Wire Fraud: What to Know About Protecting Your Business from Business Email Compromise and Electronic Payment Fraud

Show Notes

Led by Andrew Liput, President, CEO & Founder of Secure Insight, this webinar defines the problem of phishing and hacking and their impact on mortgage lenders and their partners.

Andrew reviews current statistics and case studies of business email compromise losses and explains how they could have been prevented. Lastly it offers 5 key steps you should take immediately to help prevent becoming a victim of wire fraud, including internal training and external vigilance.

Originally aired live on March 18, 2026. 

Transcript

SPEAKER_01 0:10

All right. Hi, everybody. Apologies for the late start here by a couple of minutes. Of course, had some technical issues last minute. Everybody knows how it goes, that's here. We're really excited for this session. We're lucky enough to have Andrew Lippett with us from Secure Insight to teach us some more about wire fraud, something super important and relevant right now. So thank you so much for joining, Andrea. We're excited to have you and learn more.

SPEAKER_00 0:37

Thank you very much. Appreciate the Ohio Mortgage Bankers Association's invitation to speak on this important topic that every mortgage lender and everyone associated with the mortgage industry has heard about, is concerned about, and uh is interested in knowing more about. So I'm happy to be here today. Um I know we only have 30 minutes, so I just want to preface it by saying this is not a be-all end-all. You're not going to walk away from this being certified as a wire fraud expert. Uh, however, we are going to touch on the most important topics that I think you should be aware of. We're going to talk a little bit about statistics. I'm going to teach you some basic concepts and also some key phrases and words so that you understand a little bit more when someone talks about social engineering or they talk about phishing or whaling or hacking, um, electronic payment fraud. What is it they're actually referring to? So we're going to get into that right now, and I appreciate your attention. Um, okay, so the topic for today that the heading is business email compromise and wire fraud, what lenders need to know. Again, my name is Andrew Lippett. I'm an attorney. I'm also the CEO and founder of Secure Insight, which is a fraud risk analytics firm. Uh, next slide, please. There you go. There's my handsome picture. I think it kind of kind of looks like me, right, with AI these days, which is another important topic. You never know if you're looking at the person or an AI uh uh creation. Anyway, so uh that's my little bio, which uh you could read later if you want. Bottom line, I've been in the industry attorney, in-house counsel, regulatory and compliance guy. I've spoken at multiple mortgage banking conferences, written hundreds of articles, yada yada, yada. So some I somewhat know what I'm talking about. Next slide, please. Okay, so let's start off by defining the terms. Business email compromise, DEC, is also known as email account compromise. And this is the main way that criminals gain access to information that you don't want them to have. So it's basically as it says, it's a cyber scam, and the criminals or the people who are entering into your business environment, they're impersonating trusted individuals or organizations. So they're going to pretend that they are someone you do business with and it could be and or you work with. They could even try to impersonate another employee. They could impersonate one of your customers, they could impersonate one of your strategic partners or vendors. But the idea is to be able to trick your staff into giving out information or giving access to information that is not public. And in most cases, they're not doing it just for fun, right? They're doing it to gain a financial advantage. So when we talk about wire fraud, we're talking about folks using business email compromise to gain access to your wire information, trying to substitute fake wiring instructions so that whoever on your staff receives them believes that they are real, but they're not, and then the money is sent to the wrong place. Um gave you there the FBI has something called IC3, Internet Crime Complaint Center, uh, which tracks all types of internet fraud, but also wire fraud. And they give it a nice definition there, but it uh you know, I'm not going to read the whole thing. You could read it, but there are two things that they refer to, and that are that are two separate kinds of methods by which people uh implement business email compromise. One is called social engineering, that's an important term to know. And the other is unauthorized computer intrusion or hacking. So that's how they get into your system, that's how they get access to your people, and that's how they uh perpetrate their fraud. Some of the uh examples, and you may have seen or heard about them, hopefully you've never experienced them yourselves. But someone will be impersonating a CEO or executive to request an urgent wire transfer. That's called whaling when they try to try to um uh impersonate a significant person in your company, the CEO, the CTO, the CFO. Um we've actually received them in our company. You know, we have sophisticated tools to weed them out, but I have seen them where an employee gets something saying, Oh, Andrew wants you to buy a hundred gift certificates to give out to the employees. You know, just uh put them on your, you know, you can buy them, you know, at this link or whatever for him. And it's it's not me, it's someone impersonating me, and so on. Uh, they could spoof vendors or suppliers to redirect invoice payments. Hey, we're your your vendor for uh, you know, your credit reports or whatever, you know, this month, by the way, uh send the money here because we've changed our bank. And so someone on your side may not realize it. They substitute the instructions, and pretty soon the vendor is not getting paid, it's actually going someplace else. And then just compromising email accounts to ask for information. They want to grab personally identifiable information, non-public information because it has a value on the dark web. So reselling non-public information of consumers of your customers is something that is very valuable and is being uh sought after by these criminals. Next slide. Define the terms again. Um, there's a federal statute. Again, you don't have to memorize it, just know that there is a federal law, 18 USC 1343, that makes it a federal crime to engage in any kind of fraud uh by wire. So attempting to scheme or defraud people under false prop uh premises in order to get them to transmit money by wire uh for criminal purposes is a federal crime. And it you can see that it's a fine of up to a million dollars and imprisoned up to 30 years. Um it involves a scheme or plan to defraud, intent to