Avoiding Real Estate Wire Fraud

If you’re in the process of buying a home, or plan to be, you need to be aware of real estate wire fraud.

The goal of this scam is to convince the victim to move the money for a down payment—usually tens, if not hundreds, of thousands of dollars—into an account controlled by the scammer, via wire transfer. And the problem with money sent by wire transfer is that it’s effectively impossible to retrieve. You could lose your down payment and the house.

In some cases, the thieves will use phishing techniques or malicious software to gain access to a realtor’s email accounts, then monitor communications for pending sales. In others, they may use publicly available online tools to identify pending sales, then set up a fake email account that will appear to come from the actual realtor (if the victim doesn’t examine it too closely).

When a sale is approaching its closing date, the thief will send an urgent email to the victim informing them that the instructions for making the down payment have changed—either a check is no longer acceptable and the victim will have to wire the funds, or if the payment was originally going to be made via wire, that they need it to be sent to a different account.

Either way, the message will include wiring instructions that lead to an account held by the scammer, not the realtor.

Losses from real estate wire fraud are growing, with hundreds of millions lost (and that number may be far lower than the actual total—many cases go unreported due to the potential for reputation damage). If you’re buying a house, know that you may very well be targeted. If you receive any new wiring information via email, or a message instructing you to e-sign documents or log in to a website, verify that with a call to the realtor to make sure it’s legit. Double-check everything in that email—is it coming from the correct email address; has the realtor’s command of English grammar suddenly changed?—and slow down instead of reacting quickly in the moment.

Going through extra steps can be a pain, but nothing compared to the pain of sending your entire down payment to a criminal.

Who is at Greatest Risk for Identity Theft?

Identity theft is a ubiquitous crime that comes in many forms and can affect anyone, but some groups of people are at an increased risk.

Children

Children who are too young to have a credit history established are targeted by identity thieves for several reasons. With no history (and therefore no negative history), children represent a ‘clean slate’ for thieves to work with. Also, unless the parents are checking their child’s credit report—essentially to make sure there isn’t one yet—the theft may go unnoticed for years, at least until the victim becomes an adult and begins applying for student loans, credit cards or housing. If you’re a parent, be sure to check your kids’ credit reports whenever you check your own.

Seniors

Seniors are often targeted for identity theft (and scams in general) over the phone and through online phishing attacks. Seniors are perceived to be most trusting, less savvy and wealthier, making them attractive targets for identity thieves. Some are also reluctant to report that they have been victimized, whether out of pride or shame, or fear that family members will think they are incapable of taking care of themselves.

College Students

College students are at higher risk for identity theft, especially theft is carried out by someone they know. Many are applying for credit cards for the first time, so their credit histories are relatively clean, plus they may not yet be aware of how important it is to keep personal information safe.

Military Personnel

Military service can include significant stretches of time away from home, where collection calls from creditors doesn’t actually owe anything to (one of the warning signs of identity theft) go unanswered, bills from credit cards the victim never applied for go unseen (another red flag), and where the nature of the job can push things like checking a credit report for discrepancies to the back burner.

Higher Income Households

Identity theft takes many forms, but it’s usually financial in nature, so it makes sense that members of higher-income households would be at increased risk. The promise of larger account balances and higher credit ratings makes them a tempting target.

However…

You probably knew this part was coming: even if none of the above categories apply to you, you don’t get to coast. Everyone is a potential victim, and some of your information is almost certainly already out there being bought and sold. Check your credit reports, don’t ignore unexpected collections calls or bills, place credit freezes, and stay informed so you know what to watch out for.

How to Avoid Fake Coupons

Have you ever heard of a little company called Walmart?

What about Costco? Amazon? Target?

Of course you have. They’re all huge corporations. A couple are beyond huge.

But with all the fake coupons circulating over social networks, you’d think they were obscure little startups in need of a gimmick—somethin’ real splashy!—to get people to notice them.

The pitch usually involves taking a short survey to get a coupon for 50% off your entire purchase, or a large discount—often $100 or more—from some large retail chain. What actually happens is that you’ll take an anything-but-short (and usually pretty-darned-long) survey that harvests personal information, including your email address so you can get plenty of spam sent to you, and then a fake coupon that you will be unable to redeem at whichever retailer the scammers have decided to use. In the most egregious cases, the survey website will make you install a program or app to get the fake coupon, which will turn out to be malicious software.

