Another settlement agent sued for failing to protect buyer in email diversion

Standard

My first blog of 2018 discussed a novel lawsuit (at least novel to me) brought in York County against a residential closing law firm. A home purchaser had lost $50,000 in closing funds that were diverted by a third-party criminal posing as the transaction’s real estate agent. Did you hear that? The real estate agent was hacked. The law firm was not hacked and was only involved in the loss because it was the settlement agent. 

The law firm’s paralegal and the purchaser had discussed the funds necessary to close by telephone, but no mention was made in that conversation of the wiring instructions. The complaint stated causes of action in negligence and legal malpractice and listed the following breaches of duty:

  • Requiring the purchaser to wire funds without counseling the purchaser about methods by which the secure delivery of wired funds could be compromised;
  • Failing to counsel the purchaser about the risks and insecurity of email communications, particularly of private, sensitive and financial closing information; and
  • Failing to be alerted by the circumstances of the purchaser’s telephone call to the firm’s paralegal.

email fish hook

American Land Title Association’s ALTA News, dated March 9, reports on a similar lawsuit filed in Wisconsin. The original news story was written by Brian Huber and reported by gmtoday on March 8. 

In the Wisconsin lawsuit, the email of the settlement agent, Merit Title, was apparently compromised. According to the complaint, a Merit Title employee used an unsecured system to email the closing statement and wiring instructions to the purchaser. The following month, the purchaser received an email purportedly from Merit Title, but with a missing “T” in the domain name (merititle instead of merittitle). The second email provided wiring instructions that were similar in format, structure and design to the ones sent by Merit, according to the complaint. The purchaser lost $82,000 in the scam.

The lawsuit claims Merit “had knowledge or should have had knowledge of a cybercriminal epidemic whereby hackers target title companies to learn about real estate transactions occurring and the hackers then send fraudulent wire instructions to the buyers prior to the closing.” Merit Title should have known of preventive steps to protect the buyers, the complaint stated.

My guess is that we are about to see numerous suits like this, seeking payment from the deepest pockets involved in real estate transactions. As I asked in the earlier blog, would the processes established by your law firm for the protection of your clients defend against this type of fraud?  If not, get busy and make changes.

ALTA has a list of resources that can be used to provide the appropriate safeguards, and your title insurance company should be able to assist you in implementing the appropriate resources in your office. Most of the protective procedures involve making sure your own systems are secure. But these lawsuits seems to indicate that consumers must also be advised of the dangers of dealing with others involved in closings who do not use secure systems. You don’t want to be left holding the bag for a comprised email system of a real estate agent!

Advertisements

With great power comes great responsibility

Standard

Six sensational ways to stop cyber villains

Cybersecurity is job #1 for dirt lawyers. Even in our close-knit state, we hear of attacks every week. A lawyer’s office could easily be forced out of business by one of these evil attacks. In our office, we read everything printed on the topic, and I offer you the six best, simplest tips I’ve seen. The first five are from American Land Title Association, developed with the help of the FBI, and the sixth is from the South Carolina Bar.

  1. Call, don’t e-mail: Confirm all wiring instructions by phone before transferring funds. Use the phone number from the recipient’s website or business card.
  2. Be suspicious: It’s not common for the companies involved in real estate transactions to change wiring instructions and payment information. Use common sense, stay alert to things that don’t look or feel quite right in a transaction and use your “Spidey senses”!
  3. Confirm it all: Ask your bank to confirm not just the account number but also the name on the account before sending a wire.
  4. Verify immediately: Call the recipient to validate that the funds were received. Detecting that you sent the money to the wrong account within 24 hours gives you the best chance of recovering your money.
  5. Forward, don’t reply: When responding to an email, hit forward instead of reply, then start typing with a known email address. Criminals use email addresses that are similar to real ones. By typing email addresses you will make it easier to discover if a fraudster is after you.

Thank you, ALTA and FBI, for those great tips!

The best tip, by far, that I have seen comes from the South Carolina Bar.  This tip is not only excellent for avoiding cyber fraud, it’s a great way of avoiding mistakes of all kinds in real estate practices. Here it is:

  1. Give yourself and your staff permission to slow down! We know things are hot out there not only in terms of the weather but also in terms of the speed of closings. Many of us who weathered the financial downturn remember what it was like when things were hot in 2005 – 2007. Closing speed can be increased only so much without causing error after error. Remember illegal flips prior to the financial downturn?  How many of them could have been prevented if someone had stopped long enough to think or long enough to bounce the scenario off of a friendly title insurance company underwriter? The same is true of protecting your clients’ money. Stop and think and allow your staff members to spend the time to stop and think.

Thank you, South Carolina Bar, for this great tip.

And, finally, I strongly recommend insurance against cyber fraud. Check with your E&O carrier to see what it offers. If it does not offer insurance to protect against this danger, find a company that does!  Call your title insurance company for suggestions!

