Borrower Fraud in Private Lending: Red Flags, Remedies, and Recovery

Steven E. Ernest, Esq.:

We are delighted to have you here. My name is Steve Ernest. I am one of the partners at the Fortra Law Firm. I am also the director of litigation and bankruptcy there here. Today, it's my high honor and unique pleasure to have such a distinguished and smart guest, Thane Boren from Katie is here and he's going to tell us lots of great things about fraud and private lending and what to look for and what you can do in the unfortunate and remote chance that you fall victim to some sort of fraud. And we're going to talk about ways that we can recover when fraud might befall one of your loans or your business. We did this a few years ago. We decided to brush it up because fraud is never changing world. Fraudsters, sadly to say, are ever clever. There is the contact information in the unlikely event that every question you have in your mind right now is not answered in the next 45 minutes or an hour.

You're welcome to get in contact directly with either me or Thane at one of those two places. And we will take Q&A at the end. I forget whether I've mentioned that already. If you have questions, put them in the Q&A, not in the chat. You can put them in the chat if you want, but we're not going to review that. We are going to review the Q&A. The A being answers, the Q being questions. So you put in the questions. Thane is going to supply all of the answers and that will be wonderful. So fraud, what is going on with my computer? Fraud. When people talk about fraud, usually they start with just saying it's a misrepresentation, and then they put a period after it and say every lie is fraud, and it's not. But it always starts with a misrepresentation. So somebody needs to tell you or communicate something to you, which isn't true and that starts the inquiry.

It doesn't end it. So there's more. It has to be a misrepresentation of what's called a material fact. And that means they can't just lie about the temperature in Nashville today unless that for some reason is a salient part of your loan. They have to misrepresent something's important. So their wherewithal inability to repay you, whether they're alive or not, whether they really are the person that is ostensibly making this loan arrangement with you, something that's important. So misrepresentation of a material fact and the inquiry isn't over, you have to rely on it. So if they tell you an important lie and you don't believe them anyway, and so it doesn't become sort of the basis of the arrangement or the bargain that you're making with them, it doesn't matter. But if it's a lie about something important and it's something that you rely upon, doesn't have to be the only thing that you rely upon, but it needs to be something that you did rely upon, then we can move on.

And it's something that caused you detriment. So in ordinary circumstances means you lost money. Either the property wasn't worth what they said it was or they didn't pay you, you didn't get your money back. Usually those are the detriments that befall lenders. But if you can satisfy each of those elements of fraud, congratulations, you have befallen, become a victim of what's sort of ordinary fraud, sadly. But that's what fraud means. It's certainly more than just a misrepresentation. It's more than just somebody lying to you, which is what a lot of people think. So I thought I would roll through the elements for you at the beginning. I am a lawyer after all. Here is a lot of ways that fraud manefits itself in private lending asset inflation. So the prospective borrower finds out that you issue loans at a 60 / 40 LTV, say, and they want to get $600,000.

So they're going to tell you that or try to convince you somehow that their property is worth a million bucks. Sometimes, sadly, we find out that this million dollar property is actually a $120,000 parcel of dirt out in Barstow and it really isn't worth anything or it's worth $120,000, but not nearly as much as they indicated it was. So asset inflation is the most prevalent. How do you defend yourself from those? We're going to get to in a minute. Another way is appraisal fraud. So if someone calls you with their prospective borrower and they want a loan, or it's a broker trying to place a loan, and I've got some good news for you, I'm going to save you $700. I already have the appraisal and I'll just send that to you and you can use it. You don't have to buy another appraisal. Hopefully your antenay will be raised at that point because people bringing appraisals to you are almost always fraudulent.

If the appraiser is the brother of the broker or the cousin of the borrower, probably it has some corners cut on it and it's worth investigating. It's much better to you. Well, I'm getting into the remedy. It's much better to use a panel appraiser that you are familiar with and don't ever take someone's word for it when they just bring an appraisal to you because everything else about it may be fine and they just have some clever computer operators that could change a few of the values and make it look better than it really is. So loan stacking, that's somebody who's applied for loans with several different lenders at the same time. They close them all on the same day. So you thought you were going to be a second and it turns out you were a fifth because they got three other loans and they stack them up without you knowing.

Oh, we're not moving on. Yeah. Occupancy fraud. So these are DSCR loans, apartment buildings, things like that where they produce to you 16 leases which say the place is fully occupied and all the tenants are paying $3,500 a month. Then they default and you find out that half the place is empty and it's really Section eight housing and the people who are there are only paying $1,200 a month, things like that. So the other sort of obvious one is in business purpose lending. The people are taking a loan from you to pay off their student loans or renovate their bathroom, but they tell you it's a business purpose loan and they really live there and it's an SFR. So those are some things to look out for as well. Straub buyer fraud. We did a whole webinar on that about six months ago, but there's usually someone lurking in the shadows who's the fraudster who couldn't qualify for a loan to get a used Toyota Corolla, but he's taking out loans to get hundreds of thousands, if not millions of dollars, but he finds somebody of his that is going to take title to the property and otherwise qualify for the loan but doesn't know anything really about the purpose for the funds.

