Wire fraud is a source of significant harm to financial institutions, with an estimated $1.77 billion stolen in 2019, according to the FBI. For mortgage companies, the vulnerabilities surrounding the closing table constitute an especially big risk. Excited and anxious about closing, borrowers are vulnerable to email scams from criminals posing as lenders or title companies, resulting in a financial disaster if they direct their banks to wire money to the wrong place.
So what happens after that devastating event? Is the borrower just out the money, or does the lender or title company bear some of the responsibility for the loss? It’s an important question that is still being worked out in the legal system, but several experts say financial companies and other parties in closing have more liability than they might imagine.
WHO’S LIABLE?
Thomas Cronkright is CEO of Sun Title Agency in Grand Rapids, Michigan. He’s also the cofounder and CEO of CertifID, a real-time solution that verifies identities and documents in financial transactions, which he started with Lawrence Duthler in 2017 after they became victims of wire fraud.
Besides being a plaintiff in that case, working with CertifID clients gives Cronkright a front-row seat to the ways financial institutions and title companies are being defrauded — and how companies are dealing with the aftermath.
Cronkright said the most frequent party named in a suit after money has been stolen is the title and settlement provider that was responsible for sharing the wiring information. The second most frequent is the financial institution the buyer is using to wire the money, and the third is the financial institution which allowed the receipt of the money.
However, Cronkright said you don’t have to handle the money to be on the hook if something goes wrong. The title companies and banks are the ones actually physically moving the money, but attorneys, real estate agents and even developers have some liability in the case of wire fraud.
“What we’re seeing more of now, are title and settlement providers, attorneys, but frankly, any transaction participant being on the other end of that when a consumer loses their money.”
Thomas Cronkright
“We started to look at what was an evolving standard of care that was being developed in the courts almost decision by decision,” he said. “One thing to know about civil litigation, especially when you have insurance companies that may be providing coverage under an E&O or a cyber event, is that a lot of these will not go to trial. You won’t get a decision.”
That means that there isn’t a framework to look at well-established case precedent. One of the obstacles to establishing more precedent in determining liability is that these claims are going to be determined in state-level courts, according to Steven Snyder, an attorney at Bradley who specializes in cybersecurity and privacy as well as financial services litigation. “Even if it was in federal court, they would be applying state law, so you’re not going to really have a broad precedent.”
The number of parties involved and the way fraudsters insert themselves into the process make it difficult to assess liability, Snyder said.
“There’s real ambiguity as to how did this third party find out about the transaction? Where did they get information? It’s not clear,” he said. “They’ve hacked into one or the other’s email accounts and so all those different factual issues make it really difficult to understand exactly who’s at fault. Even if it’s clearly coming from one party, there’s still a potential argument that there’s contributory liability on the other party, typically as well.”
And ultimately, the cost of litigation in these cases is so expensive that it tends to be more cost-effective to settle, rather than take parties to court.
“It’s such an intensive factual question as to if there was negligence and who it was – that costs a lot of money to even figure out that question, and there’s a lot of uncertainty as to how it will be resolved,” Snyder said. “So whenever you have expensive litigation that is really difficult to predict, you get a lot less of it because it’s more cost-effective for the entities involved to settle,” Snyder said.
Cases of real estate wire fraud will require technical analysis from experts to understand what took place, and even that analysis is not always exact or certain, Snyder said. To have that analysis done and present expert testimony in court would be expensive.
“If there’s an insurance aspect to the type of business email compromise, that’s more likely to be litigated just because you might have an insurance company with more resources and more incentive, but when you’re talking about private parties, the likelihood of litigating is really low,” Snyder said. “It almost takes somebody behaving irrationally, because they’re going to spend more money than they’re going to get back, probably.”
A STANDARD, IF NOT A PRECEDENT
Despite the difficulties of litigating liability in cases of wire fraud, there are a few cases that are considered important.
One such case is Bain v Platinum Realty, LLC, which was filed in a Kansas Federal District Court in May 2016, with plaintiffs Jerry and Jennifer Bain versus defendants Kathryn Sylvia Cole, a Realtor, and her realty agency Platinum Realty.
The Bains were buying a home and Cole represented the seller. According to the filing, the Bains lost the home purchase price of $196,622.67 by following fake wiring instructions that were supposedly sent to them by Cole.
