Toggle navigation
Logon
Our Legacy
Software
Services
Education
Membership
Resources
Support
Contact Us
Information Center
>
Information Security
>
Information Security FAQs & Tips
>
Email Security
Email Security
I received an email directing me to wire proceeds from a sale to a “new” account. I noticed that the return email address is not exactly correct. I called the seller and he did not send the email. What do I do now?
Report the incident to:
The Federal Bureau of Investigation (FBI),
Internet Crime Complaint Center
(IC3). IC3’s mission is to provide a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected internet-facilitated criminal activity. IC3 will request the following information (if known):
Victim’s name, address, telephone, and email.
Financial transaction information (e.g., account information, transaction date and amount, and who received the money).
Subject’s name, address, telephone, email, website, and IP address.
Specific details on how you were victimized.
Email header(s).
Any other relevant information you believe is necessary to support your complaint.
Federal Trade Commission
(FTC)
US Secret Service
(USSS)
Real estate brokers should report to their state or local REALTOR® association.
I opened an email which simply stated “here is the closing file you requested.” Nothing was attached and there was no reference to a particular file. I tried to respond to the email, but have not yet received a response. Is there something I should do in the mean time?
Unsolicited email may contain malware which will download to your computer if the email is opened. Some malware is designed to record keystrokes in order to determine passwords to sensitive websites, such as online banking or other financial institutions. If you open an email like this one, contact your IT department for assistance.
Some steps you or your IT department can take are:
Take the computer off the network until it can be secured.
Scan your computer looking at all programs that have been installed. Delete any program that you did not install.
Check the server and all other computers on the network to make sure no other machines have been affected.
Change all passwords. This includes passwords to online accounts accessed at that computer.
Make any needed updates to your anti-virus software and firewalls.
I am concerned that my office may have been the victim of a phishing attack. What can I do to protect myself?
Whether your office has been a phishing victim or not, you (or your IT department) should analyze your email settings regularly to determine if Fraudsters have created auto-forwarding rules that allow them to hijack emails and monitor your communications. Their intent is to insert real-looking but fraudulent emails to redirect pending or future payments. The FBI released a Private Industry Notification (PIN) addressing this very threat with recommended mitigation techniques. The PIN can be found
here
.
Is email encryption required?
The TILA-RESPA Integrated Disclosure (TRID) rule does not require email encryption. However, other federal privacy laws enforced by the CFPB require the protection of non-public personal information (NPI). If sending NPI via email, encryption or other security procedures are advisable.
In addition, lenders may require email encryption in correspondence with the lender or its borrower. Inquire with the lenders you work with often to see if they require your email to be encrypted. If you are not required by the lenders you work with, it then simply becomes a business decision for you on whether or not you want to encrypt none, some, or all of your email.
I just received an email from the seller in a current transaction directing me to wire the sales proceeds to their account. This is the first communication I have received with wire instructions. Should I follow the directions?
Not without additional verification. It is common for hackers to gain access to sellers’, buyers’, and real estate agents’ email accounts. Before wiring any funds pursuant to emailed instructions, call the seller on a number which you have been previously provided to verify the information. Be careful not to use telephone numbers provided in the emails, as fraudsters will provide fake phone numbers in the hope you will call the fake phone number and continue with the transaction.
You should also consider requiring the seller to come to your office and sign a change authorization or wire instruction form. At that time, you can obtain a copy of their identification as verification that they truly are the seller.
This is a new area of concern for many real estate agents and sellers so you should consider setting out your office policy on obtaining and changing wire instructions at the beginning of the transaction so as not to cause any party unnecessary delay on or after the closing date.
Are fake emails easy to spot?
Unfortunately, no, fake emails can be very elaborate. Some Fund Members have received email ostensibly from an attorney requesting that a deposit be wired into a phony trust account. These emails may contain the buyers’, sellers’, and real estate agents’ information as well as the property address, sales price, and attorney’s email address. Some of these emails also contain phone numbers that, if called, will put the caller directly in touch with the fraudster who will verify the requested information. Receiving fake email does not necessarily mean that someone’s email account has been hacked. Fraudsters can gather this information from social media accounts or by accessing the Multiple Listing Service.
My email was hacked – what do I do?
You should follow the steps below if you have been a victim of email hacking:
Update or install security software from a company you trust with automatic updates.
Change your password and set up two-factor authentication (
Outlook and Microsoft
,
Google
,
Yahoo
).
Change your security questions and make the answers as creative as possible (try to avoid questions and answers that are easily obtained through social media platforms such as mother’s maiden name, names of pets, high school attended, hometown, etc.).
Report the incident to your email provider, IC3, FTC, and USSS.
Notify everyone on your contact list.
Scan your computer with an updated anti-virus program – delete anything suspicious and re-start your computer.
Check your email settings to make sure no one added any links to your signature and that your emails are not being forwarded to someone else.
Change passwords or security questions for other sites (especially those where you use the same password and security questions!).
Check your email folders – search for “password” to see what other compromises might have happened.
Monitor your credit and financial accounts for fraudulent activity.
The buyer called to verify that we received the deposit via wire per our email instructions. The problem is that we did not send any such request. What should we do?
Instruct the buyer to contact his bank immediately to try to retrieve the wire. Depending on the circumstances wires can be retrieved up to 72 hours after they are sent. The buyer should also report the crime to IC3, FTC, and USSS. Some banks may require this reporting to law enforcement during the recovery process.
To cut down on the possibility of future occurrences, you might consider including information in your introductory letter to the parties about how they will receive information about deposits and wire instructions from you. This introductory letter should be sent via U.S. Mail to cut down on the possibility that it will be intercepted by a fraudster from a compromised email account.
What is two-factor authentication?
Two-factor authentication is a method of confirming a user’s claimed identity by utilizing a combination of two different components. In most email two-factor authentication schemes both a “knowledge factor” and a “possession factor” are used.
The “knowledge factor” is something that the user knows, typically the password to the email account. The “possession factor” utilizes something the user possesses, typically a cell phone.
In a common two-factor authentication scheme, a user will enter the password to the email account. The correct password will trigger a text message to the phone number previously provided by the user with a one-time verification code contained therein. The user must then provide the verification code to the email server within a specified time period to be granted access to the account.
What steps should we take to protect ourselves and our clients from a potential email scam?
A couple of very basic steps will help:
Notify all parties to the transaction of your policies regarding email usage, changes to wire instructions, and changes to contact information including telephone numbers.
Exchange telephone numbers early in the transaction and insist upon oral verification of important communications. If a party’s telephone number changes over the course of the transaction, have procedures in place to verify the accuracy of the new phone number and the authority of the person making the change. The party may need to appear in person to provide the new number.
Do not use telephone numbers provided in emails unless their authenticity has been confirmed.
Verbally verify with the recipient all outgoing wiring instructions prior to initiating the wire.
Take caution when opening email attachments from supposed parties to the transaction. If in doubt as to identity of sender, call and confirm it was sent by them.
Tips on spotting phony email:
Carefully review the sender’s email address against the email address you have on file. For example, if a party’s email address is
joesmith@abccompany.com
, look for slight variations such as extra or missing characters, or different domains. Note how the following email addresses are subtly different:
joe.smith@abccompany.com
,
joesmith@abcompany.com
,
joe_smith@abccompany.com
, or
joesmith@abccompany.net
.
You may need to hover your cursor over the sender’s email address in order to see the entire address and not the nickname associated with the account, e.g. “Joe Smith.”