Escrow Account Takeovers Continue to Escalate
Escrow account takeover attempts are accelerating and becoming more sophisticated.
Criminals are no longer relying solely on fake wire instructions or simple phishing emails. Instead, they are deploying layered attacks designed to compromise internal systems, capture banking credentials, alter security settings and ultimately steal funds directly from escrow accounts.
In addition to the tactics reported in December, criminals are sending emails that appear to come from trusted parties with attachments posing as payoff or transaction documents. The attachments contain keystroke-logging malware, often introduced through a previously compromised transaction party, that captures the company’s online banking credentials once the attachment is opened.
Using those credentials, the criminals change online banking profiles and security protocols and add their own device to receive MFA codes. This allows the criminals to initiate and approve the fraudulent wires.
This tactic has resulted in losses of more than $5 million over the past two months.
This scheme is particularly concerning because it defeats traditional protections: it does not rely solely on tricking staff into wiring money, it exploits legitimate system access, it neutralizes MFA by enrolling a new device, and it allows criminals to both initiate and approve wires internally. In other words, once credentials are compromised, attackers can reconfigure the bank environment itself.
To protect against these threats, title and settlement agents must use multiple layers of security, not just single-user login protection.
Protection Tips
Require both multi-factor authentication (MFA) and multi-party authorization for:
- Any changes to account profiles or security settings
- All wire initiations and approvals
- Device enrollment for MFA codes or calls
Require dual controls for:
- Any changes to account profiles or security settings
- All wire initiations and approvals
- Device enrollment for MFA codes or authentication calls
If one user’s credentials are compromised, a second authorized user can prevent unilateral control.
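The dual-control rules above can also be checked after the fact against the bank portal's activity log. The following is an added example, not ALTA's or any bank's code; the event fields, action names and sample events are constructed assumptions, since real audit-log schemas vary by institution.

```python
# Added example: audits a constructed online-banking activity log for
# dual-control gaps. Field and action names are assumptions, not a real schema.
GATED = {"profile_change", "security_setting_change", "mfa_device_enroll"}

# Constructed sample events: ids 1-3 follow dual control, ids 4-7 do not.
EVENTS = [
    {"id": 1, "user": "alice", "action": "mfa_device_enroll", "device": "dev-A", "approver": "bob"},
    {"id": 2, "user": "alice", "action": "wire_initiate", "device": "dev-A", "wire": "W1"},
    {"id": 3, "user": "bob", "action": "wire_approve", "device": "dev-B", "wire": "W1"},
    {"id": 4, "user": "alice", "action": "security_setting_change", "device": "dev-A", "approver": None},
    {"id": 5, "user": "alice", "action": "mfa_device_enroll", "device": "dev-X", "approver": None},
    {"id": 6, "user": "alice", "action": "wire_initiate", "device": "dev-X", "wire": "W2"},
    {"id": 7, "user": "alice", "action": "wire_approve", "device": "dev-X", "wire": "W2"},
]

def dual_control_violations(events):
    """Return (event id, reason) pairs for actions taken without a second person."""
    findings = []
    unvetted_devices = set()   # MFA devices enrolled without an independent approver
    initiators = {}            # wire id -> user who initiated it
    for e in events:
        action, user = e["action"], e["user"]
        if action in GATED:
            approver = e.get("approver")
            if approver is None or approver == user:
                findings.append((e["id"], f"{action} without independent approver"))
                if action == "mfa_device_enroll":
                    unvetted_devices.add(e["device"])
        elif action in ("wire_initiate", "wire_approve"):
            if e.get("device") in unvetted_devices:
                findings.append((e["id"], "wire action from device enrolled without second approval"))
            if action == "wire_initiate":
                initiators[e["wire"]] = user
            elif initiators.get(e["wire"]) == user:
                findings.append((e["id"], "wire initiated and approved by same user"))
    return findings

if __name__ == "__main__":
    for event_id, reason in dual_control_violations(EVENTS):
        print(f"event {event_id}: {reason}")
```
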
Consider implementing a dedicated banking device:
- Used only for online banking
- Not used for email, document downloads or web browsing
- Connected to the internet only when performing banking tasks
- Disconnected immediately afterward
Even when emails appear to come from trusted parties:
- Verify unexpected attachments by calling a known, trusted number
- Avoid opening files on machines used for banking
- Use endpoint detection and advanced antivirus tools
- Train staff to recognize urgency-based manipulation tactics
What to Do If an Incident Occurs
A settlement company or law firm that believes it has been targeted, or has already experienced unauthorized account activity, should take these immediate steps:
- Follow ALTA’s Wire Fraud Incident Response Protocol, available through ALTA’s Rapid Response Worksheet, and contact appropriate parties
- Preserve all communications, including call logs, texts and emails related to the incident
Fast response is critical. In some cases, prompt action may help limit losses or improve the chances of recovering funds.
____________________________________________________________________________________________
Contact ALTA at 202-296-3671 or communications@alta.org.