Cybercrime continues to thrive in the real estate brokerage environment. By this, I don't mean the kind of electronic skullduggery that results in stolen identity information or hacking into someone's bank account. Rather, I refer to the business of fraudulently inducing a principal -- sometimes even an escrow officer -- into wiring funds to a bank account controlled by a hacker or someone in business with the hacker.
Here's what can happen: the hacker gains access to the "network" of participants involved in a real estate transaction. His entry point may be through a real estate agent's email account, or escrow's, or any one of a number of affiliated services such as title or home warranty. Certainly, the hacking of an agent's account seems the most likely. The hacker will monitor the transaction, learning all the names, phone numbers, and financial information involved. Then, at some point near closing, the hacker will send an email -- posing as one of the relevant figures -- issuing false instructions as to where money is to be wired. Too often, the people who receive the bogus instructions will comply.
More frequently, this kind of theft is occurring at the beginning of a transaction. One scenario is this: the hacker is monitoring electronic communication between the buyer's agent and the seller's agent (and between the agents and their principals). Shortly after a purchase is agreed upon, the hacker sends the buyer an email (appearing to have come from his agent) telling him where to wire the earnest money. That will be to an account controlled by the hacker.
The scam at the beginning of a transaction doesn't generally yield as much money. It is deposit money, not a down payment. But it takes less time and saves watching an escrow that might fail anyway.
California REALTORS® have available to them a useful one-page document entitled "Wire Fraud Advisory." We have discussed that in an earlier column (July, 2016) and need not review it here. Instead, it is important to focus on the use of the form.
Two things: (1) As the above scenario illustrates, the advisory -- read "warning" -- should be provided early on in the process. Just as agency relationships need to be disclosed and discussed prior to writing a purchase offer, so should the wire fraud advisory. (2) It should be given singular attention, not simply included in a pile of papers with "you should read these" instructions. The issue needs to be addressed.
Some companies have their own version of the advisory, which is fine -- as long as they are provided in a timely and focused manner.
Indeed, some companies are now advising their clients to use cashier's checks, rather than to trust the electronic handling of their funds. Is that just too impossibly retro for you? Well, it made sense to some of the people who recently attended the most recent meeting of the Directors of the California Association of Realtors (CAR).
The topic of wire fraud received extensive discussion; and one group was formulating a request for the Standard Forms Committee to revise its treatment of earnest money deposit in the standard purchase contract (Residential Purchase Agreement, RPA). As it is now, the default position in the RPA is that deposit funds will be provided by electronic transfer. (One can still choose an option of personal check or cashier's check, or cash for that matter.)
Brokers initially loved the electronic transfer -- and probably most still do -- because it relieves them of the bookkeeping and procedures to follow when they have to handle checks. That relief now needs to be balanced against the risk of cyber fraud.
Speaking of which, it emerged in other discussions that brokers need to do a thorough assessment of their risks in this regard. It turns out that more than a few insurance policies that have an electronic fraud provision don't, in fact, cover the kind of fraud and loss that has been discussed here.
A topic for another day.
Bob Hunt is a director of the California Association of Realtors®. He is the author of Real Estate the Ethical Way. His email address is firstname.lastname@example.org.