If you see a coupon being shared on a social network like Facebook, right away you should be suspicious. Be even more suspicious if it promises a significant discount from a large, universally-known retailer—newer companies that are trying to build a brand usually offer 10% off (listen to just about any podcast popular enough to have sponsors and you’ll hear at least one such offer). What could Walmart possibly hope to accomplish by giving millions of people (most of whom already shop at Walmart anyway) half off their entire bill, except to make less money? There would be zero upside. The same goes for Target and Amazon, and Costco isn’t going to give anybody a coupon worth more than the membership costs.

When you recognize a fake coupon offer, let whoever shared it know that it’s a scam and a potential security threat, and to delete their post. If the fake coupon originated from a page (such as a Facebook business profile), you can report the page as a scam and hopefully get it removed. The most important thing is to not click the link and to not follow through with any surveys or requests for personal information.

Should You Worry About Writing Out “2020” on Documents?

The warnings are dire and deadly-serious, and by now, you’ve heard it at least once: make sure you write out the year “2020” when you date checks and legal documents, because if you just write the year as “20,” some scammer is going to change it to “2019” or “2018” or “2021” and…do something or other to you.

The primary anxiety seems to be that someone could backdate a loan agreement and make it look as though you initiated the loan in 2017 (for example) instead of 2020, and then sue you for payments and interest, using the signed document as evidence that you didn’t pay for three years.

However, mainstream, trustworthy lenders aren’t going to resort to this kind of thing because getting caught could result in the entire financial institution being shut down for fraud, plus the growing trend of electronic applications and e-signatures renders the point moot anyway.

(Also, you’re not going to borrow from any shady, greasy, fly-by-night under-the-table lenders in the first place, are you? “If it sounds too good to be true…”)

The scenario for writing out the full year on checks usually goes like this: if you just write “20,” but the check never gets cashed, some scammer is going to find it a year later, change the date to “2021,” then cash it.

Okay. And how likely is it that all these circumstances will line up in exactly this way? Most people don’t even write that many paper checks anymore, and very few of those go uncashed. Most payees want to be paid. Of course, anything is possible but even so, now this theoretical-scammer-from-a-year-from-now has a non-staledated check…made out to someone else. At some point, it would be easier to earn his own money, especially since any check that did remain unused long enough to go stale is probably not for an amount large enough to be worth the hassle.

I can’t think of an obvious benefit to this theoretical scam in any other scenario. If you give someone a check dated 2/13/20 and they change it to 2/13/2019, they have now rendered the check void because most financial institutions won’t honor a check past 180 days. And if they change it to 2/13/2021, all they’ve done is make themselves wait another year to cash it. Not exactly the work of a criminal mastermind.

fAll that said, go ahead and write out “2020” on checks and documents anyway. And next year, write “2021,” and after that “2022.” Why? It takes zero effort and it’s more accurate. It’s always good to strive for accuracy. And it eliminates the (ludicrously unlikely) situations above.

Do You Need to Change Your Passwords Regularly?

For years, the conventional data security wisdom has been to change all your passwords every three months. Or sometimes you would hear six months. At least once a year, they would tell you.

But is this necessary in every case?

The short answer is: it depends.

If you know or suspect a password has been compromised (examples: a major data breach has happened, or you fell victim to a phishing scheme), log in to the affected site immediately and change your password.

If you have been using a weak password (a single word, or a word-plus-a-number, or “password” or “abc123”), go change that immediately because that type of password is far too easy to crack. You don’t have to change your password to a string of gibberish (like “iu3r54!#hr3uHCE&@Eibi84f87*^CE” or whatever), but make them long. A long password constructed from random words, such as “vinestumpaxelclownboat,” is more secure than a short one made of uppercase and lowercase letters, digits and special characters, like “hJe4j#x.”

If you’ve been reusing one password for multiple accounts, go ahead and change those. When a database is compromised, cybercriminals will try the hacked email/password combinations at other sites. Example: you’re a member of some online discussion forum you’re not too serious about. If that database gets hacked (or simply downloaded…plenty of websites have been revealed to be keeping member login information in plain text) you can be sure that the people who did it aren’t interested in disrupting discussions about methods for making D.I.Y. tofu (or whatever your hobby is). They’re going to try that email/password at every major credit card, bank, retailer, and social network app. If you’ve reused it anywhere important, nothing good will come of it.

