Coupled with recent news from the Federal Reserve Bank and predicted rate cuts in 2024, the risk of wire fraud substantially increases as buyers and sellers rush to complete deals. Unfortunately, financial institutions face both state and federal regulatory penalties if falling victim to wire fraud, in addition to a permanent loss of funds.
The wire fraudsters follow a simple 4 step process to illegally redirect wired funds to their accounts, stealing them from the intended beneficiary:
Identify title and escrow companies (often the same company in Louisiana) that close residential and commercial property deals, which often require wire transfers of large sums of money to satisfy old mortgages, secure down payments, and hold deposits/earnest money in escrow.
From that list, identify those companies without dual factor authentication, which can be accomplished through purchasing access credentials from credential brokers on the dark web or performing brute force attacks on office.com until the correct password is identified. NOTE: if cyber criminals can identify a single password used by a person for one account, there is (sadly) a decent likelihood that the same password is used for his/her/their email account.
Access the email account and watch traffic between the legitimate user and any banks to identify pending transactions. Identify the PDF or email carrying the wiring instructions. Copy the format and change the wiring numbers to the criminal’s preferred bank account.
Send an email from the user’s email address to the payor saying that wiring instructions changed for some made-up reason, and send the false instructions the day of or immediately before the closing date. Also use additional details to create a sense of urgency.
Unfortunately for some, the responsibility for the lost funds often falls on the title companies. The actual buyer and seller of the properties likely have no participation in the movement of funds. And, it’s more often than not, that escrow/title company failed to meet their legal responsibilities to prevent such actions.
On June 7, 2023, the U.S. Government updated the Gramm-Leach Bliley Act (GLBA) cybersecurity requirements in the Safeguards Rule. The Federal Trade Commissions can penalize any financial institution (which includes both the bank and the escrow company) for failure to meet these 9 elements, now included in the Safeguards rule:
Designation of qualified individual to oversee and enforce an information security program.
Creating an information security program based on risk assessments that identify potential security vulnerabilities.
Design and implements risk safeguards.
Regularly test the information security program and protection.
Implement policies and procedures consistent with the information security program.
State how the business will oversee its technology providers and employees to enforce the information security program.
Evaluate and adjust the information security program following testing and monitoring.
If have information on 5,000 or more consumers, establish a cyber incident response plan.
If have information on 5,000 or more consumers, require its “qualified Individual” to report annually (or more) to controlling body on the effectivity of the information security program and policies.
In 2020, the Louisiana Insurance Commissioner further codified information security requirements for all insurance producers, which includes title companies. La. R.S. 22:2504 requires insurance producers to follow cybersecurity requirements, which are substantially similar to those published in the GLBA Safeguards rule, including the creation of an information security program, risk assessments, and a cyber incident response plan. Insurance producers are further required to notify the commissioner of certain events and follow certain investigatory procedures.
While there are an increasing number of “paper tiger” laws with minimal enforcement given resourcing constraints, cyber criminals are now reporting their own victims to regulators to increase extortion pressure. In November 2023, Russian based group, AlphV reported one of its victims, MeridianLink, to the Securities and Exchange Commission.
Accordingly, failure to implement cybersecurity protections and follow applicable regulations now not only risks private law suits, but state and federal penalties, and reporting by the criminals themselves.