Information Center

 

Information Center > Information Security > Information Security FAQs

I just received an email from the seller in a current transaction directing me to wire the sales proceeds to their account. This is the first communication I have received with wire instructions. Should I follow the directions?

Not without additional verification.  It is common for hackers to gain access to sellers’, buyers’, and real estate agents’ email accounts. Before wiring any funds pursuant to emailed instructions, call the seller on a number which you have been previously provided to verify the information.  Be careful not to use telephone numbers provided in the emails, as fraudsters will provide fake phone numbers in the hope you will call the fake phone number and continue with the transaction.


You should also consider requiring the seller to come to your office and sign a change authorization or wire instruction form.  At that time, you can obtain a copy of their identification as verification that they truly are the seller.


This is a new area of concern for many real estate agents and sellers so you should consider setting out your office policy on obtaining and changing wire instructions at the beginning of the transaction so as not to cause any party unnecessary delay on or after the closing date.

I received an email directing me to wire proceeds from a sale to a “new” account. I noticed that the return email address is not exactly correct. I called the seller and he did not send the email. What do I do now?

Report the incident to:

  • The Federal Bureau of Investigation (FBI), Internet Crime Complaint Center (IC3).   IC3’s mission is to provide a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected internet-facilitated criminal activity.  IC3 will request the following information (if known):
    • Victim’s name, address, telephone, and email.
    • Financial transaction information (e.g., account information, transaction date and amount, and who received the money).
    • Subject’s name, address, telephone, email, website, and IP address.
    • Specific details on how you were victimized.
    • Email header(s).
    • Any other relevant information you believe is necessary to support your complaint. 
  • Federal Trade Commission (FTC)
  • US Secret Service (USSS)
  • Real estate brokers should report to their state or local REALTOR® association.

My email was hacked – what do I do?

You should follow the steps below if you have been a victim of email hacking:

  1. Update or install security software from a company you trust with automatic updates.
  2. Change your password and set up two-factor authentication (Outlook and Microsoft, Google, Yahoo).
  3. Change your security questions and make the answers as creative as possible (try to avoid questions and answers that are easily obtained through social media platforms such as mother’s maiden name, names of pets, high school attended, hometown, etc.).
  4. Report the incident to your email provider, IC3, FTC, and USSS.
  5. Notify everyone on your contact list.
  6. Scan your computer with an updated anti-virus program – delete anything suspicious and re-start your computer.
  7. Check your email settings to make sure no one added any links to your signature and that your emails are not being forwarded to someone else.
  8. Change passwords or security questions for other sites (especially those where you use the same password and security questions!).
  9. Check your email folders – search for “password” to see what other compromises might have happened.
  10. Monitor your credit and financial accounts for fraudulent activity.

What is two-factor authentication?

Two-factor authentication is a method of confirming a user’s claimed identity by utilizing a combination of two different components.  In most email two-factor authentication schemes both a “knowledge factor” and a “possession factor” are used. 

The “knowledge factor” is something that the user knows, typically the password to the email account.  The “possession factor” utilizes something the user possesses, typically a cell phone. 

In a common two-factor authentication scheme, a user will enter the password to the email account.  The correct password will trigger a text message to the phone number previously provided by the user with a one-time verification code contained therein.  The user must then provide the verification code to the email server within a specified time period to be granted access to the account.

The buyer called to verify that we received the deposit via wire per our email instructions. The problem is that we did not send any such request. What should we do?

Instruct the buyer to contact his bank immediately to try to retrieve the wire.  Depending on the circumstances wires can be retrieved up to 72 hours after they are sent.  The buyer should also report the crime to IC3, FTC, and USSS.  Some banks may require this reporting to law enforcement during the recovery process.


To cut down on the possibility of future occurrences, you might consider including information in your introductory letter to the parties about how they will receive information about deposits and wire instructions from you.  This introductory letter should be sent via U.S. Mail to cut down on the possibility that it will be intercepted by a fraudster from a compromised email account.

I opened an email which simply stated “here is the closing file you requested.” Nothing was attached and there was no reference to a particular file. I tried to respond to the email, but have not yet received a response. Is there something I should do in the mean time?

Unsolicited email may contain malware which will download to your computer if the email is opened.  Some malware is designed to record keystrokes in order to determine passwords to sensitive websites, such as online banking or other financial institutions.  If you open an email like this one, contact your IT department for assistance.

Some steps you or your IT department can take are:

  • Take the computer off the network until it can be secured.
  • Scan your computer looking at all programs that have been installed. Delete any program that you did not install.
  • Check the server and all other computers on the network to make sure no other machines have been affected.
  • Change all passwords. This includes passwords to online accounts accessed at that computer. 
  • Make any needed updates to your anti-virus software and firewalls.

Are fake emails easy to spot?

Unfortunately, no, fake emails can be very elaborate. Some Fund Members have received email ostensibly from an attorney requesting that a deposit be wired into a phony trust account. These emails may contain the buyers’, sellers’, and real estate agents’ information as well as the property address, sales price, and attorney’s email address.  Some of these emails also contain phone numbers that, if called, will put the caller directly in touch with the fraudster who will verify the requested information.  Receiving fake email does not necessarily mean that someone’s email account has been hacked.  Fraudsters can gather this information from social media accounts or by accessing the Multiple Listing Service.

Displaying results 1-7 (of 9)
 |<  < 1 - 2  >  >|