Cyber Incident Preparedness for Closing Attorneys

Standard

And what to do if you suspect a compromise

With the increase in wire fraud that is happening in closing offices around the country, our company recently shared two documents that I thought would be beneficial to pass along to all South Carolina dirt lawyers .

The first document is a Public Service Announcement from the FBI dated August 27, 2015 concerning Business Email Compromise (BEC). BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and businesses that regularly perform wire transfers. Legitimate e-mail accounts are compromised through social engineering and computer intrusion to conduct unauthorized wire transfers.

We have seen this happen in more than one law firm in South Carolina!

cyber-fraud-theif

This PSA states that the total number of victims from October 2013 through August 2015 was 8,179 and the total exposed dollar loss was $798,897,959!

The second document was prepared by Linda Grahovec, the Director of Education and Marketing for our company. This document provides two cyber incident checklists, one for use in preparing, and the other for use if your office is attacked.

Here are three pieces of advice for all closing attorneys:

  1. Use an e-mail system that requires two-factor authentication;
  2. Never wire funds based on the content of an e-mail. Always assume e-mail has been compromised, and validate the information by phone. A good practice would be to refrain from sending wiring instructions by e-mail.
  3. If you suspect fraud, contact the bank immediately.

Please remain vigilant! Read everything you can on this topic, and continue to update and guard your systems. One incident could easily put a law firm out of business. Title insurance companies are excellent sources of information and training on these topics! Call on them!

Ransomware: A Scary Prospect for Dirt Lawyers

Standard

The Cyberdivision of the FBI is serious about ransomware!  An FBI speaker last Friday at the SC Bar’s excellent tech seminar, an annual seminar I highly recommend for solo and small firm lawyers, emphasized awareness and employee training are critical to prevent data losses in your operation.

Ransomware is a form of malware that is most often delivered through spear phishing e-mails. Spear phishing is a type of e-mail fraud that seeks unauthorized access to confidential data. Ransomware is what it sounds like. Once the fraudster gains access, your system is locked down, and money is demanded to provide access. You have to pay for your own data!

hacker

“H4ck3rz R Us, how can I help you?”

The FBI recommends prevention, business continuity and remediation, but suggests that there is no guarantee of prevention even with the most robust controls in place. Methods of prevention include:

  • Provide extensive awareness and training for your staff.
  • Use strong anti-virus and anti-malware solutions that are set up to update automatically.
  • Regular scans should be conducted of the anti-virus and anti-malware solutions.
  • No user should be assigned administrative access unless that access is absolutely needed.
  • Those with administrative accounts should only use them when necessary.
  • Keep access to a minimum. If a user only needs specific files, he or she should not have access to other files.
  • Ask your IT professionals to implement controls to avoid common ransomware techniques.

But since prevention is not guaranteed, the most attention should be paid to business continuity and remediation. In short, back up your data regularly and regularly verify the integrity of the backups.  Secure backups. Ensure backups are not connected to the computers and networks they are backing up.

The FBI does not endorse paying a ransom to the fraudsters and teaches that paying the ransom does not always ensure regaining access to data.

The FBI encourages victims to contact a local FBI office immediately to report a ransomware attempt and to request assistance. Victims are also encouraged to report cyber events to the FBI’s Internet Crime Complaint Center (www.ic3.gov.)

Beware of Cyberattacks on Free E-mail Services

Standard

Think a client won’t sue for misdirected funds?  Think again!

domain securityE-mail services, even those with the tightest security possible, can be hacked. We have heard local stories, as close as Rock Hill and Charleston, of funds being misdirected by cybercriminals through intercepting e-mails and sending out fraudulent wiring instructions.

Law firms have taken action: encrypting e-mails, adding tag lines to emails warning that wiring instructions will not be changed, adding warning paragraphs to engagement letters, in addition to normal security efforts. Many offices now require confirmation of all wiring instructions by a telephone calls initiated internally. No verbal verification?  No wires!

Last month, an attorney in New York was sued by her clients in a cybercrime situation. This time, the property was a Manhattan co-op, and the funds amounted to a $1.9 million deposit. The lawsuit alleged that the attorney used an AOL e-mail account that welcomed hackers. The complaint stated that had the attorney recognized the red flags or attempted to orally confirm the proper receipt of the deposit, the funds would have been protected.

The old phrase “you get what you pay for” is definitely applicable in these situation. Attorneys who continue to use free email services are putting themselves and their clients at greater risk for cyberattacks. Criminals understand that free email services have low security against cyber-intrusion, so they naturally gravitate to those accounts for their dirty work.

I heard one expert say that free e-mail services are not only not secure, they are also unprofessional! Surely, lenders will soon look at this issue as they decide who will handle their closings.