defraud, and then using interstate or foreign wire communications, phone calls, emails, text. Um, yes, you can get a text that is a uh um phishing or hacking or um social engineering scam. One hour before I got on to this uh webinar today, a family member came to me and they showed me a text that they received, which was a document purportedly from the state of Maryland saying that they owed money because of a toll violation and it had a QR code, and it said, you know, if you don't pay this within the next seven days, you know, there's going to be all kinds of consequences. Looks very official. I've trained my family not to open and scan any of this stuff, but they did show it to me. And fortunately, they didn't scan the QR code, but it's a you know, it's a scheme that's going around. So if you your phone is also, you know, be careful what you open up up in your phone as well as your email. Next slide, please. Okay, so why are we talking about wire fraud today? Because it's a major importance in mortgage banking. So typically the way it will happen is a lender will face the threat of a wire fraud right at or near a closing. Why? Well, because that is a very, you know, crazy time for most lenders. There's a lot of moving parts, there's a lot of people involved, there's a lot of back and forth communications, there's kind of a stress, that's a stress point for lenders. We're trying to get things closed, there's a rush, you know, the loan officer wants it to close, people are gonna lose their house, whatever it is, there's a lot of chaos going on. So, what does that mean? That means that people sometimes keep their eye, take their eye off the ball, right? They're not paying as close attention maybe as they should. These folks know what they're doing. So that's where they're gonna try to uh aim their uh their social engineering, their um their criminal activities at a time where you are they think you're not paying attention. So an external actor is gonna gain knowledge of your transaction. They could do this by accessing your email system or tempting to substitute wire instructions. This usually occurs, I said, close just about at the closing and the last minute pressures. Normally, what will happen is the email is going to mirror a legitimate party's email so that at a glance it looks accurate. So I'm giving you an example there. John Doe at heritage title.com becomes John Doe, and you'll see heritage is misspelled slightly.com, or John Doe at Heritage Title, and again, title is misspelled. You have the L after the E. So you can imagine if you have staff members and they're getting bunches of emails at a closing and they get this and they look at it and they oh, it's John at Heritage Title. Because they're not really paying close attention, it'd be very easy for them to believe that it's legitimate. And so they receive these new wire instructions, and like, oh, okay, this is where I got to send it. And once the wire goes out, the money's gone. And I'll tell you that it's very difficult to recover unless it's caught immediately. So sometimes banks can reverse wires if you get it quickly. The FBI, as I said, also operates the IC3 website. They do take complaints. The FBI will investigate them, they do have their own methods that they don't disclose as to how they can intercept and um reverse these things. But in most cases, and you're probably talking about 70% and above, the money is gone. It's out of the country, you're not going to get it. Next slide. Okay, so we talked about this briefly, but it's worth going over again. How do the criminals gain access? I mean, how do they get this sophisticated access to our systems and our operations? Well, they do it through a combination of technical exploits and human manipulations so they can figure out a way to get into your system. They may send your staff an email that has a link to something and maybe it looks something, you know, it's a picture of a kitten. You know, do you want to see more pictures of, you know, acute kittens? And who doesn't? I love cats. So, you know, they click on that and it takes them to some website, and that website has a um has a virus in it. It gives an open door for them to get into your system. Now, once they're in, they could see everything that's going on. They're behind the scenes, you don't know it. They see communications going back and forth, they can try to steal or alter data and disrespect operations. So they could do that. Um, the other way we talked about was human manipulation through social engineering, meaning that they get an email address. And they they may obtain this not from accessing your system, but what is more uh a more vulnerable system? The seller, the buyer, maybe even the real estate agent, so, or the attorney's office, god forbid. So they can get in and they see or they catch an email somewhere. There's a way for them to identify. I mean, we all know that you have to file uh a notice of a peer of a of uh a transaction when you're doing mortgage transactions. So they can track things. They're very sophisticated. And they can believe me, today most of our public, or most of our private information is is on the internet. If you do a Google search for me, not encouraging to do that, but if you do, you could probably find out where I live, how old I am, whether I have any children, you know, what my cell phone number is, you know, where I lived 10 years ago, where I went to school. There's a lot of information out there. In fact, there's so much information that I actually wrote an article recently that says, is data privacy even even a thing anymore? Like, should we even care about it? Because there's been so many breaches of billions of uh pieces of information that's already out there that people can get and you can get it for free. And many companies are also reselling the data that's out there. So believe me, it's very simple to find this information. So they're they're scouring all this information, they're tracking transactions, and they're trying to fool people into believing that they are one of their your clients, they're with the seller, the buyer, the realtor, whomever it is. And the goal then is to uh get you to send uh uh money to them and not to where it's supposed to go. There are some really bad people out there who engage in what we call malware. So malware or malicious software, and you've probably heard of this, has been some big things in the news recently, where they drop a virus in. And again, this they can't just sometimes they can penetrate in through open doors and they could be your websites or other things. There's a there's a lot of information there. Uh, it would take hours to get into all of it, but the bottom line is they find an open door somewhere, whether it's through one at your website, whether it's through one of your employees or whatever, and they get inside. And once they get inside, they start looking