Alert: Hackers take aim at home buyers
If you’re a home buyer, you should be aware that you are a very popular and relatively easy target for hackers. In order to purchase a home, you have to disclose all your most closely held personal information, especially if you are financing your purchase. All this information is shared among a plethora of individuals in multiple offices around the country because there are so many moving parts and interested parties involved in the purchase of property.
And, of course, huge sums of money are being exchanged during the process. Why wouldn’t hackers target you?
There are two hacking schemes being used recently that are pretty scary, so please read on if you or anyone you know is in the process of buying a house now or in the near future.
Regardless of which scheme the hackers are using, the route to your information is either via your realtor or your lender. Once they hack into one of our email accounts, they do nothing to let us know they are in; instead, they watch for information about buyers and sellers.
Scheme 1 has been around about a year now, and this one is definitely targeting your money.
As your sale closing approaches, your title company or attorney will send you instructions that include what you need to take to your closing. In addition to a photo ID, you will also be told the amount of funds required, and where and how to wire funds to close the transaction.
At very close to the same time, the hacker will also send you what appears to be an official-looking email from the “title company” with “updated instructions” on where to wire funds. (Remember that your agent and escrow officer have been communicating frequently during your purchase, so hackers have the official signatures each has been using, and these are easy enough to copy to make the email with updated escrow instructions look legit.) Some hackers may even include other information about your transaction to make the email look even more like it has come from a trusted source.
Generally speaking, this will not impact the majority of buyers who hand-carry a cashier’s check for down payments and closing costs to the title company at closing. But for out-of-state buyers and cash buyers, it is not uncommon for funds required for settlement to be wired to the title company. For cash buyers, this can be hundreds of thousands of dollars that you could be wiring directly into the hacker’s bank account.
Scheme 2 is an attempt at ID theft and comes to you in the form of an email that appears to be from DocuSign.
If you’re like most buyers these days, you sign your offer to purchase documents via electronic signature. DocuSign is just one of the businesses that offer this service, and so far as we know, it’s the only one that is being used in the recent hacks. Unfortunately, you might get documents to sign from either your realtor or your lender, and the emails you receive are just ambiguous enough to fool you into thinking they are official documents that you have already signed.
Here’s a sample of such an email that was recently received from a home buyer:
As you can see, this email isn’t even from DocuSign but from an Eden Guthrie, and apparently Google knows about this scheme because a warning is attached as well, so please do NOT click on the ACCESS DOCUMENT button.
However, Google also uses this warning on legitimate documents from other e-signature providers, so be sure to check with your lender or realtor to make sure that whatever you have received is legit.
How can you protect yourself from hackers?
- Make sure that your realtor, lender and title company are all taking every step possible to keep hackers out of their email. Personally, my email is encrypted and I use strong passwords that I change frequently, which makes watching my email much more difficult for hackers.
- Ask those involved in your transaction to always alert you when any document has been sent to you for electronic signature. I always send a text to make sure you’re watching for email from me or whoever the email will come from.
- Be aware that it is very uncommon for a real estate agent to request sensitive information from buyers, especially via email. We don’t need your bank statements (unless you are a cash buyer) or any information with your Social Security number. That type of information should always be handled by your lender. When we do require proof of funds for a cash transaction, buyers should always redact most of their account number (leaving only the last 4 digits), and should send proof of only enough funds required to settle the purchase. If you are able to encrypt the email, that would be even better.
- Before wiring funds, always double-check with your title company or attorney to make sure that you have the correct wiring information for your bank.
- Be sure to keep and check old emails you have received from the title company to make sure you are calling or emailing the correct person, because hackers will include their contact information in case you are looking for more information.
- Don’t click on any links in the email; doing so gives the hacker access to your email (if they don’t already have it).
- Remember that all final loan documents must be signed in person. Electronic signatures are never used.
It’s an Internet world out there, but there are always steps you can and should take to protect yourself. Unfortunately, if you’re a potential victim of scheme #1, once your bank wires funds, even if to an incorrect account, the money is gone. And if you’re a potential victim of scheme #2, once a hacker has all your most sensitive information, you become an ID theft victim and have to deal with all the hassles of getting that squared away. Your bank accounts can be locked, your credit will be flagged, and so on.
The good news is that banks, title companies, lenders and realtors are all aware of these threats and are all taking whatever steps we can take to tighten security on your behalf. But at the end of the day, responsibility for protecting your money and your ID is still yours. So, be careful out there. Check and double-check with whoever you’re working with just to make sure that whatever you are receiving is legitimate, and proceed from there.