A cyberattack is a malicious and deliberate attempt by and individual or an organization to breach the information system of another individual or company, seeking benefit from the disruption, ransom, or theft of data.

This electronic threat is increasing in frequency and complexity and has become very expensive to remediate or to recover from.

Here鈥檚 the surprise 鈥� almost 90 percent of cyberattacks are caused or allowed by human error from the internal staff of the entity attacked.

This includes failure to follow security rules and protocols, sharing passwords, using weak or default settings, and falling victim to social engineering.

Even the large events such as the hacking at Equifax and Target, were caused by failure to follow the rules regarding administrative password settings, human error.

So whether your business is large or small, you need ongoing, strong training and testing to counter the threats.

Recent survey results of a survey of title insurance professionals by the American Land Title Association show a surprisingly small amount of agents are conducting ongoing staff training, and most do it once when they hire an employee.

This is a recipe for eventually becoming a victim of electronic fraud.

There are simple yet effective steps to take to counter the increasing threats by taking a strong defense, and it starts with regular training and testing to remove or reduce the human error element.

Here is what to do to put a training and test plan into action:

• Ensure new hires are introduced to and educated on information and data security policies and procedures as well as how to protect nonpublic personal information (NPI) and sensitive information. Emphasize to them the 鈥渨hy鈥� so they fully understand the shared responsibility nature. This should be a core part of their orientation and on-boarding.
• Set and schedule ongoing training for all employees at every level commensurate with the size of the staff and complexity of your business. This should be monthly, quarterly or semiannually.
• At a minimum, cover controls over access (passwords; pass phrases; multi-factor authentication), network and data distribution (including never using non-secured networks for conducting business such as those in cafes/hotels/airports), phishing and spear-phishing, and never use a general email service like Yahoo or Gmail when sending NPI or sensitive information; social media and social engineering.
• Require security measures for smart devices (smart phones, and in particular Androids, account for a large percentage of data breaches).
• Explain the implications of data loss, which includes reputational hits and potential fines and penalties and law suits.
• Focus on all media forms 鈥� hardcopy as well as electronic 鈥� and include proper handling and protection from receipt through handling to secured destruction.  
• Training may be done with internal documents or you may use a third party to conduct the training (i.e. Data Shield; KnowBe4).
  
• After the training, use a quiz to gauge how well your employees understood the material.
• Develop or use a third party to conduct ongoing, regular internal testing such as phishing or spear phishing testing (i.e. KnowBe4 is one vendor who can provide you this tool). Depending on the results, you may then make appropriate changes and re-focus your training to deal with any weak or weaker topics or areas.
• Provide a single point of contact the employee may turn to with questions or to report any suspected suspicious attempts to obtain information or data (electronic or by phone).
• Keep records of the training and attendees and testing results. This will be needed to demonstrate good faith, to meet many state requirements 鈥� and it鈥檚 a best practice.

Last, keep up-to-date on emerging threats and vulnerabilities and provide updated training to employees to be sure they understand new risks or new controls and why they are important; employees must know how to recognize and report threats to stay vigilant.

This will keep your training and testing current and fresh and serve as a continual reminder to your staff. Remember, this is a marathon, not a sprint. Threats are constantly evolving and your training and testing must also evolve to counter these threats and keep your defense robust.

The post Increased Risk Means We Need to Increase Training appeared first on 星空传媒 星空传媒 Title Insurance Co..

See what you think of this one:

A young woman is selling a property and her father is the real estate agent on the deal. The father and daughter hand deliver wire instructions to the title agency.

Ten minutes after they leave, the processor at the title agency receives an email that looks like it鈥檚 from the daughter. The email says 鈥淢y daddy鈥� wants to change the wire instructions so the seller proceeds will go to a different account.

The processor doesn鈥檛 want to bother the daughter and feels comfortable that the email is legit given that it mentions the woman鈥檚 father. The processor marks the changed instructions as 鈥渧erified鈥� and sends them to the wire department.

The email was fraudulent. The wire was for nearly $300,000. In this case, the title agency was able to retrieve all the money thanks to quick action and more than a little luck.

Freaky, right?

The details always get our attention, but they can also distract us and make it hard to get ours hands around the basic ways escrow fraud tends to work.

Escrow fraud schemes tend to follow common patterns. Often, fraudsters hack the email account of the real estate agent or another party and monitor the account for upcoming closings.

As a closing date approaches, the fraudsters 鈥� posing as one of the parties to the transaction 鈥� interject themselves into the communications chain and seek to change wire instructions. Fraudulent communications usually come via email but also can be made via telephone or fax.

7 COMMON SCAMS WE鈥橵E HEARD ABOUT FROM OUR AGENTS

• 1. THE SELLER SPOOF: A classic. Fraudsters, posing as the seller, email the settlement agent using an email address that looks like the seller鈥檚, or even uses the seller鈥檚 actual email address. The criminals attempt to divert seller proceeds to a fraudulent account.
• 2. THE LATE SWITCHEROO: The settlement agent receives instructions from the seller regarding where to wire the seller鈥檚 sale proceeds. Then, before the closing, the settlement agent receives a message from an email address that looks like it is from the real estate agent instructing the settlement agent to wire the sale proceeds to a different, fraudulent account.
• 3. EARNEST MONEY HUSTLE: The settlement agent receives an email from an address that appears to be the real estate agent鈥檚. The fraudster instructs the settlement agent to release the earnest money deposit back to the alleged client. The instructions direct funds to a fraudulent account.
• 4. THE BUYER BEWARE: Fraudsters pose as the settlement agent or real estate agent using an email address that looks like it is from one of them and instruct the buyer to wire his or her down payment funds to a fraudulent bank account.
• 5. THIRD-PARTY POOPER: In a transaction involving a third-party investor who is to receive seller proceeds: The fraudsters, impersonating the investor, using an email address that looks like the investor鈥檚, provide fraudulent wire instructions to the seller. The seller conveys these instructions to the settlement agent who wires proceeds to the fraudulent account.

In addition, some frauds may not involve the buyer, seller or real estate agent. Here are some examples:

• 6. BUSINESS EXECUTIVE SCAM: Fraudsters, posing as the CEO or CFO of a title company, email an employee whose job includes transferring funds. The email requests an urgent payment to be made outside of normal procedures, often giving a pressing reason. The account to which payment is made is fraudulent. 7. THE VENDOR BENDER: Fraudsters, posing as a vendor of the title company, email the title company directing payment of an invoice to a fraudulent account.
• We鈥檝e developed an infographic outlining these 7 Deadly Scams, and we hope that by familiarizing yourself with these basic patterns, you and your team will be better positioned to sniff out escrow fraud. You may also want to discuss common scams, like the Buyer Beware and the Third-Party Pooper, with your consumers.

On that note, 星空传媒 星空传媒 recently produced a white paper on escrow fraud as part of our ongoing effort to inform agents about the threats we all face. The paper provides real-life tips and strategies for keeping consumers informed about the important role they can play in helping to keep escrow funds safe.

I鈥檒l be back next week with a post exploring some of those strategies.

The post Escrow Fraud Schemes Follow a Common Pattern appeared first on 星空传媒 星空传媒 Title Insurance Co..