Bulletin: SLS2015005

Dear Associates:

We have been advised of a sophisticated wire fraud scheme in which the perpetrators simultaneously pose as both the seller and the Issuing Office in order to induce the Issuing Office to wire the sale proceeds to a bogus account.

In this scheme, the perpetrator hacks into the seller’s email account and reads their email correspondence relating to the transaction. Based upon this information, the perpetrator then creates two new email accounts – one designed to look like the seller’s email address and another one designed to look like the Issuing Office’s email address. The fake email addresses are almost identical to the real email addresses. The real person’s name may be displayed in the “From” line. Apparently, the illegitimacy of the email addresses can only be discerned by a careful examination of the entire email address, including the suffixes. For example, an additional email service provider may appear at the end of the bogus email address.

Using these two fake email addresses, the perpetrator interposes itself into the email communications between the seller and the Issuing Office. The perpetrator, impersonating the seller, begins to correspond by email with the Issuing Office, and emails revised wiring instructions to the Issuing Office. These instructions direct the Issuing Office to wire the sale proceeds to the perpetrator’s account, usually at a different bank. Simultaneously, the perpetrator, also impersonating the Issuing Office, begins to correspond by email with the real seller, and sends comforting email communications to the seller, lulling the seller into a false sense of security that the wire funding is proceeding normally. These emails prevent the seller from contacting the real Issuing Office through other communication channels, e.g., by telephone or by emailing the Issuing Office at its real email address.

We have received reports of variations of this scheme. In some cases, there is no dual impersonation in the email communication (i.e., the perpetrator may not impersonate the Issuing Office as well); the perpetrator may only pose as the party providing the fraudulent wiring instructions to the Issuing Office. In some cases, the initial hacking occurred in a realtor's email account or another title company's email account, and the perpetrator impersonates them, rather than the seller.

In one reported case, the fraudulent emails began after the closing took place, and after the real sellers had left the closing with their checks. The fraudulent emails, ostensibly from the realtor but actually sent by the perpetrator impersonating the realtor, instructed the Issuing Office to cancel the sellers' checks and instead wire the funds (to the perpetrator's account). When the closer requested written confirmation of the change, the perpetrator also provided an attachment containing forged signatures of the parties.

You may be able to reduce the likelihood of becoming a victim of this scheme by exercising vigilance if you are asked to change disbursement instructions. One possible method of thwarting the scheme may be to contact the person making such request using a different but previously-established means of communication, e.g., by calling them on a telephone number that was used previously.

If you have any questions relating to this or other bulletins, please contact a Stewart Title Guaranty Company underwriter.

For on-line viewing of this and other bulletins, please log onto www.vuwriter.com.