But what if you’re already using a strong password, there hasn’t been a data breach or a hack, and you haven’t fallen victim to phishing or any other tricks? The current advice is to just let that password ride. If it’s impossible for a human to guess and would take a computer script a trillion years to crack, changing it every three or six or twelve months doesn’t really do anything to provide any additional protection.

Of course, you can change any password any time if it helps you feel safer, but make sure to keep them strong, and don’t get into the habit of just changing one digit at the end (changing “vinestumpaxelclownboat1” to “vinestumpaxelclownboat2” for example); this could make your new password guessable if thieves obtained an old database and figured out your pattern.

Another Way They Can Get Your Personal Information

If somebody made a pie chart of every article I’ve ever written about fraud prevention, a very large slice of that pie would be “how to avoid giving away your own personal information to people who shouldn’t have it.”

But victims revealing their data directly isn’t the only way this information falls into the wrong hands. “Of course!” you might say. “There are those big data breaches.”

And that’s true. But there is yet another route that doesn’t get talked about as often: other people being tricked into revealing your data on an individual basis.

Let’s say you’ve got a non-private Instagram account under your actual name, where you post photos of the things you do and the places you go. You go on vacation and post a “check-in” at the hotel at which you are staying.

Eventually, somebody you don’t know sees this post and decides you look like you might have some extra money sitting around. So they call the hotel after you’ve gone home and start asking for details about your stay, pretending to be you. Maybe they’ll say, “I was there on business, so I need to know what card I used, and what email address the information was sent to because I can’t find it,” or maybe they’ll concoct some other way to find out where you bank and harvest some contact information.

Now, maybe the person answering the phone knows about social engineering and cares about keeping people’s information safe. But then again: have you ever checked into a hotel and had to deal with a front desk person whose name might as well have been Yeah Whatever? What if that eyeroll-come-to-life answers the phone? They might not be too bothered about whether or not the person they’re talking to is really you, and just answer the questions to get the caller to go away faster.

Armed with your name (from your Instagram account) and some information about where you bank (and perhaps the last four digits of a card number) and how to contact you, the scammer can then call or email you, pretending to be your financial institution. The premise of this contact? Easy. “There were some charges made in [wherever you just vacationed], and we wanted to make sure it was you,” and from there he or she can attempt to gain access to your account.

Granted, this kind of multi-level, personalized social engineering isn’t extremely common, but it illustrates an important lesson: that you’re not the only potential target for people trying to obtain your personal information. It is vital to watch for the signs of unauthorized access, to be aware of social engineering tactics, and to be extremely wary of any contact that appears to come from your financial institution, even if they seem to already have some of your personal data.

The Pigeon Drop Scam

I’ve been trying for a while to figure out a clear, concise way to explain the Pigeon Drop Scam, but I’ve had trouble keeping the article length reasonable. There are a lot of variations on this very old scam.

The basics are pretty much the same across the board. A stranger approaches you, claiming to have found a large sum of money. Sometimes the money is in a bag, or a box, or a duffel. Sometimes it’s made to look like evidence of a crime, with a note or some other indicator (so the victim thinks whoever it belonged to isn’t likely to come looking for it through legal means). Some scammers work alone, some use an accomplice. At some point, you will be asked to hand over some of your own cash. But there are so many variables to the scheme that it’s hard to even identify what the “classic pigeon drop” scam would look like, to use as an example to write about.

Therefore, it’s probably best to just point you to a video where somebody shows you instead of tells you how this thing works. I found a couple decent ones where a couple pigeon drop scenarios are acted out (in one case on an unsuspecting “victim” who is later let in on the scam and has his cash returned by the crew making the video):

The common thread: a stranger who claims to find money, then asks you to give him or her some of your own for some reason.

The point is this: as soon as a stranger approaches you claiming to have found cash, regardless of how many people you find yourself talking to, regardless of the pitch (whether it’s “hey let’s divvy it up!” or “hold this while I report it” or something else entirely), you are not going to end up a winner if you go along with what that person asks you to do.

Given that this is an in-person scam, I would not recommend letting on that you’re suspicious. Politely suggest they report the find to the police, then walk away. As soon as it is safe to do so, call the police yourself with as good a description of the crook as you can give. You might help someone else avoid being a victim, and you might even help a terrible person run headlong into some well-deserved terrible luck.

The Nuclear Option: (Almost) Never Answering the Phone

There are a few scams that happen in-person (the fake utility worker being one of the most common), but the majority rely on some sort of communications technology.

