The Florida Bar

Florida Bar Journal

Trends, Prevention, and Loss Recovery for Victims of Real Estate Wire Fraud and Other Cybercrimes


With closing just days away, a first-time home buyer receives an email from the closing agent attaching loan documents and wire instructions for his “cash to close.” His lawyer and his real estate agent, who are copied on the email, each respond confirming that these documents are correct and that the buyer should initiate a wire transfer as soon as possible to avoid any delays. Nervous but excited to become a homeowner, the buyer goes to his bank and obediently initiates the wire transfer. The closing agent sends a follow-up email verifying receipt of the funds and confirming the date and time of the closing. Everything appears to be on track for the big day.

A few days later, like a scene in the movie “Groundhog Day,” the buyer receives another email from the closing agent, again attaching wire instructions and requesting that the buyer initiate his wire transfer. The puzzled buyer kindly reminds the closing agent that they have already completed this exercise, but the closing agent has no idea what the buyer is talking about and no record of receiving any wire. The buyer forwards copies of the previous email exchanges to help resolve the apparent confusion. Only then, upon a closer inspection, does the horrifying truth come to light: The earlier emails came from “spoof” email accounts and attached fraudulent wire instructions. The now panic-stricken buyer realizes he has just been conned into delivering his money into the hands of cybercriminals who, somehow, managed to infiltrate his transaction.

In a state of hysteria, the buyer turns to his bank begging for help, but the bank is unable to retrieve the stolen funds. He calls the recipient bank, too, but his money has already been transferred overseas. Frantic pleas to federal and local law enforcement yield nothing but expressions of sympathy and lukewarm promises to investigate the matter. No one involved in the transaction takes any responsibility and none offer any explanation as to how this catastrophe could have possibly happened. The buyer no longer has the available cash needed to complete his purchase, cannot close, and will forfeit his deposit. He has seen his hard-earned savings evaporate in the blink of an eye. With his existing lease about to expire and his worldly possessions packed in boxes awaiting movers, he does not know where he will live next week, much less when he will be able to replenish his savings and buy his first home. In short, the sky has fallen.

Harrowing accounts like this are all too real and all too common. Nameless, faceless cybercriminals hiding behind computer screens prey upon our complacency and leverage our reliance on emails, the internet, and computer and mobile technology in the handling of our affairs. As the 11th Circuit Court of Appeals noted in 2012: “In this digital age, our personal information is increasingly becoming susceptible to attack. People with nefarious interests are taking advantage of the plethora of opportunities to gain access to our private information and use it in ways that cause real harm.”[1]

Innocent consumers and laypersons are not the only targets of their malicious designs. Sophisticated businesses and licensed professionals, including attorneys, often find themselves in the crosshairs, too. Despite evolving efforts by law enforcement and the private sector to investigate cybercrime, prevent loss, and spread awareness, recent government data reveals that both the frequency and the financial impact of cybercrime are increasing at alarming rates.

The IC3

In May 2000, the Federal Bureau of Investigation (FBI) established the Internet Crime Complaint Center, known commonly as the “IC3.”[2] Operating within the FBI’s Cyber Division, the IC3 maintains an online portal (www.ic3.gov) for the general public to report suspected internet-facilitated criminal activity.[3] The IC3 analyzes and disseminates information from the portal to law enforcement for investigative and intelligence purposes. The IC3 also seeks to increase awareness by issuing periodic public service announcements, posting cybercrime prevention tips, and publishing annual internet crime reports featuring data and trends derived from the online portal.[4]

Statistics contained in the IC3’s internet crime reports illustrate how the prevalence and financial impact of cybercrime have increased dramatically in recent years. In 2017, the IC3 received 301,580 complaints of cybercrime with reported losses exceeding $1.4 billion.[5] In 2018, complaints rose to 351,936 while losses nearly doubled to more than $2.7 billion.[6] In 2019, complaints grew to 467,361 while losses ballooned to over $3.5 billion.[7] From 2015 to 2019, the IC3 received a total of 1,707,618 complaints reporting losses of $10.2 billion.[8]

Floridians are among the most frequent and hard-hit victims of cybercrime in America. According to the IC3, in 2019, Florida was tied with Texas for the second-highest number of reported victims among all U.S. states and territories, and Florida also ranked second in total reported losses, trailing only California in both categories.[9]

Available data also indicates that older age groups are generally more susceptible to cybercrime and suffer disproportionate losses compared to younger age groups.[10] Individuals under the age of 30 represented approximately 20% of reported victims and 20% of total losses in 2019.[11] In contrast, individuals 30 to 59 years of age accounted for more than 55% of victims and over 50% of total losses, while individuals 60 years of age and older accounted for nearly 25% of victims and nearly 29% of total losses.[12] The IC3 concludes that elderly victims are often targeted by cybercriminals because they are believed to have more substantial financial resources.[13]

Prevalent Types of Cybercrime

According to the IC3, the categories of cybercrime that were most frequently reported to the online portal in 2019 were:[14]

Phishing/Vishing/Smishing/Pharming — defined as “[u]nsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.”[15]

Non-Payment/Non-Delivery — defined as when “goods and services are shipped, but payment is never rendered” or when “payment is sent, but goods and services are never received.”[16]

Extortion — defined as the “[u]nlawful extraction of money or property through intimidation or undue exercise of authority. It may include threats of physical harm, criminal prosecution, or public exposure.”[17]

Personal Data Breach — defined as a “leak or spill of personal data that is released from a secure location to an untrusted environment. It may also refer to a security incident in which an individual’s sensitive, protected, or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual.”[18]

In contrast, the following categories of cybercrime resulted in the highest reported losses:[19]

Business Email Compromise (BEC) — defined as “a scam targeting businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments ….These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.”[20]

Confidence/Romance Fraud — defined as when “[a] perpetrator deceives a victim into believing the perpetrator and the victim have a trust relationship, whether family, friendly, or romantic. As a result of that belief, the victim is persuaded to send money, personal and financial information, or items of value to the perpetrator or to launder money on behalf of the perpetrator. Some variations of this scheme are romance/dating scams or the grandparent scam.”[21]

Spoofing — defined as when “[c]ontact information (phone number, email, and website) is deliberately falsified to mislead and appear to be from a legitimate source. For example, spoofed phone numbers making mass robo-calls; spoofed emails sending mass spam; forged websites used to mislead and gather personal information. Spoofing is often used in connection with other crime types.”[22]

Cybercrimes, in their many forms, are highly sophisticated in their planning and execution. Schemes can be multifaceted, for example, involving both BEC and spoofing elements operating in tandem.[23] They sometimes involve a confluence of seemingly separate plots working simultaneously — for instance, one scam to separate a consumer from her money in the U.S. and another scam to have that money subsequently laundered overseas.

Florida attorneys are routinely targeted by cybercriminals, with recent noteworthy examples including:

1) the registration of a phony account on the Florida Courts E-Filing Portal under an attorney’s name and Bar number, used to obtain an order disbursing over $130,000 in surplus foreclosure proceeds from a court registry;[24]

2) spoofed emails purporting to be sent by the executive director[25] or other staff[26] of The Florida Bar, believed to launch malware attacks;

3) the compromise of a paralegal’s email account and ensuing attempts to initiate a wire transfer out of a law firm’s trust account;[27]

4) fraudulent emails branded with the logo of the Tax Section of The Florida Bar to solicit crowdfunding donations, purportedly intended to help a member whose child had a rare disease and needed $18,000 for an operation;[28]

5) an email-based cashier’s check scam in which a “client” sought an attorney’s help collecting a $125,000 discrimination settlement from CVS;[29] and

6) a phishing scam targeting members of The Florida Bar with malware through emails containing the subject line: “Your recent Chase payment notification.”[30]

During a webinar in April 2020, Tonya Ugoretz, deputy assistant director for the FBI’s Cyber Division, cited increased opportunity for cybercriminals and nation-states to leverage the COVID-19 pandemic.[31] Ugoretz noted that the IC3, which typically receives approximately 1,000 complaints per day, was then receiving in the range of 3,000 to 4,000 complaints per day, with a “good number” of those related to COVID-19.[32] The FBI has issued several alerts concerning elevated cyberthreat levels amidst the COVID-19 pandemic and recent stay-at-home orders, including online extortion scams,[33] money mule schemes,[34] fraudulent COVID-19 testing and treatment schemes,[35] and advance fee and BEC schemes involving personal protective equipment (PPE) and medical equipment, such as ventilators.[36]

Real Estate Wire Fraud

Real estate transactions are uniquely fertile grounds for cybercrime due to the frequency of large cash wire transfers and the routine use of unsecured email communications by buyers, sellers, real estate agents, lenders, mortgage brokers, closing agents, and attorneys to rapidly exchange sensitive information and documentation in connection with pending transactions.

The real estate sector has not been immune from the sharp upward trend in cybercrime. In 2017, the IC3 received a total of 9,645 “real estate/rental” complaints[37] with reported losses exceeding $56.2 million.[38] In 2018, those complaints increased to 11,300 while reported losses surged to nearly $150 million.[39] In 2019, complaints increased slightly to 11,677, but reported losses swelled to more than $221 million.[40] From 2015 to 2019, the IC3 received a total of 56,758 real estate/rental complaints reporting losses of more than $516 million.[41]

Wire fraud is a recurring cybercrime disrupting the real estate sector. The scheme often involves the compromise of a real estate professional’s email account, the interception and manipulation of electronic communications using spoof email accounts, and the delivery of fraudulent wire instructions to an unsuspecting purchaser at the opportune moment. The following is offered as just one of countless examples to describe how cybercriminals might conceptually execute a wire fraud in connection with a pending real estate transaction:

Step 1: Cybercriminals send a phishing email to a real estate professional (Professional 1), which contains a hyperlink to a website requiring the entry of Professional 1’s email address and the associated password.

Step 2: Believing the phishing email to be authentic, Professional 1 clicks on the hyperlink and types in her email address and the associated password.

Step 3: Armed with the password that has just been provided, the cybercriminals gain direct access to Professional 1’s email account and freely examine troves of confidential information pertaining to pending real estate transactions, including the identities of buyers, sellers, and other real estate professionals, the contract terms, the loan documents, and the scheduling of closings. They carefully select their victim (Buyer X), who they have learned is expected to pay a large sum of cash in connection with an upcoming closing. They silently monitor all of the incoming and outgoing emails concerning Buyer X’s transaction and intercept key documents along the way, such as closing disclosures, in order to build an informational advantage.

Step 4: The cybercriminals create a series of spoof email accounts that closely resemble the actual email addresses of Professional 1, Buyer X, and other real estate professionals involved in the transaction, including Buyer X’s attorney. In some instances, they simply swap a single letter in an email address (e.g., jonh[email protected] instead of john[email protected]). Other times, they use popular email hosts that are available to the public to imitate private email domains (e.g., [email protected] instead of [email protected]).

Step 5: The cybercriminals use their spoof email accounts to impersonate Professional 1, Buyer X, and the other real estate professionals involved in the transaction. Everyone is now unwittingly communicating with the cybercriminals under the mistaken belief that they are communicating with each other in the ordinary course, including intended attorney-client privileged communications to and from Buyer X’s attorney. Emails from the spoof accounts reflect the actual names or nicknames of the persons being impersonated in the “To” and “From” and “CC” lines of the email headers (e.g., “John Doe” instead of jonh[email protected]). Thus, only a keen eye closely examining the underlying email addresses or detecting “red flags” from the context, substance, or formatting of emails, will realize that anything is amiss.

Step 6: The cybercriminals install a “rule” in Professional 1’s email account that automatically re-routes all emails from Buyer X away from the inbox and into a hidden subfolder. When Buyer X sends an email to Professional 1, Professional 1 never even sees it. Only the cybercriminals see it arrive in the hidden subfolder. They copy and re-send that same message to Professional 1 from a spoof email address impersonating Buyer X, so that it now arrives in Professional 1’s inbox. When Professional 1 responds, she is, thus, unwittingly responding to the cybercriminals instead of Buyer X. The cybercriminals then copy and re-send her response to Buyer X from a spoof email address impersonating Professional 1. Through this carefully orchestrated subterfuge, the cybercriminals re-route and control circuits of communication between Buyer X and Professional 1 without either of them realizing it — often making impromptu changes to the intended messages in order to facilitate the execution of their scheme.

Step 7: At the opportune moment before closing, the cybercriminals use a spoof email account to impersonate the closing agent and send fraudulent wire instructions to Buyer X, along with intercepted closing documents to enhance the appearance of legitimacy, instructing Buyer X to initiate a wire transfer as soon as possible. They separately confirm the authenticity of these materials using spoof email addresses to impersonate the other real estate professionals, including Buyer X’s attorney, in order to engender Buyer X’s confidence.

Step 8: Buyer X complies with the fraudulent instructions and wires her “cash-to-close” to a domestic bank account that is, in fact, not owned or controlled by the closing agent.

Step 9: In fact, that bank account is owned by a completely unrelated company (Company A) on the other side of the country. Company A had previously received a series of emails from the same cybercriminals, who were then purporting to write on behalf of a foreign business seeking a local “collection agent” to receive money from U.S. “customers” and transfer the funds overseas in exchange for a commission. Looking to make a quick and easy profit, Company A unwittingly signed up to be a “money mule” for the cybercriminals.

Step 10: Company A retains a small amount of Buyer X’s money as an agreed commission and wires the remainder to an overseas account pursuant to wire instructions received from the “foreign business.” By the time that Buyer X, Professional 1, and the other real estate professionals realize there has been a cyberattack, it is simply too late to undo the damage. Buyer X’s money has already been laundered through criminally controlled accounts at financial institutions around the world and has been effectively placed beyond the reach of law enforcement.

Recovery of Stolen Funds

The avenues available for pursuing the direct recovery of fraudulent wire transfers are extremely limited, and when they do exist, time is very much of the essence. Upon realizing that a cybercrime involving a fraudulent wire has taken place, a victim should immediately 1) contact the victim’s bank and ask the bank to immediately issue a recall notice; 2) contact the recipient bank and ask for an immediate freeze on the recipient account; 3) report the cybercrime to the IC3 at www.ic3.gov; and 4) contact the nearest regional FBI field office.[42]

One important tool that can be effective to secure a direct recovery is known as a financial fraud kill chain (FFKC), a process that the FBI can use to assist in recovering large international wire transfers stolen from U.S. bank accounts.[43] The IC3’s Recovery Asset Team (RAT) can execute a FFKC to recover 1) an international wire transfer 2) that occurred within the last 72 hours, and 3) that is $50,000 or higher, 4) where a SWIFT recall notice has been initiated.[44] FFKCs cannot be used to recover wire transfers that do not meet all of these criteria.[45]

For victims who are unable to directly recover stolen funds with assistance from banks or law enforcement, the only other recourse may be the pursuit of civil claims for damages against other transactional participants for any culpable acts or omissions — for instance, opening the door to the cybercriminals by failing to secure an email account, or engaging and sharing confidential information with the cybercriminals, or failing to detect obvious red flags that should have been indicative of fraud to a professional, or failing to warn the consumer about the risks of cyberattack at the outset.[46] Civil liability could conceptually extend to attorneys,[47] closing agents,[48] real estate agents,[49] and a variety of other professionals.

Each case of cybercrime is factually and legally unique and requires substantial investigation, including forensic analysis of native email files from all parties concerned, to determine how the cybercriminals gained entry into the transaction, how they perpetrated their crime, and who may have enabled, or failed to prevent, their artifice. As such, it is imperative that all parties involved in an affected transaction preserve all relevant evidence, including native emails and computer files with metadata that can be used to recreate the crime.

Recommended Protective Measures

Alongside the IC3’s efforts to raise public awareness of cybercrime and preventative measures,[50] real estate industry groups have also begun mobilizing to publish their own advisories, recommendations, and personal accounts of victims, including the Coalition to Stop Real Estate Wire Fraud,[51] the National Association of Realtors,[52] and the Practice Resource Center of The Florida Bar, known as “LegalFuel.”[53] Commonly recommended safeguards include:

1) Using unique, complex, randomly generated passwords for email accounts that are not also used for other accounts, and that are not stored in unsecure locations, such as on physical paper or in a text file saved to a local workstation or network. There are many free or inexpensive commercial applications that can be used to securely generate, store, and retrieve such passwords.

2) Using multi-factor authentication for accessing email accounts. Multi-factor authentication ensures that even when a password is compromised, access can only be granted after entering additional unique information, such as a constantly changing numerical code from a mobile phone application or text message. There are many free or inexpensive multi-factor authentication applications.

3) Generally, maintaining a high level of suspicion and scrutiny with respect to emails, hyperlinks, and wire instructions, including a) the authenticity of email addresses and web addresses; b) strange variations in email formatting (such as improperly formatted email signatures and previous messages that have suddenly disappeared from ongoing email threads); c) discrepancies or oddities that are apparent from the language or substance of an email message; d) emails and websites that request the entry of a password; e) emails that emphasize the urgency of a wire transfer or the authenticity of wire instructions; and f) last-minute changes to previously received wire instructions.

4) Responding to emails by hitting “forward” instead of “reply,” and then manually typing in an independently verified email address for each intended recipient, in order to avoid inadvertently responding to a message from a spoof email address.

5) Educating clients on the process for using an independently verified telephone number to securely authenticate wire instructions and confirm the receipt of wire transfers, instead of relying solely on unsecured email communications.

6) Warning clients, as early and as often as possible, about the lurking dangers of real estate wire fraud and recommended preventative measures, including clear and thorough disclosures in retainer agreements, standalone notices, correspondence, and email signature blocks.

7) Creating, maintaining, and updating a formal plan of action setting forth the steps to quickly remediate instances of wire fraud.

8) Exploring the availability of specialized cyber insurance products, including options for coverage on existing malpractice or errors and omissions policies.
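The address scrutiny recommended in safeguard 3(a), applied to the lookalike techniques described in Steps 4 and 5 above, can be partly automated on the receiving side. The following Python code is an added example, not part of the original article; the roster, the `.example` addresses, the public-host list, and the distance threshold of 2 are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed roster: addresses confirmed out of band (e.g. by telephone) at the
# start of the transaction, mapped to the display name each person uses.
VERIFIED = {
    "john.doe@doe-title.example": "John Doe",   # closing agent (constructed)
    "mary.roe@roe-law.example": "Mary Roe",     # buyer's attorney (constructed)
}
# Illustrative, incomplete list of public webmail hosts (assumption).
PUBLIC_HOSTS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}
MAX_DISTANCE = 2  # assumed threshold for "closely resembles"


def edit_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and swapping two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def _norm(name):
    """Case-fold a display name and collapse whitespace for comparison."""
    return " ".join(name.lower().split())


def check_sender(from_header):
    """Compare one From header with the verified roster.

    Returns [] for an exact roster match, otherwise a list of
    (finding, impersonated_address) tuples.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return [("unparseable-address", None)]
    if addr in VERIFIED:
        return []
    local, _, domain = addr.rpartition("@")
    findings = []
    for v_addr, v_name in VERIFIED.items():
        v_local, _, v_domain = v_addr.rpartition("@")
        # Step 5: a familiar display name sitting on an unfamiliar address.
        if name and _norm(name) == _norm(v_name):
            findings.append(("display-name-reuse", v_addr))
        if domain == v_domain:
            # Step 4: a swapped or altered letter before the "@".
            if edit_distance(local, v_local) <= MAX_DISTANCE:
                findings.append(("lookalike-local-part", v_addr))
        elif edit_distance(domain, v_domain) <= MAX_DISTANCE:
            findings.append(("lookalike-domain", v_addr))
        elif (domain in PUBLIC_HOSTS and v_domain not in PUBLIC_HOSTS
              and edit_distance(local, v_local) <= MAX_DISTANCE):
            # Step 4: a public email host imitating a private domain.
            findings.append(("public-host-imitation", v_addr))
    return findings or [("not-on-roster", None)]


# Constructed From headers, for demonstration only.
SAMPLES = [
    "John Doe <john.doe@doe-title.example>",
    "John Doe <jonh.doe@doe-title.example>",
    "John Doe <john.doe@gmail.com>",
    "Mary Roe <mary.roe@roe-1aw.example>",
    "Pat Poe <pat.poe@elsewhere.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "verified")
```

A check like this only inspects the visible From header, so it complements rather than replaces confirming wire instructions through an independently verified telephone number.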

Given the practical difficulties in effectively combatting fraudsters whose identities are shrouded by the very tools they wield, there is sound reason to believe that cybercrime will continue to worsen in the foreseeable future, both in terms of the number of victims and the total losses stolen from them. The rising tide of sophisticated, adaptive, and determined cybercriminals merits the utmost caution by all Florida attorneys — and everyone else, too.

[1] Resnick v. AvMed, Inc., 693 F.3d 1317, 1329 (11th Cir. 2012).

[2] Federal Bureau of Investigation National Press Office, The FBI’s Internet Crime Complaint Center (IC3) Marks Its 20th Year (May 8, 2020), available at https://www.fbi.gov/news/pressrel/press-releases/the-fbis-internet-crime-complaint-center-ic3-marks-its-20th-year. The IC3 was originally named the Internet Fraud Complaint Center, but was renamed the Internet Crime Complaint Center in October 2003 “to better reflect the broad character of. . . matters having an [i]nternet, or cyber, nexus” and “to minimize the need for one to distinguish ‘Internet Fraud’ from other potentially overlapping cyber crimes,” such as “Intellectual Property Rights (IPR) matters, Computer Intrusions (hacking), Economic Espionage (Theft of Trade Secrets), Online Extortion, International Money Laundering, Identity Theft, and a growing list of Internet-facilitated crimes.” FBI, Internet Crime Complaint Center, Mission Statement and About Us, https://www.ic3.gov/about/default.aspx.

[3] FBI News, IC3 a Virtual Complaint Desk for Online Fraud (Nov. 21, 2017), https://www.fbi.gov/news/stories/ic3-virtual-complaint-desk-for-online-fraud.

[4] FBI, Internet Crime Complaint Center, Mission Statement and About Us.

[5] FBI, Internet Crime Complaint Center, 2017 Internet Crime Report 3, available at https://pdf.ic3.gov/2017_IC3Report.pdf (2017 IC3 Report).

[6] FBI, Internet Crime Complaint Center, 2018 Internet Crime Report 3, available at https://pdf.ic3.gov/2018_IC3Report.pdf (2018 IC3 Report).

[7] FBI, Internet Crime Complaint Center, 2019 Internet Crime Report 3, available at https://pdf.ic3.gov/2019_IC3Report.pdf (2019 IC3 Report).

[8] Id. at 5.

[9] Id. at 21-22.

[10] Id. at 16. Age is not a required reporting field on the IC3 online portal, and as such, not all complaints submitted to the online portal include an associated age range. Complaints that omitted an age range were excluded from the IC3’s age-based data.

[11] Id.

[12] Id.

[13] Id. at 12. The IC3 notes that scams commonly employed against the elderly include, “advance fee schemes, investment fraud schemes, romance scams, tech support scams, grandparent scams, government impersonation scams, sweepstakes/charity/lottery scams, home repair scams, tv/radio scams, and family/caregiver scams.”

[14] Id. at 3 and 19.

[15] Id. at 27.

[16] Id. at 26.

[17] Id. at 25.

[18] Id. at 27.

[19] Id. at 3 and 20.

[20] Id. at 25. The IC3 highlighted BEC as one of the “hot topics for 2019,” noting that the scheme is “constantly evolving as scammers become more sophisticated” and has evolved over the years “to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.” Id. at 9.

[21] Id. at 25.

[22] Id. at 27.

[23] According to the 2019 IC3 Report, “[e]ach complaint is reviewed by an IC3 analyst. The analyst categorizes the complaint according to the crime type(s) that are appropriate….One complaint may have multiple crime types.” Id. at 28 (Appendix B).

[24] Mark D. Killian, Scam Artist Creates Fake E-Filing Account in Real Lawyer’s Name, The Florida Bar News, March 1, 2018, available at https://www.floridabar.org/the-florida-bar-news/scam-artist-creates-fake-e-filing-account-in-real-lawyers-name/.

[25] Scam Alert: Fake Emails Claim To Be From The Bar’s Executive Director, The Florida Bar News, Nov. 5, 2019, available at https://www.floridabar.org/the-florida-bar-news/scam-alert-fake-emails-claim-to-be-from-the-bars-executive-director/.

[26] The Florida Bar Blog, Fraudulent Email Alert (May 7, 2018), https://www.floridabar.org/news/blog/fraudulent-email-alert-may2018/.

[27] Jim Ash, Email Hack Scam Alert!, The Florida Bar News, Feb. 15, 2018, available at https://www.floridabar.org/the-florida-bar-news/email-hack-scam-alert/.

[28] Scam Alert: Fraudulent Email Uses Tax Section’s Logo in an Attempt to Steal Money, The Florida Bar News, Oct. 21, 2019, available at https://www.floridabar.org/the-florida-bar-news/410860/.

[29] Jim Ash, Beware, the Cashier’s Check Scam Is Still Out There, The Florida Bar News, Nov. 13, 2019, available at https://www.floridabar.org/the-florida-bar-news/beware-the-cashiers-check-scam-is-still-out-there/.

[30] The Florida Bar Practice Resource Center, Beware Phishing Email With Subject: Your Recent Chase Payment Notification, Sept. 12, 2017, https://www.legalfuel.com/beware-phishing-email-with-subject-your-recent-chase-payment-notification/.

[31] Tonya Ugoretz, Fight Back: How to Stop Cyber Criminals During the Pandemic, The Aspen Institute at 8:56 to 10:26 (Apr. 16, 2020), https://www.aspeninstitute.org/events/fight-back-how-to-stop-cyber-criminals-during-the-pandemic/ (“I think we’re seeing really the collision between highly-motivated cyberthreat actors and an increase in opportunities that they can take advantage of….When we’re talking about threat actors, we’re talking about cybercriminals, those who are looking to conduct cyber intrusions, theft of information, a variety of cybercrimes, usually for personal profit. But then we also have nation-states, which have a variety of other motivations, including theft of information and a desire to gain insight into how other countries, how medical institutions are responding to the COVID threat, so that they can have that information to inform their own response. And when I talk about the growth in opportunities that both those sets of threat actors can take advantage of, it really ties to…what we’ve all experienced in the past month or so, the rapid and really unplanned shift to moving our entire lives online which, you can imagine, just creates a host of opportunities for professional cybercriminals and highly sophisticated countries that want to take advantage of that.”).

[32] Id. at 13:53 to 14:37 (“The FBI has an internet crime complaint center, the IC3, which is our main ingest point when members of the public or companies want to report having been the victim of internet-related crime or fraud, and sadly, the IC3 has been incredibly busy over the past few months. Whereas they might typically receive 1,000 complaints a day through their internet portal, they’re now receiving something like 3,000 to 4,000 complaints a day. Not all of those are COVID-related, but a good number of those are.”).

[33] FBI, Online Extortion Scams Increasing During the COVID-19 Crisis, I-042020-PSA (Apr. 20, 2020), available at https://www.ic3.gov/media/2020/200420.aspx (“The Internet Crime Complaint Center (IC3) has seen an increase in reports of online extortion scams during the current ‘stay-at-home’ orders due to the COVID-19 crisis. Because large swaths of the population are staying at home and likely using the computer more than usual, scammers may use this opportunity to find new victims and pressure them into sending money. The scammers are sending e-mails threatening to release sexually explicit photos or personally compromising videos to the individual’s contacts if they do not pay.”).

[34] FBI National Press Office, FBI Warns of Money Mule Schemes Exploiting the COVID-19 Pandemic (Apr. 6, 2020), available at https://www.fbi.gov/news/pressrel/press-releases/fbi-warns-of-money-mule-schemes-exploiting-the-covid-19-pandemic (warning to watch for money mule schemes involving “online job postings and emails from individuals promising you easy money for little to no effort” and “emails, private messages, and phone calls from individuals you do not know who claim to be located abroad and in need of your financial support.”).

[35] FBI National Press Office, FBI Warns of Emerging Health Care Fraud Schemes Related to COVID-19 Pandemic (Apr. 13, 2020), available at https://www.fbi.gov/news/pressrel/press-releases/fbi-warns-of-emerging-health-care-fraud-schemes-related-to-covid-19-pandemic (“Bad actors are selling fake COVID-19 test kits and unapproved treatments through telemarketing calls, social media platforms, and door-to-door visits. Many scammers are promising free care to patients in order to gain access to their personal and health insurance information, including their dates of birth, Social Security numbers, and financial data.”).

[36] FBI National Press Office, FBI Warns of Advance Fee and BEC Schemes Related to Procurement of PPE and Other Supplies During COVID-19 Pandemic (Apr. 13, 2020), available at https://www.fbi.gov/news/pressrel/press-releases/fbi-warns-of-advance-fee-and-bec-schemes-related-to-procurement-of-ppe-and-other-supplies-during-covid-19-pandemic (“The Federal Bureau of Investigation is providing this industry alert to warn government and health care industry buyers of rapidly emerging fraud trends related to procurement of personal protective equipment (PPE), medical equipment such as ventilators, and other supplies or equipment in short supply during the current COVID-19 pandemic. The FBI recently became aware of multiple incidents in which state government agencies, attempting to procure such equipment, wire transferred funds to fraudulent brokers and sellers in advance of receiving the items. The brokers and sellers included both domestic and foreign entities. In one case, an individual claimed to represent an entity with which the purchasing agency had an existing business relationship. By the time the purchasing agencies became suspicious of the transactions, much of the funds had been transferred outside the reach of U.S. law enforcement and were unrecoverable. The current environment, in which demand for PPE and certain medical equipment far outstrips supply, is ripe for fraudulent actors perpetrating advance fee and business email compromise (BEC) schemes, such as those described above.”).

[37] The IC3 defines “real estate/rental” as “[f]raud involving real estate, rental or timeshare property.” 2019 IC3 Report at 27.

[38] 2017 IC3 Report at 20-21.

[39] 2018 IC3 Report at 19-20.

[40] 2019 IC3 Report at 19-20.

[41] Id.; see also FBI, Internet Crime Complaint Center, 2015 Internet Crime Report 15-16, available at https://pdf.ic3.gov/2015_IC3Report.pdf; see also FBI, Internet Crime Complaint Center, 2016 Internet Crime Report 17-18, available at https://pdf.ic3.gov/2016_IC3Report.pdf.

[42] Coalition to Stop Real Estate Wire Fraud, Think You’ve Been Robbed?, https://stopwirefraud.org; see also Tom Cronkright, How to Recover From Wire Fraud, CertifID (Mar. 25, 2019), https://certifid.com/how-to-recover-from-wire-fraud/.

[43] FBI, Financial Fraud Kill Chain (Jan. 11, 2016), available at https://grefpac.org/images/downloads/News_Articles/04.2016_ffkc_bank_outreach.pdf.

[44] Id. The RAT and the Money Mule Team (MMT) share resources and work collaboratively under the umbrella of the IC3 Recovery and Investigative Development Team (RaID). RaID was created in 2019 to assist financial and law enforcement investigators in the dismantling of money mule organizations. RAT focuses on financial recovery, while MMT performs analysis and research on previously unknown targets to develop new investigations. See 2019 IC3 Report at 3-4.

[45] FBI, Financial Fraud Kill Chain (“Any wire transfers that occur outside of these thresholds should still be reported to law enforcement but the FFKC cannot be utilized to return the fraudulent funds.”).

[46] Several federal court decisions within the 11th Circuit have recognized a duty to take reasonable measures to protect sensitive consumer data from data breach and have held that identity theft victims may properly state causes of action sounding in tort, contract, and/or quasi-contract for breach of that duty. See Resnick v. AvMed, Inc., 693 F.3d 1317, 1330 (11th Cir. 2012) (plaintiffs stated claims for negligence, breach of fiduciary duty, breach of contract, and breach of implied contract, where they “pled a cognizable injury and have pled sufficient facts to allow for a plausible inference that AvMed’s failures in securing their data resulted in their identities being stolen”); In re Brinker Data Incident Litigation, 2020 WL 691848, at *7 (M.D. Fla. Jan. 27, 2020) (plaintiffs stated claims for breach of implied contract and negligence where plaintiffs sufficiently alleged a duty to use reasonable care to protect customer data from theft); Torres v. Wendy’s International, LLC, 2017 WL 8780453, at *4 (M.D. Fla. March 21, 2017) (plaintiffs stated claims for breach of implied contract and negligence where plaintiffs alleged that inadequate systems security created a “foreseeable zone of risk”); see also Brush v. Miami Beach Healthcare Group Ltd., 238 F. Supp. 3d 1359, 1365 (S.D. Fla. 2017) (plaintiff stated claim for negligence, where the court found that it was “well-established that entities that collect sensitive, private data from consumers and store that data on their networks have a duty to protect that information…”). Fla. Stat. §501.171 requires every “covered entity, governmental entity, or third-party agent” that “acquires, maintains, stores, or uses” certain defined items of “personal information” to employ “reasonable measures to protect and secure” such data. The statute also requires reporting of a “breach of security” to affected individuals, the Florida Department of Legal Affairs, and consumer reporting agencies. 
However, §501.171(1) expressly provides that the statute does not create a private cause of action for a violation. See Owens-Benniefield v. Nationstar Mortgage LLC, 258 F. Supp. 3d 1300, 1322 (M.D. Fla. June 15, 2017) (dismissing claim asserted under §501.171 with prejudice because there is no private cause of action to enforce statute).

[47] Every Florida lawyer owes a professional duty to “provide competent representation to a client,” which includes “safeguarding confidential information relating to the representation, including, but not limited to, electronic transmissions and communications.” Fla. R. P. C. 4-1.1 (including commentary); see also Rule 4-1.6(e) (“A lawyer must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”). In addition to the ordinary duties of an attorney representing a client in a real estate transaction, such as handling a closing, “an attorney may not disregard matters that arise and reasonably signal potential legal problems….” Atkin v. Tittle & Tittle, 730 So. 2d 376, 378 (Fla. 3d DCA 1999) (citing Maillard v. Dowdell, 528 So. 2d 512, 515 (Fla. 3d DCA 1988), rev. den., 539 So. 2d 475 (Fla. 1988)); see also JBJ Inv. of S. Florida, Inc. v. S. Title Group, Inc., 251 So. 3d 173, 179 (Fla. 4th DCA 2018) (citing Atkin for the same proposition, “even if those matters do not fall precisely within the general rule governing the scope of an attorney’s duties when representing a client in a real estate transaction”).

[48] In Florida, a closing agent owes a duty to supervise a closing in a “reasonably prudent manner.” The Florida Bar v. Hines, 39 So. 3d 1196, 1200 (Fla. 2010); Denton v. Good Way Oil 902 Corp., 48 So. 3d 103, 105 (Fla. 4th DCA 2010); Askew v. Allstate Title & Abstract Co., Inc., 603 So. 2d 29, 31 (Fla. 2d DCA 1992).

[49] In Florida, the duties of a real estate “transaction broker” include, inter alia, “[u]sing skill, care, and diligence in the transaction” and “[a]ny additional duties that are mutually agreed to with a party.” §475.278(2)(c) and (g). The duties of a real estate “single agent” likewise include, inter alia, “[u]sing skill, care, and diligence in the transaction.” Fla. Stat. §475.278(3)(a)(7).

[50] FBI Internet Crime Complaint Center, Internet Crime Prevention Tips, https://www.ic3.gov/preventiontips.aspx.

[51] Coalition to Stop Real Estate Wire Fraud, Protect Your Money, https://stopwirefraud.org/protect-your-money/. The Coalition, formed in June 2019, includes several major real estate industry trade groups, including the American Land Title Association, the American Escrow Association, Community Mortgage Lenders of America, and the Real Estate Services Providers Council.

[52] National Association of Realtors, Wire Fraud, https://www.nar.realtor/wire-fraud#section-180554.

[53] The Florida Bar Practice Resource Center, Cybersecurity, https://www.legalfuel.com/category/technology/cybersecurity/.

 

Joshua B. Feinberg is a partner with the law firm of Malvin Feinberg, P.L., in Ft. Lauderdale. He practices commercial and real estate litigation. Feinberg is a 2008 graduate, magna cum laude, of the University of Miami School of Law.