Odds are someone you know has been impacted by the horror involved with cybersecurity attacks and wire fraud. According to the Internet Crime Complaint Center (IC3), a division under the FBI, fraudsters stole a reported $5.3 billion dollars through email scams in just two years. Since scammers most frequently target small and medium-sized businesses that are connected to Fortune 500 financial institutions, it’s no surprise that title companies are a prime target. In fact, over that same time period, title companies reported a staggering 480% increase in wire fraud attacks.
So how should title companies protect themselves? Before we can answer that, we need to take a quick look at the 2 main ways that scammers target. They’re typically just referred to as “BEC” and “EAC”.
- BEC: Business Email Compromise – targets businesses; this is more traditional, an entire business might receive a mass mail scam.
- EAC: Email Account Compromise – targets specific individuals and is a more evolved version of BEC. In particular, fraudsters now try to engage victims in an email exchange to gradually build trust, instead of sending emails with wire transfer and/or payment instructions at the outset.
In both forms, scammers will use spoofed accounts with slight variations in domains to make them look similar to authentic accounts (ie, changing @abclender.com to @abc.lender.com). In cases of EAC, scammers often research specific individuals in order to impersonate company executives, a trusted vendor, or a person in a position of authority within the company. Through their research, they are able to determine who manages money and use language specific to the company they are targeting in order to request a wire transfer to their personal account. The most common recipients of these email scams are accountants, real estate agents, title companies, and attorneys in the midst of real estate transactions.
The 3 myths
A recent Qualia poll found that a surprising 33% of title agents either weren’t using secure email or didn’t know what their practices are. But with so much at risk, why aren’t more precautions being taken by title companies and their vendors? The truth is that some common misconceptions stop companies from putting the proper tools and procedures into place. The 3 top myths are (1) the issue is too confusing, (2) putting measures into place is too time-intensive, and (3) the whole process is too expensive. Most often, title agents will list a combination of all three!
Let’s take a deeper dive into each of these myths and debunk them.
Keep it simple
Implementing security doesn’t have to be confusing, it’s all about just knowing where to start. There are resources out there to walk you through step by step and ALTA has done a great job of doing this for title companies through their best practices guides and assessments.
Cutting straight to the chase, they recommend doing a lot of what you’re doing, just more of it:
- Clear escrow accounts daily rather than monthly. Doing so can alert you to fraud before it is too late.
- Protect Nonpublic Personal Information (NPI) by having an articulated policy in place for how you secure data you’re using, data that’s filed and data you transfer to others. A written policy goes a long way.
Security can be quick
There’s never a good time to focus on non-revenue generating activities, right? Wrong! There are a host of opportunities that are “low-hanging fruit”, they are not time-intensive, require a one-time setup and low maintenance and have a huge payoff. Just a few examples include:
- Get a private & secure email domain
- Implement a managed antivirus solution
- Change default passwords / don’t use office-wide passwords
- Password protect your Wi-Fi
If you’re using technology to conduct your closings, one of the highest accreditations you can get to prove data security to your business partners is the SOC 2 report.
You may have also heard about the SSAE 16 / SOC 1, which has been around for longer; however, that audit is based on financial reporting, while the purpose of a SOC 2 report is to evaluate an organization’s information systems that are relevant to NPI security. Thus the SOC 2 audit is the gold standard for proving data protection to your current and potential business partners.
Security can be affordable
Security audits like SOC 2 are required to be conducted by an independent third party, so they can be expensive. That brings us to the myth that security is too expensive. Rest assured, there are affordable ways to keep security a top priority.
The first step which is completely free is requesting information from all of your vendors about their SOC 2 certification and making sure it is up to date. This is a great first step that ensures that all of the technology systems you are using are protected and will get you well on your way to making sure your title company is meeting best practices.
If you discover that any of your software providers or vendors aren’t SOC 2 certified, find out why and consider switching to a new provider since you may be putting your data at risk.
After confirming your vendors are SOC 2 certified, there are 2 main roadmaps for you:
- Those on a budget –> ALTA Best Practice Self Assessment
- Those who can afford it –> get SOC 2 certified yourself
What are you waiting for?
The important thing to take away is that security can be either a danger or an opportunity – and you decide which it is.
It can be a danger if you decide to push your luck and don’t take action, but you will likely have lenders and underwriters breathing down your neck to be more careful, or worse yet, you might become a victim of fraud.
If you do proactively put security measures in place then it can be a huge opportunity – you will be able to go directly to your lenders and realtors and prove that you are being more careful with your handling of assets and sensitive information than any of your competitors, which is going to allow you to win more business.
Download our free checklist to help you get started.