Editor in Chief Sarah Wheeler sat down with Tom Cronkright, co-founder and executive chairman of CertifID and CEO of Sun Title, to talk about battling the latest frauds and scams as bad actors leverage a new arsenal of tech tools to wreak havoc on buyers and sellers of real estate.
Sarah Wheeler: Can you give us a quick overview of where we are on fraud?
Thomas Cronkright: Fraud continues to be one of the biggest challenge in real estate, along with the macroeconomic challenges — interest rates and low inventory — and the current litigation around commissions. An additional step-up this year in wire fraud in social engineering and business email compromise, and it’s coming in several new ways.
So, fraudsters are still focusing on buyer cash-to-close payments. They’ve been focused on mortgage payoffs, although they’re getting more sophisticated on mortgage payoff payment diversion. And the seller net proceeds continue to be a target.
One of the advancements this year has been the adoption of new technology platforms like chatGPT, using AI to mimic somebody’s voice to spoof phone numbers. So the bad actors are becoming more tech-enabled and that’s making their social engineering strategies that much more believable.
SW: How are they using generative AI?
TC: We’ve had instances where generative AI has been used to spoof somebody’s voice to write emails that otherwise may have been easier to detect. With unit volume down but home prices increasing, we’ve seen that the bad actors are patient, they’re more disciplined and that leads to just more believability in the scam.
So, let’s pull this string one layer deeper. It’s causing us in the industry — title settlement, real estate, mortgage lending, the attorneys — to rethink, can you even trust a voicemail? So you have a client that appears to have left a voicemail: ‘Hey, I’m traveling. I know I said I was going to be able to attend the closing and pick up a cashier’s check. But now I need to send you some payment information for a wire and I need you to just note this for the file.’ So it’s causing the industry to take a step back because even some of thosealmost immutable layers of security, cornerstones in the process, can get compromised or at least questioned now.
There are programs where I could take 10 seconds of your voice, put it into a program and I could regenerate that to say anything that I want you to say and it would take less than three minutes to do it. And that’s all publicly available technology now.
Sarah Wheeler: What else are you seeing?
TC: Seller impersonation fraud. What we’ve learned about scammers is that they never retire a successful scam. So nothing went away, but now a new vector of risk showed up in a big way this year and that was seller impersonation fraud. This typically focuses on vacant or unimproved property where the scammers don’t even have to compromise an email account — they don’t even have to fish. They don’t have to do the account take over and the rule changes and all that stuff. They just simply go into the register of deeds and they look for properties that are listed as either vacant or unimproved. And then they will impersonate the property owner.
They’ll create a fake, government-issued document like a driver’s license or a passport that has all the credentials of the real property owner except for the bad actor’s picture on. And they solicit a listing to a brokerage: the real estate agent takes the listing and asks for an ID, which checks out. And it goes all the way through closing. The “seller” will request a remote closing, so a notary out of state, and the bad actor will show up with the fake ID and sign the paperwork in front of the notary.
Those documents go back to the title company and it funds to an account in the hands of the bad actor. And then months and even years later, the real property owner learns of it. There’s a high-profile case right now on the east coast going on where somebody bought a lot, started to build an almost $1.5 million house. The property owner shows up a year later and files a lawsuit, saying tear the house — I never sold this.
SW: How widespread is this?
TW: Well, I’m in West Michigan, and just in our market, CertifID and also our title agency have seen 35 confirmed cases of seller impersonation since March. And I was made aware of another two today. So aside from generative AI making us question even voicemails or who I’m talking to, if someone else is initiating the conversation, now we have to really think about physical documentation. Am I trying to validate that this is a valid identification document, or do I really need to make sure that the identity of the individual is who they say they are, so I can confirm I’m actually dealing with the right person no matter what they’re putting in front of me.
SW: What you’re talking about is the stuff of nightmares, and it was actually your own nightmare that spurred you to found CertifID. And one of the most distressing parts is there’s not a lot you can do afterwards.
TW: Yes, the pendulum unfortunately is swinging towards the prevention side because it’s getting harder to do the cure side after an incident. With so much technology, this is almost a borderless crime now which runs around the clock. It starts with education, and the question for all of us is: Does the consumer understand that their life savings. their liquidity could be at risk? And further, the parties involved might not know it because somebody’s going to be spoofed.
