What every real estate professional needs to know about wire fraud
Protect your clients — and your reputation — by learning how to detect and prevent financial scams.
October is National Cyber Security Awareness Month. Most real estate professionals may think of this as a time to change passwords or update software, but it should be an opportunity to consider, assess and mitigate any form of cyber risk that threatens your business.
Wire fraud remains one of the biggest cybersecurity risks facing the real estate industry, and when your clients get scammed, you lose more than your commission: You lose your reputation and the confidence of potential clients. Bad word of mouth from fraud victims will keep customers from working with you, which can devastate your business over the long term.
Understanding how wire fraud scams work — and staying vigilant — will help you avoid them.
Common forms of wire fraud in real estate and other industries
There are four basic forms of wire fraud that range from simple to sophisticated.
Data hacking: This is one of the most common and simplest attacks. Cybercriminals hack your router, or a bank's router, and divert wire transfers to their own accounts, leaving little trace of their activity. These hacks are more likely to occur at the end of the business day, which gives criminals an opportunity to move the money before the fraud is detected.
Email compromise: This is the fastest-growing type of cyberattack. Criminals hack your email, or a client's email, then send a legitimate-looking request to wire money, which goes to an account the criminals control. The only giveaway may be an unfamiliar bank name or account number. A less-sophisticated version of this attack will use an email address that looks legitimate at a glance, but has a small misspelling or a number or symbol in place of a letter, such as firstname.lastname@example.org.
Familiar fraud: This is a form of embezzlement, where an employee redirects funds from business accounts to accounts that they control. Without stringent, regular audits of a business' financial activity, this form of wire fraud can be very difficult to detect.
AI-enabled voice scams: This is the newest form of fraud. Criminals use online tools to sample and recreate the speaking voice of a client or vendor. They will call you, possibly using a spoofed phone number that looks legitimate, and ask you to wire money to an account they control.
How to prevent wire fraud in your real estate business
Excluding "familiar fraud," which often takes place quietly over a long period of time, attempts at wire fraud share two common characteristics: a sense of urgency, and an unfamiliar bank or bank account number. Criminals are counting on a lack of vigilance and a desire to be helpful on your part to enable their fraud.
These simple steps can help you detect and avoid these scams.
Call the party requesting the transfer. Verify the request with a phone call to the individual, using a phone number on file at your business. Remember that scammers can fake the number you see on your phone, and they may even have control of a client's or vendor's email. It may be helpful to have a second, authorized individual to call, such as a spouse or attorney, to verify a wire transfer request.
Set up a password with clients and vendors. This is the best way to stop business email compromise and AI voice scams. When you establish a relationship with a client or vendor, set up a call-and-answer password. For example, when you call the client, you say, "My father was a deacon," and your client responds, "My father was a cobbler. He also saved soles." This may sound silly, but it is actually a very effective spycraft technique. Explain to clients that this is a fraud-prevention method, and they will see its value.
Put a second set of eyes on transfer requests. Gather banking information from your clients and vendors when the business relationship begins (remember that collected banking information is considered personally identifiable information, PII, and must be securely retained, which includes encryption if stored digitally). Before initiating any wire transfer, have someone else in your organization review both the transfer request and the information on file. Any discrepancies or variations should be red flagged and require a voice confirmation.
Initiate wire transfers in person at a bank. Online transfers offer convenience but may lack the safeguards that banks put in place for in-person requests. If possible, initiate the transfer at the bank that will receive the transfer and ask them to verify ownership of the receiving account.
Refuse transfer requests late in the day. Set a policy with vendors and clients that any transfer request received after 3 p.m. will not be processed until the next business day. This will give you time to review the request and deter criminals who are hoping for a quick, late-day transfer.
If you detect a wire fraud attempt, time is of the essence. The first thing you must do is immediately report it to the client's bank so they can take action to protect the account. Then contact the bank holding the fraudulent account (if known), the affected client or vendor, and local law enforcement. This will provide the best chance to recover stolen funds and prevent criminals from targeting others.
Robert Siciliano is the head of training and co-founder of Protect Now, a cybersecurity employee training company that provides CE-eligible training tailored to the real estate industry.