around, right? So they're you have no idea they're there. They're looking, they're seeing things, they're looking at emails, they're looking at into your database, what do you have stored? And if they are really malicious, what they're going to do is they're gonna drop something in there and you're gonna get a notice saying, all of your information is now on lockdown. We have it all, you can't access it, and unless you pay us a half a million dollars by you know 10 p.m. tomorrow night, we're going to steal it all and release it on the dark web. This happens very often. And so you have to then decide what you're going to do. Do you have backup of the information? You have to realize that once non-public information has been uh taken, there are obligations to notify consumers and so on. There could be class action lawsuits, there could be regulatory and compliance consequences, or do you just pay the uh ransom and they release it? Now, some people say, well, they won't release it. What if they pay the money, they won't release it? Well, in reality, you know, and the FBI has confirmed this, is that most malware criminals have like a code of ethics, their own particular code of ethics, they will release it because they know if they don't, then they will keep it if you pay. But it's a it's it's one of the highest and most significant, you know, events you do not ever want to be a part of. Next slide, please. Okay, we talked about this a little bit. We talked about exploiting software vulnerabilities. These are all topics that could take an hour or more separately, just be aware of it. Um, most companies are gonna have some kind of software to help close those vulnerabilities. They also have software that can identify and notify you internally if you have vulnerabilities. Um, you can do certain things like penetration testing, which is going to uh evaluate the ability of an outsider to penetrate into your system. Um, so if you handle, store, maintain large uh uh amounts of non-public information and data, you should have some kind of system in place in order to monitor just how well you are protecting that information from being attacked or locked out or removed. Um weak passwords and credential attacks. Um, so poor password practices, uh, you know, they can guess passwords. A lot of people, what do they do? They use their birthday, their kids' birthday, all that information is available. They know how to how to exploit that. Um and then there are there are other things that they can do by exploiting uh different uh access points into your systems. So, again, this is a lot of information. I'm not trying, I don't want to overload you just so you have a basic understanding of how they're going to do this. This gives you just basically a summary of that. Next slide. Okay, some case studies. So opening a suspicious email. An employee receives an email, the email includes their name and even the company name. It is disguised as a vendor invoice request. Employee clicks on the attachment, which gives the criminal access to the employee's computer, but they can read all incoming and outgoing messages secretly, and this leads to a wire fraud event. Okay. Number two, visiting a compromised website. I'm sure you all have policies in place that your employees are not supposed to be going to web uh sites they shouldn't be looking at during the workday. There are there is software that you can implement where you can block um URLs. Uh, I encourage that because even someone can just not even maliciously do it, but accidentally access a site that doesn't have um protections, that is vulnerable, that has um a virus attached to it. Once they go there, they're exposing um you know your IP address, they're giving the ability for those criminals to gain access to it. So um I gave an example here. An employee uses the company computer to visit an anime gaming site hosted in Asia. Now, is that made up? No. I've got kids who love anime gaming and they're always on those sites, and I always have to tell them be really careful because there's a lot of those sites that have viruses in them that can compromise their computers. Site has no security or controls, and the developers easily gain access to the employee's desktop and drop ransomware inside, leading to a large loss. Third, last-minute wire instruction change. Employee receives an email, so they think, from an attorney title agent asking that net proceeds be wired to a different bank and account number. The email address and wire instructions refer to James River Title and Settlement Company. However, the actual recipient should be James River Title and Escrow LLC. Well, we're looking at that right now. We're both saying, we're all saying, well, they're different. They are. However, again, in the chaos of a closing, you get it, somebody looks at it, it looks the same. You know, we our minds can be tricked, especially if we're under stress or there's a lot of moving parts, and we just kind of glance at it and says, Well, that looks right. Yeah, James River title. Yeah, I remember them. Okay, that's good. But it's not really the same company. Someone has opened up a bank account under that name. They give you wire instructions and it goes to the wrong company. So these are all case studies based on actual incidents that have occurred in the industry. Next slide, please. Okay, recent mortgage lender fraud loss statistics. In case you don't believe me, that this is a big deal. So in 2024, the real estate sector reported cybercrime losses of around$145 million that were actually reported. Now, why is that important? Because most of them are not. So take that number and multiple of maybe two, three times, because many, many cybercrime losses are not reported. Why? Well, because reputational risk, they don't want to get sued, they hide things. In fact, if you see in many cases where it eventually does become public, and if you read the details, you'll find out well, this actually occurred like eight months ago or 12 months ago. So why are we only finding out about it now? They didn't immediately let anybody know. They tried to deal with it themselves and got to the point where they couldn't. And so that also exposes you, by the way, if you don't immediately take action, you're trying to hide it, and you don't immediately notify the victims of that particular incident, you could have uh regulatory uh and compliance uh issues. Okay, um, so I said broader uh IC3 data shows that internet-enabled losses, that's all kinds of uh internet crimes at$16 billion in 2024. Where everyone's using the internet now, the more we use it for transactions, we move into the digital financial aid where everything's online. Well, that's all great, but everything online means that you know more and more people can criminally access it. HUD and Fannie Mae fraud analysts, I was just on a on a uh webinar with someone from HUD. According to their statistics, 