You see that a lot with construction loans. That's where that one is most often rears its head. Title fraud, you always buy title insurance. My firm recommends title insurance 120% of the value of the loan because when you have title problems, the expenses, costs, et cetera, that are going to be concomitant with you settling the losses that you've incurred are going to exceed the value of the policy. So you want to be overinsured in that regard. Identity fraud, this is the classic one that's been around since the '90s or before, where somebody has some sort of a catfishing scheme and they have stolen the identity of poor mode kittle and they've got their social security numbers and their driving license numbers and all sorts of information suggesting that they really are people who they actually are not. And you make a loan collateralized by Mompaw Kittle's house and then a year later when you go to foreclose, the real Monpaw kittles say, "What are you talking about?

I never got any of this money." And you find out that it's been wired to someplace in India and it makes a big mess. Title insurance usually going to help you quite a lot in that circumstance, but that's what identity fraud is. All right Defenses, what do you do? So on the front end, the best way to deal with fraud is not get involved in it. So rigorous due diligence, education and training. Part of that education you're getting today, if you implement it, that will be the training part. 87% of driver's license matches were for valid loans. So that sounds pretty good, right? That's a B+, except the flip side of that means 13% of them were not. And that's a lot. I don't think anybody, I hope anyway, that anybody watching this doesn't want 13% of their loans to be fraudulent. 48% of fraudulent loans had VOIP phone numbers.

So I happen to have a VI voiceover internet protocol phone sitting right on my desk here in the office. So not everyone who uses those is a fraudster, but most fraudsters use exclusively those. These are all things to look out for. There wasn't a single synthetic identity which was registered to vote. So figuring out who your customer is and digging into them. So this firm Fortra there offers many paths at various expense levels to verify who your borrower actually is and to make sure they are who they say they are. And there are ways and one of them is, do they have voter registration? So appraisals with integrity, I talked about that before. You always want to use your appraiser. You never want to use the one that they bring with them. And if somebody is bringing a person who they say is going to go out and do the appraisal, that's something to pay attention to, not necessarily a disqualifying characteristic.

I wouldn't use their appraiser in any event, but I wouldn't deny the loan just because they suggested an appraiser. If they bring with them a paper copy of an appraisal that they want to PDF to you, that's almost definitely a no. I would strongly recommend closing the book on that loan if somebody wants to do that because they're probably lying to you and trying to trick you out of your money. Verifying occupation, that's that one, the occupancy fraud. Thank you. So you just want to verify who actually lives there and what they actually pay. Sometimes it's phone calls to the person who's on the lease. Ask them if they actually live there and if they actually pay $3,500 a month in rent, whatever it is, because for a DSCR loan, it makes a lot of difference what the occupancy is and what the rent role is.

Reputable allies, get some friends as long as you have a trusted team both in your house and a trusted team of vendors who you use pre-closing who have a good reputation or people you're familiar with, you'll certainly do much better and cut down these odds of 87 and 48% quite a lot. Know your customer enhanced verification. So most of what I was talking about just a few moments ago are ways to verify that your customer is actually who your customer says that they are. Don't wire money to India. Don't take an email on the day before closing that says, "I want you to send the money here and not there." Verify all of those things really carefully. Don't make rash decisions and be careful, I think is sort of the guiding principle of today. So guarantor failure, this is a straw buyer thing mostly because you've got a single purpose entity as your borrower.

That's what SPE is for those not in the club. Your guarantor typically has limited assets. So you want to find out what is really the value of the guarantee that I'm getting. Does your guarantor own a single family residence that he's had for 15 years that he lives in with his family in Kentucky? Well, that seems like a pretty good guarantor. Does he have a steady job somewhere? He's worked for the government, things like that.

The straw buyer circumstance, usually the guarantor has pretty limited, if any, assets, limited if any, income, so nominal income and no real estate in the project. I mentioned that these straw buyers are usually in construction loans. So there's a project. We're building an apartment building, we're building a strip mall, we're building something. Ask your guarantor what's his involvement. And if he doesn't know how to pour cement, he doesn't know anything about retail space, something like that. Probably want to question him, well, why would you want to guarantee this loan then? And if he says, "Well, I've got this friend, Brad, and he asked me to, that might be a bad one for you. " If you've got a guy who doesn't know or care about the project, doesn't have any assets, I think that's probably a guarantor that's going to file bankruptcy on you as soon as you try to collect from him so you haven't done yourself a lot of favors there.