Instead, an unknown criminal had inserted himself into the transaction, including using accounts that spoofed the names of accounts used by other participants in the transaction. The Bains alleged that Cole had emailed those instructions to the fraudster, misrepresenting that those instructions were correct.
In April 2018, Bain was granted judgement against the defendants, “jointly and severally, on his claim for negligent misrepresentation in the amount of $167,129.27,” which equals 85% of the Bains’ losses. Because the judgment was joint and several, both of the defendants remain liable for the full amount of the judgement until it’s satisfied.
The significance of the Bain case, Cronkright said, is that while the title company and the bank settled out, the agent and the broker chose not to. The case also highlighted the “duty to educate,” he said.
“One of the issues that seemed apparent in that case was that the information [about wire fraud] was simply not disseminated to the buyers, and if it was, it could have resulted in them not wiring funds and being more aware and [having] more acuity around this threat,” Cronkright said.
Even in instances where there is no official court case or decision, Cronkright and his team will examine pleadings in wire fraud cases. They work to find the common denominators of how the plaintiff’s counsel was positioning their arguments against the transaction participants; cases where, had they done certain things, they could have seen different results.
Cronkright identified four legal theories that are often used in arguments when litigating wire fraud liability: negligence, breach of contract, breach of fiduciary duty and breach of consumer protection.
“The most common by far is your simple claim of negligence,” he said. In layman’s terms, he described it as, “We might not have a contract written out, but you do have a duty to me in some fashion. You breached that duty, and because you breached that duty, it led to a loss – and I can point to what that loss is.”
Breach of contract can encompass express contracts, where there is a document that can be referenced, or an implied contract, which isn’t in writing but could involve applying the industry standard for a service to determine whether that standard was met.
Breach of fiduciary duties involves the standards that come into play when someone is entrusted to hold money that belongs to someone else.
“[Fiduciary duties] typically apply to companies or professionals that are in a unique situation because of the responsibility that they’re taking on and the impact it could have to third parties,” Cronkright said. “Very similar to negligence, but a heightened sense of negligence for professionals.”
Breach of consumer protection would apply under the consumer protection laws that states have in place.
“The way we’ve seen these expressed in pleadings is that a plaintiff’s lawyer will look at a website, will look at marketing material, will look at social media, and they’ll look at these claims,” Cronkright said. “So what they did in Bain, they said, ‘Wait you hold yourself out to be best-practice compliant. You hold yourself out to have a safe and secure closing experience. You’re holding yourself out to the general public as this type of company or this type of professional. And that’s misleading, and because it’s misleading it could cause harm to others and therefore it’s a breach of consumer protection.’”
“That’s super broad,” he continued. “And that’s why this whole area is so challenging, is that by their nature, the way these are structured, the theories, or the statutes they’re relying on are broader rather than narrower in nature from a legal perspective.”
The irony of trying to assign blame for wire fraud is that both consumers and financial institutions are victims, Cronkright said. “The escrow officer, the agent, the attorney — they didn’t take the money. You can point to criminal intent or gross negligence or something like that, but the fact is: someone got tricked. Yes, they used some type of a cyber-related entry point, either a hacked email or somebody got phished or whatever it is, but ultimately, somebody simply got tricked.”
“And here’s the kicker of it: Typically the company that would be sued, or named in the litigation isn’t even aware that the fraud’s taking place when it’s taking place,” he continued. “Let’s say I had money in a vault, and I saw somebody that was, you know, torching it, stealing money out of the vault. I might be able to prevent them from leaving the parking lot, for example, or I could call the police and say, ‘Wait a second. I think they just took money out of the vault.’ I can physically see this. But wire fraud doesn’t materialize until after the money’s gone. And that’s the hard part of it.”
It remains to be seen whether more precedent-setting cases will go to court and provide guidance for future litigation. Cronkright pointed out that real estate wire fraud is a specific subcategory of diverted payment fraud, and there are cases taking place in industries like the services sector or manufacturing that could inform wire fraud.
“We’re seeing an acceleration of them being filed, but I think it’s going to take years” to see more instances of landmark cases, Cronkright said.
In the meantime, Cronkright stressed the importance of insurance protection.
