Department of Insurance files data security bill in SC legislature

Bill is similar to model data security law adopted by NAIC

If you are a SC title agent, this bill will likely affect you if it passes!

The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law, intending to promote rigorous cyber risk management practices, in October. And the South Carolina Department of Insurance (SCDOI) has introduced a similar bill in the South Carolina legislature. The South Carolina version, the South Carolina Insurance Data Security Act, is now in committee, and can be read here.

The model law creates data security standards for insurers and agents. The rules would apply to the real estate lawyers in South Carolina who are also title insurance agents. The rules require overseeing third-party providers, investigating data breaches and notifying consumers and regulators of data breaches.

Insurers and agents will be required to have a written information security program for protecting sensitive data. Incident response plans and data recovery plans will also be required. Compliance certifications to the DOI will be required annually.

One important exemption applies to licensees with ten or fewer employees. This exemption will benefit small South Carolina law firms. Cyber security insurance may become a hotter commodity in South Carolina if this law passes, but the law is not intended to create a private cause of action.

We will watch this legislation and keep everyone posted on how it proceeds through the legislative process in South Carolina.