June 9: Robo-calls, travel scams, phishing, spearphishing, bitcoins, blockchain – it’s a tech jungle out there!

“I can’t tell if people who wear pajamas in public have given up on life, or are living life to the fullest.” Regardless, plenty of people in pajamas are on their computers, using technology, planning trips, etc., so let’s see what is going on with IT out there.

Bitcoins & blockchain

Part of an experiment in using the blockchain technology, Bitcoin is transforming the New York housing market. In real estate deals blockchain can reduce paperwork and the need for lawyers and other third parties by allowing people to buy and sell portions of buildings more efficiently than by crowdfunding or creating LLCs.

The risk of data breaches continues to grow as more information is stored online and as software becomes more complex. Lawyer Andrew Rossow details what organizations can do to prepare, including using artificial intelligence, creating or updating incident-response plans and utilizing blockchain.

Commerzbank has used blockchain to replicate a foreign exchange forward trade with thyssenkrupp, a German industrial group. Reconciliation is costly and time consuming for banks trading FX, and this experiment shows how blockchain can “digitalize the processes in this space”, says Nikolaus Giesbert of Commerzbank.

Distributed-ledger technology can strengthen financial infrastructure by protecting against attacks, De Nederlandsche Bank says, but blockchain is not yet cost- and energy-efficient and cannot take on a mass number of transactions. These conclusions are based on a three-year research project that tested DLT prototypes.

Phishing & spearphishing

Phishing: In the blink of an eye, an employee or customer can download malware and do great damage. It never hurts to keep this top of mind bank-wide through your regular communications. These attacks continue because they are valuable to hackers. Verizon notes that more than 75% of these attacks were financially motivated last year.

But FBI agents will often tell you that the #1 threat to financial institutions today is spearphishing. Huh? Spearphishing is the practice of sending fraudulent, spoofed emails to a company’s employees in order to deploy malware, ransomware or some other form of monitoring or intrusion software as soon as someone clicks on the otherwise legitimate-looking email.

Lenders and banks must “stay dynamic” and continue to evolve with the threats: train, train and train your staff, engage in email monitoring, install email protection software, and implement system segmentation (so that it’s not easy to get from the system that opens/operates email to the systems that house key data). Everyone is under the same level of threat, and everyone is in the same boat. There are no easy answers and no inexpensive solutions. Financial services companies must remain active, vigilant and aggressive to protect ourselves and our customers.

Mitch Tanenbaum recently contributed, “It is an epidemic and that is being polite. One industry executive friend of mine says that his national title company receives 300,000 phishing attempts every single day! We have multiple mortgage clients that have fallen for phishing attacks. The result is that one or more users’ credentials are compromised.

“Once a user’s credentials are compromised, the attacker can log in remotely, say from Ukraine. One way they can exploit this is to log in only one time and during that very brief login they add a rule to forward all inbound mail, whether it comes from an internal user or an external user (such as a client) to the hacker’s Gmail account. Once the hacker has done this, he or she never has to log in to the compromised account again. This attack will continue to work even if the user changes his or her password. Once the hacker has copies of all your emails, he or she can peruse them at his or her convenience, using them to create attacks against your customers and against your employees. At his or her leisure. Forever. There are tools that you can use to protect from these attacks, but most companies have not implemented them.

“Another use of compromised credentials is to use them as a safe launching pad for sending out spam to the spammer’s list of email contacts. This attack is usually relatively short lived because eventually, someone will contact your company and complain that you are sending out spam. Alternatively, your entire company’s email can get blacklisted (and this is not that hard) and all your company’s email from all employees will be rejected by any recipient that subscribes to one of the blacklists that you are on. Getting yourself off some of these blacklists can take multiple days, in which time all your email will be rejected.

“There are many things that you should do to mitigate this risk and one of them is phishing your own employees. We have seen mortgage companies where the percentage of people who fall for the phishing emails is very high (say in the 40% range) and very low (less than 5%), but even at the very low range, there is significant risk. Remember that compromised credentials mean at least an investigation and likely it means notifying regulators in multiple states that a breach has occurred. This generates reputational damage and the potential for lawsuits – all from one compromised account.

“Modern phishing training tools are affordable and easy to use. The tools must be able to phish users automatically with limited work on the administrator’s part, with different phishing emails for different users and delivery of the training phishing emails at different times of the week for different users. Executives MUST be included in the phishing tests and optimally, they should tell the entire company if they fall for one. This removes the stigma of falling and lets people know that this is sufficiently important to the company that even the executives are participating. Please contact us if you need help with phishing training or protecting your email.”
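
The forwarding-rule persistence described in the contribution above can be checked for by reviewing mailbox rules for external forwarding targets. The following is an added example, not part of the original commentary or the contributor's tooling; the record layout, the rule names and the `examplelender.test` and `webmail.example` domains are hypothetical and constructed for illustration.

```python
# Added example: audit exported mailbox rules for external auto-forwarding.
# The record layout below is a hypothetical export format, not a vendor schema.
from email.utils import parseaddr

INTERNAL_DOMAINS = {"examplelender.test"}  # assumption: your own mail domains

# Constructed sample data: one benign rule and three forwarding rules.
SAMPLE_RULES = [
    {"mailbox": "lo1@examplelender.test", "name": "Move newsletters",
     "enabled": True, "conditions": {"from_contains": "news@"}, "forward_to": []},
    {"mailbox": "lo1@examplelender.test", "name": ".",
     "enabled": True, "conditions": {}, "forward_to": ["collector@webmail.example"]},
    {"mailbox": "proc2@examplelender.test", "name": "To assistant",
     "enabled": True, "conditions": {},
     "forward_to": ["Assistant <asst@EXAMPLELENDER.test>"]},
    {"mailbox": "proc2@examplelender.test", "name": "old",
     "enabled": False, "conditions": {"subject_contains": "wire"},
     "forward_to": ["x@webmail.example"]},
]


def domain_of(address):
    """Return the lower-cased text after the last '@' of an address."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def audit(rules, internal=INTERNAL_DOMAINS):
    """List every rule that forwards mail outside the internal domains."""
    findings = []
    for rule in rules:
        # Anything that does not parse to an internal domain counts as external.
        targets = [a for a in rule.get("forward_to", [])
                   if domain_of(a) not in internal]
        if not targets:
            continue
        if not rule.get("enabled"):
            severity = "low"      # dormant, but still evidence of tampering
        elif not rule.get("conditions"):
            severity = "high"     # enabled and matches all inbound mail
        else:
            severity = "medium"   # enabled, forwards a filtered subset
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "targets": targets, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Because such a rule keeps working after a password change, a review like this belongs in the response to any credential compromise as well as in a recurring audit.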

Travel scams

Lots of people will be traveling this summer, and Experian advised that Americans should be particularly wary of these six travel scams.

1. Third-Party “Discount Travel” Scams

Travelers may be tempted to reach for discounted vacation offers from third-party firms. Such companies offer “instant” travel discounts designed to lure consumers to make impulse decisions on hotels, airlines, cruise lines, and other travel packages. Consumers will provide a credit card or debit card number, and these discount firms will pocket the charges, and all too often not provide the services promised or skimp on the offerings.

2. Free Vacation Offers

Travel scammers also often offer free vacations that are more about stealing money from your bank account than providing a dream trip that’s “on the house.” Travelers wondering if free travel vacations are on the level are onto something—free vacations from companies you’ve never heard of before just don’t happen, not unless there’s a major catch involved in the deal. To recognize a fraudulent deal, know the warning signs, which include offers of gorgeous locales with no specific mention of hotels, resorts, or airlines.

Additionally, the free travel offer doesn’t list any specific dates or any fees attached to the offer. If you’re considering such an offer, read the fine print included in the offer (especially on fees included), check the listing companies’ track records on websites like Trip Advisor, and review the listed record of the company on the Better Business Bureau website.

3. High-Pressure Booking Tactics

Unscrupulous travel services firms will often try to put the pressure on to close a toxic travel deal. They do so for a reason: Travel consumers who book a travel package well in advance often do so with a credit card payment. The fact is, according to the FTC there’s a 60-day limit on disputing a credit card purchase (you must dispute it within 60 days of receiving the first bill with the charge on it). By the time the consumer figures out the travel company is ripping him or her off, it’s often too late to get their money back.

4. Rental Fraud

With the rise of Airbnb and other private residential home rentals, vacation rental scams involving apartment dwellers or homeowners who offer deep discounts on travel rentals are growing more pervasive. Here, consumers looking to book a place to stay will search for a good deal and dig up a home with a great rental price and contact the “owner.” In reality, the owner is a scammer who insists on an immediate down payment on the property rental.

Often, the scam artists will insist on a bank wire payment, which can be transacted in a day or two, and goes directly into the scammer’s account. When the traveler shows up at the property, they find it in a deteriorated state, or they find that the property is owned by someone else and isn’t available for rent at all.

The good news? Online rental companies are now offering built-in protection against such scams. Airbnb, for instance, doesn’t release payment to the homeowner until 24 hours after the renter checks in. HomeAway provides secure payments and money-back guarantees, as well. Also, read reviews to get the scoop on a property. Past travelers can tip you off to something shady. Be cautious on sites like Craigslist where you don’t have guarantees and reviews aren’t available.

5. Bait-and-Switch Scams

Another form of rental fraud comes in the form of bait-and-switch rental scams. In this instance, unscrupulous rental providers list a highly desirable, but unavailable, rental property. When a travel consumer signs off on the rental, upon arrival, the renter is told the original listing is unavailable and is steered to a much-less desirable property.

6. Fraudulent Currency Exchange Scams

Americans traveling overseas may use street-based storefront currency exchanges, which bill themselves as accessible and user-friendly. Travelers who use storefront currency exchanges should take caution. Such exchanges can charge onerous fees and provide the wrong amounts on currency exchanges, always in favor of the storefront currency exchange.

These fraudsters count on the foreign travelers not knowing the currency rates while traveling abroad, and that they’ll embrace the convenience of exchanging currencies right on the street. Travelers should avoid storefront currency exchange services; instead, only use banks and other financial institution currency exchange services, or “currency exchange-only” stores that are accredited and that specialize in currency exchange services. U.S. travelers should always know the current exchange rates between the U.S. dollar and the relevant currency used in the country they’re visiting.

Using a credit card when possible, especially one without foreign transaction fees, helps you avoid carrying around too much cash. And you can use well-known companies’ ATMs as needed, though you’ll want to be aware of any fees from that bank and yours.

Knowing How to Avoid a Travel Scam

The Federal Trade Commission (FTC) offers a handy guide to help you spot and avoid travel fraud scams. The FTC also provides an online complaint form to report travel fraud or travel scams.

In general, consumers planning and booking travel should be on guard against clicking on suspicious emails offering free or deeply discounted vacation packages. The adage that “if it seems too good to be true, it likely is” is a handy rule of thumb when considering such deals. Also, if you do sign on to any vacation package deal, get all the terms in writing, and don’t make any payments until you do. A reputable travel service will have no problem doing so, but a scam artist likely won’t want any record of the deal.

Read the fine print on any travel deal and scour your invoice or contract for any hidden fees and charges that weren’t clear upfront. Common travel fees include processing fees, late booking fees, and international departure and arrival fees. Get an explanation on any fees charged for travel and ask if any can be eliminated or discounted. Traveling these days can be time-consuming enough without worrying about getting scammed while on the open road. Watch for the travel scams listed above and make sure you don’t fall victim to any one of them.

(No joke today – but instead a piece on annoying robo-calls which seem to be plaguing everyone.)

The Federal Communications Commission said consumers received an estimated 2.4 billion robocalls per month last year. If your phone is being inundated with such calls, there are steps you can take to try to block them out:

The simplest and most effective remedy is to not answer numbers you don’t know.

If you do answer, don’t respond to the invitation to press a number to opt out. That will merely verify that yours is a working number and make you a target for more calls.

List your phones on the National Do Not Call Registry. If your number is on the registry and you do get unwanted calls, report them.

Download apps such as Truecaller, RoboKiller, Mr. Number, Nomorobo and Hiya, which will block the calls. YouMail will stop your phone from ringing with calls from suspected robocallers and deliver a message that your number is out of service.

And then there is the Jolly Roger Telephone Company, which turns the tables on telemarketers. This program allows a customer to put the phone on mute and patch telemarketing calls to a robot, which understands speech patterns and inflections and works to keep the caller engaged. The robots string the callers along with vocal fillers like “Uh-huh” and “O.K., O.K.” After several minutes, some will ask the callers to repeat their sales pitch from the beginning, prompting the telemarketers to have angry meltdowns, according to sample recordings posted on the company’s website.

Watch what you say. One recent scheme involves getting consumers to say “yes” and later using a recording of the response to allow unauthorized charges on the person’s credit card account, the F.C.C. warned in March. When the caller asks, “Can you hear me?” and the consumer answers “yes,” the caller can gain a voice signature that can later be used to authorize fraudulent charges by telephone. Best to answer with “I can hear you.”


(Market data provided in partnership with MBS Live. For free job postings and to view candidate resumes visit LenderNews. Currently there are over 300 mortgage professionals looking for operations, secondary and management roles. For up-to-date mortgage news visit Mortgage News Daily. For archived commentaries, or to subscribe, go to www.robchrisman.com. Copyright 2018 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)


Rob Chrisman