“If you’re a transaction participant — a professional that’s helping in any facet of the real estate transaction, make sure that you check in with your insurance company, and that you ask specific questions around social engineering and wire fraud and what may or may not be covered,” he said. “While we want to do everything to mitigate the risk, make sure that your insurance carrier understands your process so that, God forbid that that something does happen, you have the ability to have insurance coverage to allocate that risk through.”
MOVING FOWARD
Of course, the ultimate goal is to avoid cases of wire fraud altogether, but several market realities complicate that goal.
For one thing, the lack of housing inventory in many markets means borrowers feel a sense of desperation as they get close to closing on a house, especially if this is the first time they’ve been through the mortgage process.
“The fatigue that most first-time homebuyers are feeling by the time they’re under contract is intense. They do not want to lose that contract,” Cronkright said. “So, it’s this even heightened sense of, ‘I’ll do whatever it takes to get to the table at this point. You tell me to wire the money — here it is.’”
“And again, it’s all those dynamics that lead to the social engineering that’s so successful because they’ve learned this, unfortunately,” he continued. “[Fraudsters] threaten consumers that they’re going to lose the deal. They’ll threaten or do whatever they need to get this person to hit send.”
And with many people working remotely during the coronavirus pandemic, cybercrime will likely increase during this period. Not only are workers using less secure home networks, they are spending more time online.
And there’s the stress of being in lockdown during a pandemic — a very human element that cyber criminals know how to exploit.
Wire fraud and regulatory compliance violations rose by an additional 62% within just 10 business days of the pandemic during the rise of work-from-home policies, according to data from FundingShield. This increase included wire instruction errors; transaction data mismatches such as property, bank, borrower, lender and closing/title agent; perpetuated fraud attempts; incorrect/altered wire instructions; phishing attempts; and requests to fund unauthorized/unrelated third party accounts.
While many in the industry have taken significant steps to mitigate wire fraud, Snyder sees a lot of room for growth. “If you find an entity with really solid procedures, wire fraud really shouldn’t happen. I work with private equity funds that have to move millions of dollars within 24 hours, and so they’ve figured out ways to make sure that that they’re not having somebody interject fraudulent instructions. It always involves voice communication and confirming orally — not relying on anything that is received electronically, particularly when it comes to changing information that you haven’t used before, or that you have used before, to something new.”
And Cronkright offers a very practical incentive. “I’ll speak for title and settlement: Most companies couldn’t withstand a loss with just the average size wire transfer — that could be a quarter-million dollar loss. That’s just not how you want your life’s work to go down, in a wire that ends up in some bad person’s hand.”
Wire fraud – An ounce of prevention
We asked Sun Title Agency CEO Thomas Cronkright about some of the precautions financial institutions can take to prevent wire fraud. He emphasized that education on the issue has to start at the very beginning of the relationship with the borrower, whether that’s between lender and borrower, attorney and client or real estate professional and either buyer or seller.
“Everyone needs to do their part to educate the borrower from the minute those relationships are formed. And then everyone else needs to say, ‘Okay we’re going to participate in backfilling or updating and reminding them that this is how it’s going to work. Here’s how you get wiring information. It’s not going to change. I’m not going to call you with new account information. I’m not going to send you to some email address.’ However your process works, clearly articulate it and you just can’t change. And then remind them of that.
“I think the other thing that needs to happen is that if you’re asking somebody to wire funds to you, you have to confirm you know who they are and confirm acknowledgement that they’ve received the correct wiring information and that they’ve agreed to follow that.
“I say that because we’ve seen instances where the buyer’s email was compromised. The title and settlement company thinks that they’ve received the wiring information, but the fraudster redirected that and then inserted wrong information. So, electronically they received it. But they never saw it. And then they follow the wrong instructions that they thought were coming from the provider in that way. That’s kind of the inbound side. If you’re wiring funds out, you have to have a mechanism to confirm identity and validate bank credentials before money gets dispersed. This includes title and settlement, and now includes lenders that are doing cash-out refinances.
“The No. 1 thing companies can do — at the very least — is to start early and give clear communication around the risk of wire fraud. Everyone has a duty to notify borrowers early in the process that the risk is there. A lot of companies make the mistake, or the assumption, that once they get final numbers and the lender signs off, then they’ll let borrowers know how to send the money and then they’ll alert them to wire fraud. But borrowers may have wired the money two weeks ago because the fraudster impersonated you and you didn’t get to them first.”