The Trusted Adviser October 2010 | Volume 3 • Number 9

Update from ATG Administration

Check and Wire Transfer Fraud – A Growth Industry
 
Title Agents and Lawyers: Be Wary and Protect Yourselves
 
by Ronald Trubiana, Senior Vice President and Chief Financial Officer

 

Small- and medium-sized organizations are being victimized by perpetrators of a new brand of internet crime. Phishing, whaling, vishing and tabnabbing can put you out of business if you are not careful. These are the schemes that the fraudsters are using today to capture your business credentials to get access to your bank accounts. Once they get you, the fraudsters involved in the underground economy unleash various forms of "malware" (malicious software) designed to leverage your internal control weaknesses and the weaknesses in the wire transfer and Automated Clearing House (ACH) processes — the mechanisms that let banks and other financial institutions process checks and other forms of payment. These schemes can result in significant financial losses; title insurance companies and their agents are not only vulnerable, but are frequent targets. The fraudsters know where the money is, and are targeting title underwriters and their agents in what is known as spear phishing. A title underwriter lost $400,000 earlier this year, and just recently, a title agent lost $290,000. ATG has protective processes in place. Lawyers and title agents must take steps to protect clients' funds.

Here is a brief summary of how it works:

Many of these schemes originate in Eastern European countries. The most common scam is the bogus email that you receive from your bank asking that you verify your credentials because of some suspected fraud. This is the so-called "call to action" scam, where you fear that your account may have been compromised, and you respond. This can also be done via voice mail, or vishing as it is called. You are directed to a fake website of your bank and unwittingly unleash one of the many forms of malware, such as the ZeuS Bot or SpyEye Bot, that sits on your computer waiting for the next time that you access your bank. When you do, tabnabbing takes over, sitting behind the scenes of your legitimate bank website. You enter wire information that is going to Party A at Bank A, with Bank A's routing number, in the amount of $100,000. Behind the scenes, the malware is changing the information that you enter into that of the fraudster. You send the wire thinking that it has gone to Party A, but instead it is going to the fraudster. The fraudster then moves the money out of the country. By the time you figure out that something is wrong, it is too late, and you are out $100,000.

The fraudsters can also befriend unsuspecting victims via postings on social networking sites such as Facebook, MySpace, and Twitter, or reach them when they download attachments from unfamiliar websites. When the victim befriends one of the fraudsters or opens an attachment in an email, the fraudster unleashes one of the Bots. These new Bots are so sophisticated that most antivirus software companies have been unable to detect many of them. Companies still using Windows XP are also easy prey for Bots. The Bot just lies in wait on an infected computer, waiting for the individual to access bank websites for financial transactions, and then it comes to life. These Bots record all information relating to accessing the account and transmit the information back to the fraudster. The fraudster then duplicates the wire module page of the particular bank and re-transmits it back to the infected computer user. The next time the user logs onto the bank website to send a wire, the bogus wire module page takes over. To the user it looks like the real thing, but there are usually subtle differences. The user then enters the necessary information to send the wire, including the token information, but behind the scenes the wire recipient information is being changed to a bank other than the intended bank, and the user is unaware of the change. The user submits the wire to the bank, and the bank wires to the altered recipient and bank.

The fraudsters have recruited a series of "money mules" in the States that are used to launder the funds. The money mules are recruited via ads on Monster.com for work-at-home positions as an agent for a large international company. The fraudsters actually enter into contractual agreements with the money mules. The fraudulent wire goes first to a United States bank account in the name of the mule. The money mule takes a commission (typically 10%) and then wires the balance to a bank in New York. From there the money is wired outside the United States, to the country where the fraudsters are based.

At this point, the money is gone and cannot be retrieved. Sometimes the money mules will use Western Union to transmit the funds.

There has been little to no success in catching the fraudsters; however, authorities sometimes catch the money mules in the United States.

To prevent this type of attack, ATG recommends the following protective actions:

 

  • Do not respond to an email that appears to be from your bank requesting you to revalidate your credentials. Banks do not use email for the validation of your credentials.
  • Be cognizant of scams where a fraudster engages you to represent them and sends you a very large retainer check drawn on a foreign bank for services to be rendered and two or three days later asks you to wire a portion of the retainer to a business partner overseas. By the time you figure out that the foreign check you received is fraudulent, the money is gone.
  • Do not allow access to social networking sites from computers in your office. Any individual with access to your bank account website cannot be allowed to use social networking websites such as Facebook, MySpace and Twitter. Consider examining recent computer history to see if these sites are being accessed and add content filtering security to your network.
  • Do not allow an operator to download any information from unknown, non-business related websites.
  • Pay particular attention to the wire module web page. If you notice even subtle differences, contact your bank immediately and definitely do not send the wire using your computer. Do it the old-fashioned way and send your bank a fax of the wire instructions.
  • Ensure that two people are always involved in the wire process, one to originate and one to approve and release. Know what your bank agreements say as well. Banks are changing their agreements to require two people in the process, and if you choose to have only one, you are responsible for any fraud that occurs.
  • Review the information from the bank on the website relating to the wire as soon as possible after sending to ensure that it went to the correct party. Typically once the wire is gone, it cannot be retrieved. The funds may be retrievable from the money mule if you quickly notify your bank so that they can call the receiving bank and notify them that it was a fraudulent transaction. Once the money leaves the money mule, it is next to impossible to get it back.
  • Know and understand your banking agreements. Banks are not responsible for fraudulent wires; you are, and as such you bear the liability of the loss.
  • Reconcile your bank accounts promptly.

 

This is a very serious problem — please get this information to your employees who are involved in wiring funds. We also encourage members and their employees to attend the 2010 Harold I. Levine Institute, The Emerging Role of the Real Estate Lawyer after the Mortgage Meltdown, in Chicago on November 18. A portion of this program will be dedicated to this topic.
 

THE TRUSTED ADVISER is published by Attorneys’ Title Guaranty Fund, Inc., P.O. Box 9136, Champaign, IL 61826-9136. Inquiries may be made directly to Mary Beth McCarthy, Corporate Communications Manager. ATG®, ATG® plus logo, are marks of Attorneys’ Title Guaranty Fund, Inc. and are registered in the U.S. Patent and Trademark Office. The contents of The Trusted Adviser © Attorneys' Title Guaranty Fund, Inc.

[Last update: 10-28-10]