11% of mortgage transactions exhibit some sort of fraud risk. That means that billions of dollars are potentially at risk of loss every year. Specific claims and examples. Um, FBI noted that 2024 mortgage fraud losses neared 175 million, with the average claim of over$145,$43,000. Median or average losses per incident often range from 68 to 276,000, depending on the party affected. So these are all big numbers. Not many mortgage lenders can survive one, let alone a multiple of these types of incidents. That's why we always have to be on guard. You have to have tools in place, you have to have operational procedures and guidelines for all of your staff, you have to do training and so on and so forth. Next slide, please. So, what about Ohio? Was Hio somehow exempt from all this? No. Um, now I didn't get spend too much time researching this. There are ways you could do it, but I did find at least uh four examples here. In 2021, in Marysville, Ohio, a home buyer was defrauded of almost$300,000 because of a spoofed email mimicking a title company's wire instruction. In another instance, an Ohio Real Estate closing incident, a buyer wired funds to a fraudulent account after receiving spoofed wiring instructions via email from what appeared to be the title company. This is a common denominator there that title company was spoofed. The wire instructions were changed. In this case, the buyers were a victim. They weren't sophisticated enough. It's important for all also to educate our customers. So the buyers, the seller, the attorney, everyone, there should be notices. There should be some kind of warnings to make sure that they verify any changes instructions, verify any instructions they get so that they are not allowing a fraud to take place. In Cincinnati, a home buyer lost$7,500, which was wired to a fake title company that never existed. So according to reports that I've read, median losses in such real estate wire fraud nationally exceed$70,000, with Ohio seeing frequent attempts. So yes, it's a problem in the state of Ohio, and it's something we all need to be concerned about. Next slide, please. Okay, a word about knowing your settlement partners. Okay, so lenders, you have an obligation to vet your vendor relationships. Anyone with whom you're sharing buyer uh consumer personal information, financial information, you're allowing them access to your uh loan documents, your collateral security documents, you're sending them your money. You need to know who these folks are. Um, so attorneys, title agents, and escrow officers and their staff, they are the one vendor in your whole vendor relationship uh world that has the highest risk. Why? Because they have access to all of that. It's not just the borrower NPI, it's the closing documents, the collateral security, it's the funds. So they are a huge risk. And so you really need to know who they are. What is their risk? Are they licensed? Are they insured? Are they who they say they are? Have they ever been, you know, uh a discipline for fraud in the past or anything? These are things you need to do. Regulators require you to maintain a robust third-party service provider risk assessment policy. You know, that's under uh um the CFPB issued a bulletin way back in 2012 that started this whole process. And as of today, um, regulators, all regulators, GSCs, um, everyone expects you to have a policy in place, even your warehouse banks and your investors. So it's a critical that you evaluate these third parties, what are their credentials, insurance licensing, and internal operations? Do they have cyber fraud? Do they have uh EL insurance? Because you don't want to be on the hook if there is an incident, because no procedure, no policy, no tool is going to eliminate 100% fraud. So there is gonna be incident someday. You need to know are you gonna be able to offset or offload that loss to one of those third parties that you're doing business with? Next slide. Okay, suggested best practices, implement multi-factor authentication. So, what is that meaning that you're gonna have, you know, an email and a phone code, something so that you know who you're dealing with, that uh that they are who they say they are. So you're gonna use an outside vendor or there are tools that you can implement that allow you to do that. Um, most importantly, I think is train employees on fraud recognition, conduct regular training sessions, show them what a fraudulent email looks like, explain to them how important it is to look carefully at where the email is coming from. And most importantly, if there's going to be any significant change in your transaction, the wire instructions are changing. Don't pay it here, pay it there. That should be an immediate red flag. Stop, don't do anything else. Let's make sure this is real. Um, and then establish verification protocols for payments. The other thing they could do is they could make a phone call. They could use a tool like our tool to verify that the wire instructions are belong to that company. There are different tools out there. There are secure payment gateways, there are um ways that when you send emails, that you could do it uh in a confidential manner that requires somebody to enter a code in order to open it. There are lots of tools available and a lot of procedures to help you avoid becoming a victim of wire fraud. Next slide. Some more suggested best practices, monitor and audit all financial transactions. So again, whenever you're going to send a wire out, have a process in place. We don't send wires out until we do these three things. Call somebody to verify it, make sure that it was sent from an email that we know. You know, get some kind of verification tool to make sure that also that it's going to the right place. Use secure communications. I talked about that. I have a I have a problem with employees using like a Gmail account or Yahoo or something. Your employees should be on your internal email. It's much easier to get into and exploit other email services than your own internal server. So you should think carefully about that. And then I said, like I said, partner with vendors for fraud protection. So work with tech firms that offer risk management platforms to evaluate vendors and verify identity and bank information before a wire is sent. And you should strongly consider having cyber insurance to cover potential losses from fraud incidents. Because, as I said before, we can take all the procedures and steps in place that we can. We can train, educate, but sometimes all that, you know, all the uh those steps are not going to prevent some incident from happening. So you want to protect yourself with insurance. Next uh slide, please. Okay. I actually think I covered that in just about 30 minutes, which was the time I had. So we'll hold it open for any questions anyone might have. Uh Will, I'm not sure how you want to do that. I guess in the chat. There we go.