Many of the assets promoted during the underwriting have evaporated. So they're going to show you a deposit account with $85,000 in it. Well, how long has the $85,000 been there? How are you going to assure yourself that the $85,000 is going to be there after default? And the guy will say, "Well, I inherited it or I went to a riverboat in Missouri and I hit it big on Blackjack," whatever he says. But I'll tell you this, the only way, this is law that's on my bookshelf right over there, the only way to get a perfected security interest in a deposit account, which is what that checking account is. The only way to do it is possession or control. So you're going to need to be on that account yourself and you're going to need to be the only entity authorized to withdraw funds. And it's pretty unlikely that your guarantor is going to let you to do that because probably what they're planning to do is transfer the money right back out to the fraudster as soon as the loan closes.

So there you go. What do you do when you find out a fraudulent loan is in your portfolio? We talked a little bit about title claims. You definitely want to do that. You want to have title insurance and you want to let the title insurance company know right away. We've had pretty good results of overwhelmingly good results getting title insurance to cover the problems that you have with straw buyers and fraud. So it's a good thing to have. All is not lost. It's what you buy insurance for. Don't want to use it very often, but if the circumstance arises, certainly you want to pursue a title insurance claim. Legal resources, that's this guy. Get your attorney on the phone sooner than later. Yes, we bill by the hour, but we have a little bit of knowledge in this field that the casual observer does not have and you don't want to sit on your rights for too long because there's fraudsters stealing your money and disappearing into the forest and you've got burning limits on the time period that you can make your title claims and we can help you.

Damage control is kind of what we do in that regard. We try to get our arms around whatever assets there are remaining between your collateral and your guarantors or your borrowers and hopefully Marshall as much of that as we can for you. And then after all of that has occurred, you just want to review and reflect what went wrong, how can we make this so it never goes wrong again and we never have to talk to Steve again. And there are processes that you can put in place that will hopefully prevent a second occurrence of a fraudulent loan in your portfolio. So now is the time where you really start to learn because there's this man, Thane Boren, who I am sharing the screen with today and he knows lots and lots about these things. And this is slide number 10 and he is a 10 as far as knowledge goes and really in every other capacity.

So Thane Boren, slide number 10, take it away, my friend.

Thayne Boren:

Thanks. Far too kind as always, Steve, but I will take the compliments. Thank you very much. Just a little bit about Skatie. We are a construction finance management platform handling draws inspections and we also are a payment processor and that's really what I want to focus on today is we've been making payments and been in business since about 2015. We have quite the experience in payment processing and best practices as it relates to fraud and fraud prevention. And so again, little background context on who we are and what we do, but let's dive into some of the different areas in which you can be jeopardized in fraud and some of the more prevalent cases of fraud. So the first would be, Steve, if you want to hit the next slide there. The first and most prevalent is going to be wire fraud is certainly prevalent here.

And let's talk about how folks are going to gain access to your sensitive information or potentially your client's sensitive information. And so the primary method in one of the top 10 areas that the FBI actually tracks as it relates to cybercrime is business email compromise. So we're going to see a lot of acronyms on these slides. There's a lot of information. I will try to cover all those, but we will have quite the marathon of three letter acronyms today. The first again is business email compromise and email account compromise. And what that does is it allows folks to gain or these individuals, these fraudsters to perform their nefarious activities. It allows them to get access to sensitive information such as dates, account numbers, going as far as what is called account takeover. And so they would see that there's a closing, perhaps that there's going to be a half million dollars sent to certain parties.

They're going to gain access to the party's information that further gain access through this account takeover process and then send fraudulent wire instructions. So Steve used the example, okay, this should go to this account, this routing number, this information. All of a sudden that information changes and now you've sent a half million dollars to somebody that's going to disappear. And so again, primary methods of access is going to be business email compromise. And just for reference, we've got some stats on the slide here, $3 billion in losses reported by the FBI on this. So that makes it the second most costly cyber crime that is tracked, seventh most reported, second most costly. Unfortunately for us in the real estate space, these are large transactions. Fraudsters have found this. It's still a pretty archaic industry in terms of checks being written, wires being sent, papers being printed, things of that nature.

So it's wrought for human error and opportunity for these folks to come in and gain access to very sensitive information. And go ahead, next slide there, Steve. So just an anatomy of a payment diversion. So we talked about the entry, the surveillance they watch, they see what's happening, the substitution of the instructions and then the exit. So the funds move to an account, they move those funds out of that account and then they disappear. So we talked about this a little bit, but sudden bank changes, urgent tones, different emails but look very similar to the domains that you may be interacting with reluctant to go through some of the processes. We all know that folks are pretty hard to get ahold of. They may be adverse to sending additional information. Those are all red flags in terms of what you should be looking out for as you're going through your processes and establishing best practices around this.