And then it goes from education to engagement, and how we keep engagement active during this long transaction cycle — making sure that on day 42, 43, that same level of awareness is still top of mind. We also have to educate buyers and sellers around the movement of money. And candidly, we as an industry don’t talk about the movement of money near enough.
SW: Let’s talk about the identity validation piece.
TC: With CertifID, we take a layered approach to how we’re proofing and how we’re creating that degree of confidence in someone’s identity. In my title company, we are using CertifID to validate the identity of all sellers right at the time that we open up a title order. Before we search the public record, we say, ‘Hey why don’t we just take a second and let’s make sure that they are who they say they are.’ And we’re catching these bad actors on a daily basis. Two years ago, I would have told you it’s maybe once every month or every other month and now it just seems to be a daily occurrence.
SW: You’re the executive at a company that many other companies rely on to keep them safe. What keeps you up at night when you think about what’s happening and what could happen?
TC: All of it does! It’s wire transfer fraud but more importantly I would say it’s the social engineering because we look at wire transfer now as the monetization of social engineering. So our mission now and will continue to be all about validating identity. And there isn’t a team or leadership structure that obsesses more about this particular issue than my team.
We’re really hyper-focused on how the new advancements in technology have enabled actors to step their game up, then we have to make sure that our technology — the way we’re speaking to the threat and even where we sit in the workflow — has to continue to adapt and adjust to those new threats.
The other thing that keeps me up at night is that there’s still a large optimism bias that drives behavior around a lot of things in our industry. People think, that’s not my risk. I’ve heard about it, but that’s not going to happen to me — I’m sitting in some rural area in Northern Michigan and no one is going to pick on a $40,000 lot. Let me tell you: they absolutely will.
The scams are always evolving. And we’ve had significant data breaches so bad actors have more information relative to bank accounts and Social Security numbers. The industry now has additional vulnerabilities.
SW: How do you make sure your team is evolving faster than the new fraud threats?
TC: I think you do it through culture and you do it through transparency. And I mean you just have to obsess about it. We had a very successful Series B raise and the idea there was that it’s going to be a product and security lead raise. We are going to come up with just a simple identity verification tool outside of the need for us to secure wiring information. This is one of the things we were piloting around the country it worked beautifully. So that’s an example an ID validation only tool that would allow somebody at the initiation of a relationship to confirm identity — not when money is about to transfer funds.
A win in this landscape is somebody raising their hands saying I think something’s off and I better check in with somebody before I send this wire transfer.
We strategically made the decision from a talent perspective that we want of the best unapologetically and we have gone after that. And you get that group together on a mission like we’re on right now and you breathe culture into that and you breathe the proof. We were called to do this and I’m just grateful that. we have a team around us that can take this vision and take this passion and play it out every day.
There’s never a sliver of daylight — not with what’s going on in the market. I’ve resolved myself that this is going to be a continual challenge for years to come.
One reason is the number of purchase transactions now that are all cash. There are fewer transactions in the cycle and there are higher amounts, so the real estate transaction represents a huge pot for scammers. The other thing is the movement of money. In the past, once we were notified, even if it was on day 3 or 4 after the transaction went through, we’ve got a pretty good chance that there could be money left in the account where the funds were diverted. Now that has shrunk to one day or two. The money is moving so quickly between crypto wallets and tumblers and then other wallets and then ultimately into fiat currency or into banks overseas.
SW: As you see the fraud battle increasing, what makes you optimistic?
TC: I have a ton of optimism because we have shown in our platform and with our customers that when you get true adoption — when your employees and your customers are trained — you can eliminate this at scale. My pocket got picked for $180,000 in 2015 and it has not happened on our watch ever since and we are one of the largest title agencies in the state of Michigan. So it can be done and we have seen examples of companies large and small that when they put in the work and they do what’s needed to be done. It’s just a matter of how do we reach and train those people who don’t identify with the risk or those that think ‘I don’t handle money, I’m just a real estate agent, this is somebody else’s problem.’ Until they get slapped with a lawsuit because their customer lost their life savings or they just listed and sold a piece of property not knowing that they got completely duped by somebody impersonating the actual owner.
I’m incredibly optimistic because there’s a road map here.I t’s not just CertifID as a silver bullet. It’s a significant layer in this, but it’s education, engagement, technology and just taking and creating a community. That’s just more secure because you’re more engaged.