The new face of mortgage fraud
Editor's Note: This is part one in a three-part series from the August edition of National Mortgage News magazine about the growing prevalence of business email compromise fraud. Read part two and part three here.
In Grand Haven, a small resort town nestled on the eastern shore of Lake Michigan, a homebuyer walked into his credit union. It was an unseasonably warm, but pleasant, October afternoon in 2016, with a slight breeze coming off the lake.
The homebuyer brought with him an email he'd printed out, containing instructions for wiring about $50,000 in closing costs to Sun Title, the settlement company that was coordinating his purchase of a home the next morning.
At first glance, the email appeared perfectly normal, down to the use of Sun Title's logo in the email signature. The contents of the message were seemingly innocuous, as the homebuyer had been expecting the wire instructions and was looking forward to finalizing the transaction.
But the reality was far more sinister and the potential outcome even more disastrous, had it not been for an eagle-eyed manager at the credit union.
Something was off about the email, the manager noticed. While the sender's name matched the Sun Title employee who had been working with the homebuyer, the message came from an account @suntitie.com, with an "i" where the "l" should have been.
So the credit union manager and homebuyer called Sun Title to confirm the details. They quickly discovered the wire instructions hadn't actually come from Sun Title, but rather from a fraudster attempting an elaborate con known as a business email compromise scheme.
"It never should have been caught," said Sun Title CEO Tom Cronkright. "We should have been hit really hard for that one."
Digital processes have revolutionized the entire home buying experience by making it faster, cheaper and more transparent. But it's also opened the door to new types of fraud that exploit the increasingly virtual nature of these transactions.
The industry has worked tirelessly to stamp out fraud committed by nefarious borrowers and rogue employees. Underwriting tools that rely on independent data have replaced paper-based verifications, making it harder for misrepresentations to slip past lenders.
But business email compromise and similar schemes stand apart from more traditional forms of mortgage fraud because the perpetrators don't typically have a connection to the subject property or parties involved in a transaction. It's a distinction that's largely caught the industry off guard, even among professionals actively on the lookout for it.
"Mortgage fraud is always there. There is a significant potential for fraud in a real estate transaction because that's where the money is," said Rebecca Walzak, president of rjbWalzak Consulting. But the "percentage of those committing fraud is shifting towards outsiders. Outsiders are interested in the money more than the property."
Mortgage lenders focused on the traditional fraud scams in originations, said Ann Fulmer, president of Paladin Advisory Services. People still misrepresent their intent to occupy and their source of funds. But the industry wasn't prepared to deal with outsiders diverting money with business email compromise schemes.
All told, the thwarted incident involved less than an hour of real-time communication between the fraudster and the transaction's legitimate parties, but the scheme had been put in motion months before the situation came to a head in the lobby of the credit union.
It began with a successful phishing scam targeted at the real estate agent who would go on to represent the Grand Haven homebuyer. That let the fraudster tap into the agent's email account and monitor communications with clients.
Using information gleaned from the email surveillance, the fraudster set about creating fake email accounts for both the homebuyer and Sun Title.
The fraudster laid low until the morning of Oct. 17, when a message was sent using the real estate agent's email account to Sun Title's escrow officer, Cronkright said. It asked that Sun Title send wire instructions to the homebuyer for the next day's closing.
The "percentage of those committing fraud is shifting towards outsiders. Outsiders are interested in the money more than the property."
— Rebecca Walzak, president of rjbWalzak
However, the fraudster provided a fake email for the buyer; after the information was sent, the fraudster sent a confirmation that it was received, which gave Sun Title comfort it was dealing with the right party, he said. Meanwhile, the scammers sent their own instructions to the buyer using the "Suntitie.com" email address.
Thankfully, no funds were lost to the fraudulent scheme and the buyer still finalized his purchase, using a cashier's check to pay the closing costs. But just a year earlier, Cronkright and his Grand Rapids, Mich.-based company were not so lucky when they were the targets of a less sophisticated scheme.
In the spring of 2015, Cronkright's partner, Lawrence Duthler, received what looked like a normal business email containing wiring instructions for the earnest money deposit on a commercial property sale.
As part of the scam, the buyer gave Sun Title a cashier's check for $185,000 to deposit into the settlement agency's escrow account. A clause in the sales contract called for the seller to receive the earnest money before the closing, after the buyer had completed a due diligence review on the property.
The provision was uncommon, as funds are normally held until closing. But it wasn't radically unusual and since it was contained in the sales contract, Sun Title obliged with the request.
The check was deposited in Sun Title's escrow account, and the initial indication was that it had cleared. Sun Title moved forward with the wire transfer to the property seller.
A few days later, Cronkright and Duthler discovered the check, issued by an out of state financial institution, had bounced and Sun Title had lost $180,000.
"After the fraud took place, we learned the buyer's identity had been stolen and the perpetrators were using that to defraud us," said Cronkright.
A subsequent investigation revealed a similar scam using the same stolen identity in five other states. Cronkright now suspects the seller — who legitimately owned the property, but had borrowed heavily against it — was in cahoots with the buyer on the fraudulent scheme. "They did a really good job — even back in 2015 — to convince us we were dealing with the right people all along," Cronkright said.
The property has since been seized by authorities, Cronkright said. The partners contributed $90,000 each to replace the stolen funds. It took them two years of effort to track down the missing funds, starting with the email trail.