One Thursday morning a few months ago, my boss sat across the desk listening intently to a call on my speakerphone. On the other end of the call was a real estate attorney and her trusted long-time paralegal, both clearly frazzled and experiencing the worst two days either imagined possible.
We first spoke the afternoon before, and the purpose of the current conference was to update us on numerous calls to banks, their clients and the FBI. Over our 30-minute conversation, the collective mood of all participants swung from panic, to hopeful, to elated, only to conclude with full-fledged panic once again.
The attorney’s clients, a retired couple from the mid-west, wired a large majority of their life savings the Tuesday before, intent on purchasing a dream retirement home in the North Carolina mountains. Only they didn’t send the wire to their attorney. Instead, the majority of the nearly $750,000 purchase price was directed to a Wells Fargo account in San Francisco.
The fraud was only discovered early Wednesday afternoon when the paralegal realized the buyers never called to verify previously transmitted wiring instructions. As a courtesy, she sent an email reminding the clients to call before sending the wire for Thursday’s closing. The unnerved clients called to discuss, as not only had they already transmitted the wire, but this same paralegal confirmed receipt via email the afternoon before. It soon became apparent a spoofed email account had been used by a criminal hacker to send fraudulent instructions and to later confirm their receipt. Our insured immediately contacted us, and we worked with everyone involved to freeze the account and reverse the wire.
Over the last two years, we unfortunately gained a great deal of experience developing emergency response plans assisting our insureds and their clients recovering stolen funds. Victims are remarkably successful if the fraud is discovered and reported to the receiving bank early enough. Our anecdotal rule of thumb is a near full recovery is possible if the theft is reported within 24 hours. Fraud discovered after 2 business days rarely ends with a significant recovery. The period in the middle is difficult to accurately predict.
This case fell in the middle range. The buyers, a sophisticated couple, admitted they ignored several red flags and should have never sent the wire. While naïve, this couple was fortunate enough to have a fair amount of influence, both with their local mid-west bank and, through business contacts, Wells Fargo. In reporting the fraud, they bypassed lower level branch employees and were able to get a head start in the recall process. After hearing all of our recommendations were followed, my boss and I were cautiously optimistic funds would be recovered.
As our phone conversation was winding down, great news arrived in the paralegal’s email inbox. She read an auto-generated email from the wiring department of the firm’s bank. It verified receipt of funds from the clients’ mid-western bank. Apparently, the clients’ influence and hurried efforts paid off in record time – the fraudulent wire was reversed and then forwarded to the correct account.
Everyone on the telephone call briefly celebrated, breathing a second sigh of relief. We switched thought processes from recovery efforts to planning a forensic investigation to determine the source of the attack.
We did not know where the infiltration came from, but it was obvious the fraudsters monitored extensive email communication on this transaction and were very familiar with the real estate closing process in North Carolina. The outfit running this scam was not a group of fake Nigerian princes butchering the English language. Rather they had industry-specific knowledge and appropriate syntax in their communication – one of the spoofed emails even used “y’all” appropriately. (This contraction requires a fair amount of nuance - my in-laws relocated to North Carolina from the North 13 years ago and still butcher the colloquialism.)
The afternoon before, the attorney prophylactically changed all passwords in her office, including her email accounts, system logins and particularly bank account logins. We now explained to the attorney she needed to engage her IT vendor to look for evidence of infiltration – if our insured had been compromised, she had a duty to notify affected clients and determine the extent of the compromise.
In the interim, the parties in other closings would need to be contacted to make sure they also had not received fraudulent instructions and knew the correct account information. We advised the attorney to work under the assumption that it was her system that had been compromised until we could prove otherwise.
The more I thought about the quick return of funds, the more abnormal it seemed. Eventually I concluded the assumption the law firm had been hacked was a near certainty. Most likely, the wire confirmation was not legitimate but instead designed to delay the discovery and wire recall process.
I asked the law firm to call the local branch manager and confirm whether the wire was actually received. While we waited on hold for the results, I looked at the forwarded email confirmation in detail.
The auto-generated email used appropriate bank logos and looked identical to other confirming emails recently received by the attorney. The local community bank in question had recently been acquired by a regional bank, and the IT departments were still merging their online systems. The sending email domain was listed as the new parent bank, but the account information was listed under the name of the old bank. This was the exact way all other wire confirmations were received by the attorney in the six weeks since the acquisition. This detail was encouraging, as only someone familiar with the recent operations of the financial institution would know this detail. However, the early return of the funds was just too soon for me to have any confidence this confirmation was legitimate.
Shortly thereafter, the attorney and paralegal returned and confirmed the wire had not been received. We examined the extended headers in the email, which revealed the actual sender was not the regional bank but a free email provider based in Germany. After a little more effort, it soon became obvious the hackers gained access to the paralegal’s email account and had monitored it for weeks. They passed on other opportunities to divert wires, waiting until this large transaction was in the pipeline.
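The header review described above can be scripted. The following is an added example, not part of the original article: it compares the visible From domain of a "wire received" email with the transport headers recorded by the firm's own mail server. All hostnames, addresses and the sample message are constructed, and `bank_domains` and `own_mx` are assumed inputs.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From claims the bank, the transport headers do not.
SAMPLE = """\
Return-Path: <k.meyer@freemail.example>
Received: from mx.lawfirm.example (mx.lawfirm.example [203.0.113.10])
\tby mail.lawfirm.example; Thu, 01 Jan 2099 10:02:11 -0500
Received: from out3.freemail.example (out3.freemail.example [198.51.100.7])
\tby mx.lawfirm.example; Thu, 01 Jan 2099 10:02:09 -0500
Authentication-Results: mx.lawfirm.example; spf=fail smtp.mailfrom=freemail.example; dmarc=fail header.from=regionalbank.example
From: "Regional Bank Wire Dept" <wires@regionalbank.example>
Reply-To: <k.meyer@freemail.example>
Subject: Incoming wire received

Funds received.
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def under(domain, trusted):
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def check_confirmation(raw, bank_domains, own_mx):
    """Return reasons to distrust a 'wire received' email (signals, not proof)."""
    msg, findings = message_from_string(raw), []
    from_dom = domain_of(msg.get("From"))
    if not under(from_dom, bank_domains):
        findings.append(f"From domain {from_dom!r} is not the bank")
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From {from_dom!r}")
    # Only the Received line stamped by our own MX is reliable; earlier hops are sender-supplied.
    for rcv in msg.get_all("Received", []):
        m = re.match(r"from (\S+) .*?by ([^\s;]+)", " ".join(rcv.split()))
        if m and m.group(2) == own_mx and not under(m.group(1).lower(), bank_domains):
            findings.append(f"handed to {own_mx} by {m.group(1)}")
    # Likewise trust only Authentication-Results stamped with our own server's id.
    for ar in msg.get_all("Authentication-Results", []):
        flat = " ".join(ar.split())
        if flat.split(";")[0].strip() != own_mx:
            continue
        findings += [f"{k}={v}" for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat) if v != "pass"]
    return findings
```

The hostname after `from` in a Received line is the name the sending server announced, so a hit should be confirmed against the bracketed IP address. A clean result only means these headers are consistent; it does not confirm that funds arrived.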
Luckily for everyone involved, Wells Fargo was able to freeze the account and all funds were eventually returned, actually in record time. However, this record was not hours, but a couple of days.
Considering wire reversals sometimes can take months and require consistent pestering and extensive paperwork, the buyers were very fortunate. They were able to purchase their dream vacation home the following week and used the same law office to complete the transaction.
Currently unsettled legal issues of liability for the theft, contributory negligence, and insurance coverage did not have to be explored. Those issues will eventually work their way through the appellate court system, but, for now, we took the opportunity to update our best practices recommendations to reflect a new lesson learned.
The twist on this transaction was the hacker sending a spoofed wire confirmation. Had it been sent the day before, the paralegal would have found no reason to email the clients reminding them to confirm the instructions. Firm personnel would have read the email, assumed all funds were properly received and closed the transaction the following day. The office would have then wired the seller’s loan payoff and net proceeds as normal. The most likely scenario is the missing funds would not have been discovered until the trust account was reconciled or when the shortfall caused checks to bounce. By then, the stolen funds would have been long gone and unrecoverable.
The real hero in this story is the paralegal, whose diligence and client service stopped a crime. Unfortunately, the story doesn’t end here. The subsequent forensic investigation revealed our hero was the cause – this same paralegal clicked on emailed malware a few weeks earlier and allowed her computer and email to be compromised.
Everyone was fortunate and disaster was narrowly avoided, though others in our industry have not been as lucky. We now recommend our insureds not accept (or even receive) wire confirmations via email or fax, but rather securely log on to their bank’s online portal to confirm receipt. Of course, the scams will continue to evolve and increase in sophistication and the industry can only attempt to respond.
Troy is Managing Counsel for LM Title Agency, LLC, a wholly owned subsidiary of Lawyers Mutual serving attorneys throughout North Carolina. Prior to heading the title agency, he worked for Lawyers Mutual as Claims Counsel, focusing primarily on real estate, fraud and technology related claims. His experience includes working as Claims and Subrogation Counsel for a title insurance underwriter and eight years in private practice handling real estate litigation, commercial transactions and residential closings. Contact Troy directly at 919-585-1182 or email@example.com.