unknown 28:20

Yeah.

SPEAKER_00 28:21

I believe that Will's going to make this PowerPoint available to everyone. So if you want to look at it with more leisure, um also um I can put my information, my email address uh in the chat box. So if you have any questions um and you um would like to ask me personally, you can reach me um at that email address and I'd be happy to uh answer them for you.

SPEAKER_02 28:48

Yeah, I'll uh share the slide with um everyone um that signed up for this webinar. Um I'll just shoot you guys all an email. So be on the lookout for that. And I'll include your contact info as well, Andrew.

SPEAKER_00 28:58

Great. All right. I guess I was just so incredible that uh I answered everyone's questions and uh they're overwhelmed. So that's fine. Um again, sometimes questions come up later, but I want to thank Will and Heidi for the opportunity to be here in the Ohio Mortgage Bankers Association, which we are proud members of and support 100%. And um, we're just appreciate the opportunity to be able to talk on this important topic today.

SPEAKER_02 29:25

Yeah, thank you so much, Andrew. Uh, really appreciate you coming on. And um, once again, everyone, uh just be on the lookout for that email. Um, I'll follow up and send the slide deck as well. So thank you guys so much for participating and uh thank you again, Andrew.

SPEAKER_00 29:37

Absolutely have a great week, everyone.

SPEAKER_02 29:40

See you guys.