This gives the people running the schemes the advantages of a physical buffer (less likely to be identified, or slugged upside the skull by an enraged victim), global reach (not limited to immediate local surroundings) and scalability (the ability to scam hundreds of people simultaneously, instead of one at a time).

According to FTC statistics, the telephone was the contact method for 69% of scams reported to the agency in 2018. By comparison, in 2008 phone calls only accounted for 7% of that total (email was the king back then, at 52%). If it seems like you’re getting more and more fraudulent phone calls over the past decade, it’s because you are.

Of course, there are various techniques for spotting a scam phone call in the moment, and one tried-and-true method of responding (hanging up without saying anything), but while I’m not a big fan of scorched-earth responses to daily irritations, there is one option that isn’t brought up often enough: simply (almost) never answering the phone. Basically, if the phone rings, you let it go to voicemail.

It can be hard to get used to. You don’t have to be all that old to remember a time when a ringing telephone was kind of an event. People would race each other to the kitchen to answer it. “The phone is ringing! It could be anybody!” And that’s exactly why you should consider letting everything go to voicemail now—it could be anybody.

The next step is to not automatically go through your missed calls and call back every number. If a legitimate caller has something important to tell you, they will leave a message. Sometimes a scam that sounds convincing if you pick up the call can sound completely unbelievable when you hear it as a voicemail. Like the prerecorded robocall that started playing as soon as your voicemail picked up, so the pitch starts mid-word about 20 seconds in. It destroys the credibility. It also gives you time to think about how to respond (which is to NOT respond, at all).

You probably don’t even have to ignore every call. While you can’t trust caller ID, the chances that a scammer is going use the name and number of a friend or family member is low. Besides, you’ll know right away if it really is who you think. You’re not going to mistake a friend for a prerecorded “press 1 to lower your rate” scheme. If you’re expecting a call from a business, it is reasonably safe to answer. Again, you’re not going to think, “Well, my dentist usually only calls to remind me that I’ve got an appointment, but today they’re telling me I owe unpaid taxes. Better go buy some iTunes gift cards.”

The real issue with caller ID is when it says things like “Microsoft” or “Social Security” or “Internal Revenue Service,” or when it shows some random local phone number. Unexpected calls that are not in response to something you yourself initiated? Ignore.

How Much Should You Worry About RFID Card Skimming?

At some point you’ve either heard warnings that high-tech crooks are remotely reading people’s debit and credit cards using handheld RFID readers, or you’ve seen a wallet advertised as having built-in RFID-blocking features. More than likely, you’ve seen both. But is there really anything to worry about?

But before we get into that, what is an RFID chip?

RFID chips are embedded in some credit and debit cards, and are designed to let you pay by holding the card near an RFID-enabled card reader, instead of swiping or inserting the card into the machine. Contactless payment, in other words. U.S. Passport covers issued since 2007 also have this type of chip, and you can set up a “virtual wallet” on most smartphones that can be used for contactless payments, even if the cards you add to it don’t have the chip).

The RFID chip is not the same as the EMV chip that is embedded in nearly every credit or debit card these days.

Your card will tell you if it has RFID technology embedded. The big four credit card companies each have their own name for this feature:

  • ExpressPay (American Express)
  • PayPass (MasterCard)
  • PayWave (Visa)
  • Zip (Discover)

An RFID-enabled card will also either say “RFID” or have an icon that looks like radiating waves (similar to a WiFi signal), or both. Tap-and-go is promoted as a desirable feature of these cards—they want you know you can use it.

But, along with RFID cards came the usual anxiety about new technology: with your credit card just throwing out this radio signal containing all of your personal information all the time, it was going to be a cinch for some wily hacker to sit back in a shopping mall and just collect the data from every single card in every purse and wallet that happened to pass within 50 feet, right? And, right on cue, “security experts” emerged on websites and in online videos showing how it could, in theory, be done, under ideal circumstances. “Electronic pickpocketing” was the anxiety du jour.

Immediately, wallets and passport covers and other items (fanny packs, anyone? RFID-blocking jeans?) appeared on the market that claimed to block these frequencies, and they sold like hotcakes. Interestingly, a lot of those same experts who could demonstrate how this crime could be carried out also happened to be selling wallets, or at least promoting a paid affiliate link to buy one from somebody else.

There are a few things to know about electronic pickpocketing before you seek out (and spend money on) an item that is supposed to prevent this type of fraud.

