Real estate transactions, by their very nature, are complicated and involve multiple parties. As both the complexity and number of involved parties increases, so does the opportunities for mistakes to be made. Increasingly over the last few years, hackers have taken notice of the complex nature of real estate transactions and devised ways to insert themselves, surreptitiously, into the process for the purpose of stealing huge sums of money.
While there are hacking risks associated with every role in a real estate transaction, by far the one at highest risk is the Title Company. For purposes of this article the term Title Company is interchangeable with Escrow Agent or Settlement Agent. The title company is ultimately responsible for legal transacting of the property from the seller to the buyer, and handles not only all of the paperwork and filing, but also the transfer of funds between the parties. Due to this integral role of handling the funds, hackers have targeted them as the highest risk to reward entity in the transaction.
In decades past, most real estate funding was accomplished through the physical passing of a checks or cashier’s check from the buyer to seller at closing. As the digital and cyber age has taken over this process, like almost every process, this funding of the real estate contract has changed as well. Almost all real estate transactions today take place as wire transfers, which for buyers and sellers is both a blessing and a curse.
That blessing and curse comes in the form of speed. All parties want the money to be transferred as quickly as possible, but with that speed comes risk. This is the weak spot that hackers exploit.
In Business Email Compromise attacks, hackers use a combination of social engineering, malicious software, and cunning to attack the wire transfer process and divert the funds from their intended destination. This material theft can be accomplished multiple ways, but the most common way is through what is called a spear-phishing attack. Spear-phishing is a specialized type of targeted email virus attack, where the hacker sends a fake email to specific individuals in an organization that’s disguised to look like it came from a legitimate source for a standard business reason. In the case of an attack on a title company, the email could come from what looks like a known real estate agent with an attachment called “Sales_Contract_Final” or some other innocuous name. Unknown to the title company employee, the attachment contains a virus that grants the hacker access to their systems. These types of hackers being patient, may monitor the activities on the infected network for weeks or month undetected. In that time the hacker is gathering intelligence on the title company. Who are they getting important emails from? Which banks are being used for upcoming large deals? What wording is used in their email communications with banks, agents, buyers, and sellers? They may even steal and forge copies of documents used in the transactions. Through all of this intelligence gathering, the hacker is waiting for the right time to strike. When they see their opportunity, they jump into action, intercept the documentation pertaining to the final transfer of funds, change the routing and account information on the funding transfer, and then they slink away back into the shadows.
The hackers also exploit the speed of wire transfers by re-transferring their ill gotten gains to multiple accounts or transfer it repeatedly several times during the very short window where the funds can be recalled. Often these accounts are in China or Eastern Europe countries where prosecuting the theft is nearly impossible.
For title companies, this information should be a serious call to arms. Few title companies employ large numbers of people to safeguard their IT systems, which makes them an even more obvious target for hackers. This is especially disturbing considering the material transfers of money going on with often little or no cybersecurity. Title companies, as well as all companies involved in real estate transactions, should seek out expertise in properly securing their computer systems against these and other attacks, and use this badge of due diligence as a marketing point to give their customers confidence that their transaction will end successfully.
(Diverted real estate funding attacks on individuals usually leads to a total loss of funds, resulting in a bankruptcy filing)