Skip to main content

Once upon a time, our biggest Internet aggravation was a simple chain email. Remember those?  Forward this email to 25 friends or you will get sick.  Well, the world has certainly changed quickly, and now it feels like a full-time job to protect yourself and your clients.

I had the distinct pleasure to interview Bruce Phillips, CISSP, SVP & Chief Information Security Officer at Williston Financial Group about the threats lenders are presently facing and some best practices to protect ourselves, our company and our clients. Not only was our conversation fascinating, but it was also quite the eye-opener!

We discussed Phishing, Vishing and SMishing which are mostly the same thing in that criminals use social engineering to get a person to do something.  These techniques are used in emails, text messages and social media.  Why?  Because where there is money there is an opportunity.  And in our industry, there is money floating around between entities and lots of players in one transaction!

It is likely you know that the number one issue in our industry is Wire Fraud.  According to the FBI, this type of fraud is doubling each year.

  • In 2016 $360 Million in Fraud
  • In 2017 $675 Million in Fraud
  • In 2018 $1.2 Billion in Fraud

As the opportunity grows, so do the criminals attracted to this space.  Criminals have a simple philosophy really if they make money doing it, they do and if not, they go elsewhere.  So apparently our industry, although getting better, makes it a little too easy to propagate wire fraud.

So how do these criminals find their targets?  Most buy playbooks on this subject on the Dark Web and learn that the process is simple yet sophisticated.  They know that originators, real estate agents and their clients love to chatter about everything in their life on Social Media.  This unfettered release of information is collated and used against the targets. Criminals create fake profiles, target real estate agents to see who is buying or selling a home and let the game of trying to intercept the wire to closing begin! The main game is to get a piece of communication to the person transmitting money.  The target can be the lender, borrower, or escrow company, and the email received seems very legitimate!  The email gives the person wire instructions, uses the name of the lender or loan originator and looks quite convincing.  If you think about the number of people a typical borrower corresponds with, in one real estate transaction, it is no wonder that even very educated people are getting duped every day.

We all know that we can never get rid of the criminal element, but we certainly can understand best practices and communicate these practices to our consumer and real estate clients.

Here are some best practices recommended by Bruce Phillips.


Watch for Spoofing – Spoofing is where it looks like it came from a legitimate email but something very subtle is different.  It is in those subtle details that you can determine if the email is a spoof.

Signs to look for:

  • First, don’t trust email and carefully look before you proceed.
  • More people are using Gmail accounts for business, which makes it harder to detect fraudsters.
  • Look at the email.  Is it configured so it seems like the lender sent it, but the reply email is not the same?
  • Is the spelling correct — for instance, Realtor vs. Realter
  • If an email asks you to send money, pick up the phone and call the person you deal with. Unfortunately, the younger generations are more vulnerable because they are used to corresponding via text, email and not the phone. Of course, older generations are more trusting of email, so it goes both ways.
  • 80% of targets are buyers of real estate and 20% are lenders or escrow companies. Protect your buyer through education and communication.  Give them a heads up as to what to watch out for!

Suggested Best Practices for All of Us:

  • Don’t use the same user names and passwords for your accounts. There are plenty of excellent password encryption technologies that develop different passwords for every site and store them for you so that you don’t have to remember them.
  • Change Your Passwords Frequently
  • Use two-factor authentication on any site that offers it. Yes, it adds one more step, but it is unlikely the criminal has your password and is also in possession of your phone.
  • Never use Free Public WiFi unless you are using a VPN [Virtual Private Network]
  • Don’t work as an “Admin” on your computer. Instead, create a standard user account on your computer and use that.  This prevents you from allowing in unwanted guests who can change things because you are logged in as Admin.
  • Don’t click on links. You have no idea where they will take you to.  Instead, go to that company site and access the information from the official site.
  • Always update your computer. Sure, it’s annoying to stop what you are doing and take care of updates, but it does protect your computer by updating your software and putting in security patches for known and popular viruses and malware detected by the software companies you work with.

As much as I hate to say this, we all must be suspicious and pay attention to what is happening to avoid issues, and this includes your customers.  Take the time to educate them about your process and what to expect so that you don’t end up with an unhappy client who sent their entire savings to a criminal and now cannot buy that lovely home you were helping them with!

Tammy Butler, Master CMB

Author Tammy Butler, Master CMB

More posts by Tammy Butler, Master CMB

Leave a Reply