First, the range of this type of RFID chip is about 10 centimeters (under four inches) and even that’s kind of pushing it. Outside of a vacuum, and with anything less than a NASA-level RFID reader, a thief would have to get extremely close to you to even have a chance of being able to pull this crime off. Like, probably touching you with his or her reader. And even then, circumstances are seldom ideal. What if you have two RFID cards on you? Those signals would be scrambled and worthless. And someone loitering around a crowd of people, holding a device up to every purse and back pocket in the place, is going to attract a lot of attention. “Be seen by literally everyone” is usually the opposite of what most crooks want to happen.

Secondly, any time a crime (however unlikely) has that “high tech” aroma to it, it’s easy to imagine the perpetrator as some kind of super-smart criminal mastermind, and there may have been a time (think: 25 or 30 years ago) when that was the case, but a lot of the “hackers” of today are the same people that would have been snatching purses a few decades ago. They’re not masterminds, and they don’t wait around for “ideal circumstances.” They go for the easiest, surest thing, and RFID skimming is neither. It is far easier, cheaper and faster to install a skimmer on an ATM or gas pump, or to buy a database of cards stolen in a data breach—and the success rate is much higher.

Finally, you’ve probably heard people claim to have been a victim of RFID skimming, but there have been no documented cases of fraud being traced to this activity. Real card fraud happens every day, but these almost always originate either with a skimming device (that captures magnetic stripe data—becoming rarer as the EMV chip becomes the standard), phishing attacks, or from retail data breaches in which millions of consumers are victimized at once. For an individual, it can sometimes be difficult to determine where the fraud happened, and so a lot of people just jump on the last thing they heard about. “RFID skimming? Oh yeah, that happened to me…”

In summary, RFID skimming isn’t something you need to be overly worried about. If a wallet or a passport cover has a feature to block these signals and it doesn’t cost anything extra, go ahead and get it. Or get some RFID-blocking sleeves for passports and individual cards if you want to, but you don’t have to spend much on these. I’ve seen a pack for under $10 that had enough sleeves for multiple cards and passports. But don’t pay a premium price just for the RFID-blocking feature, to prevent a crime that isn’t very likely to happen in the first place.

What a Credit Freeze Does (and Doesn’t Do)

When it comes to preventing identity theft, anything you can do to reduce your risk is generally a wise move, even if no one thing (or combination of things) can make you 100% safe.

One step you can take is to freeze your credit file with each of the three major bureaus (Transunion, Experian and Equifax). This prevents creditors from accessing your credit file without taking additional steps to verify your identity. Since most creditors aren’t going to open a new line of credit without being able to see your file, it prevents one of the more common forms of identity theft, which is to open new fraudulent lines of credit which are then maxed out and never repaid.

However, there are things that a credit freeze won’t do, and it’s important to keep those in mind.

While a credit freeze prevents new credit accounts from being opened in your name (unless the freeze is temporarily lifted before applying), it does not, on the other hand, prevent unauthorized access to existing accounts. So, even if you’ve got a freeze in place, you still have to protect account numbers, passwords, PINs, your Social Security number, etc. That means you still have to watch out for phishing and other schemes designed to convince you to reveal this information to people who shouldn’t have it.

Similarly, if your credit or debit card information is compromised due to a data breach, a credit freeze won’t stop fraudulent charges from being attempted. Your card provider may have security protocols that automatically detect suspicious transactions, but that will happen whether you’ve got a credit freeze in place or not (you’ll also have to get a new card, since your old one is compromised).

A credit freeze also won’t prevent other forms of identity theft, such as using stolen information to obtain employment, medical services, government benefits or tax refunds, or to evade law enforcement.

A credit freeze won’t stop prescreened credit offers (for that, you need to call 888-5OPTOUT or visit https://www.optoutprescreen.com), and it also won’t keep existing creditors from viewing your credit files.

A freeze also won’t stop you from viewing your own credit reports, using your credit cards, or affect your credit score, which are misconceptions some people have about the process.

If you want to place a freeze on your credit files, the easiest way is to visit each of the major credit bureaus online and follow their instructions:

One more thing a credit freeze won’t do: remember its own PIN for you. When you place a freeze at each of the three bureaus, you will end up with a PIN for each one. It is important to keep this number in a secure location where you alone can access it, in case you need to apply for a new line of credit later. If you forget your PIN, you can reset it, but the process is not very convenient in most cases, as it requires providing additional documentation to prove that you are really who you claim to be.