And so we have up there control, require verification for first time payees, banking changes, or any requests that appear to be from a known person that have some sense or some sense of change or urgency and things of that nature. And so as it lists here on the slide, most wire fraud is not a hack of the bank, so don't misunderstand that. That is very, very rare occurrence that that happens with data leakage and things of that nature at the banking institution. It happens before it gets to the bank. And so what is happening in the industry? Well, as you can see here, the numbers speak for themselves. They just continue to grow exponentially. As I mentioned, the transactions, the dollar amounts, they're high ticket items, so the numbers are just growing exponentially and it's not going to stop. And furthermore, AI is only enhancing their ability to replicate documents to generate information more quickly, more accurately, including synthetic ID and things of that nature.

So things I want to point out is title. We touched on title, very important. I would echo Steve's comments around title and title insurance. However, I would also encourage you to take a look at your partners in this industry and ensuring that they have best practices, whether it's a technology vendor, whether it's a title and insurance company, that they have your best interest, that they're doing all that they can to protect your sensitive information. And so title seller identification fraud is up, fraud in complaints is up. You can see the average dollar amounts are 22,000 and above. And so this is not going away. It is incredibly prevalent and is going to continue to grow and so just be hypervigilant in everything that you do.

So let's touch on some more best practices and private lenders not regulated like banks, but I think we can all agree that banks have some great practices in terms of how they go about identity, fraud, mitigation, things of that nature. So let's touch on some of the three letter acronyms, OFAC, so Office of Foreign Asset Control, KYC, Know Your Customer, KYB, Know Your Business, FinSend, BSA, AML, and suspicious activity. These are all things that your companies move massive amounts of dollars every single day in and out of your bank accounts. It would behoove you to go through and look at these practices as well as the Finsen site. They have a lot of really good information, they have a lot of good trends, things of that nature, and we'll go more into this, but really encourage everybody to start if they have not already done so in establishing a KYC, KYB process, which is part of an overarching Bank Secrecy Act, Anti-Money Laundering Act program in which banks are regulated.

So once money starts to move, and Steve did a great job of talking through all the various ways in which you could be susceptible to fraud. And once you get to the point where you're ready to transact money, you should be hypervigilant in terms of how you're looking at this. And furthermore, really think about how you're going to identify that payee or payor in some regards, where the money's coming from, how it's coming into your accounts, is it good funds? What are the different banking rails in which you're interacting with and how can you better understand those banking rails and how they can impact your business? So why are super straightforward, fast, its final dollar, or sorry, final in terms of its settlement, it's irrevocable, you can have high dollar amounts that you can transact through that banking rail and really if you want to think about it simply once that is initiated and that money has left your account, it's very, very, very nearly impossible to get that revoked ACH, it's batch-based, it's rule-based on returns.

So there's a whole slew of codes and things that go into ACHs, but it is more recoverable.

And so there are some opportunities there in terms of looking at, again, what's the transaction type, what money and what funds methods should you be looking at? And then perhaps if it's not super urgent or not immediate good funds, ACH is certainly a great opportunity to look at that within your business. Check, honestly, I'm just shocked at why people still write checks. Over 50% of checks have some form of fraud attached to them. I understand that there's safeguards in terms of positive pay and things of that nature, but it's just such a significant opportunity for fraud to happen, but understand also it's still considered good funds in real estate. What I'm hopeful for and optimistic is the RTP and FedNow payment rail. We will touch more on this, but it's effectively the best of ACH and wire combined. And so the question that I have for everybody is, are approvals designed for payment rail you use?

So go back to those, like I said, is it needed? Is immediate irrevocable funds needed or is there some opportunity to potentially look at giving yourself a window of recovery in the event that something catastrophic or fraudulent happens within your business?

So best practices on payment control, certainly there's secure wire instructions. We actually do this within a platform that we have called Title Money. We're in the process of migrating the service over Endora Secadi platform in which it provides different verification steps and tools that allows you to send an exchange through secure portals, wire instructions. As I mentioned, working with partners that understand wire instructions, whether it's through title and escrow agencies and things of that nature, ability to claw back funds is really important for you all to take into consideration and know your bank recall steps, who you'd have to contact and things of that nature. One of the things I didn't touch on is the IC3 reporting procedures. So the Internet Crime Complaint Center is something that everybody should jot down the better that we can track down these fraudulent events as they happen if unfortunately you happen to become a victim of this, really important to know that center and where you can go and report issues when and if they happen.

I will spend time on talking about account and entity verification. This is all part of the KYC/KYB process. So validating account ownership, entity legitimacy, account status before the money leaves your account, then putting in controls within your own organization, transaction limits, dual authority approvals, things of that nature, always best practices as it relates to looking at funds before they actually exit your business.

Furthermore, governance around, this is more perhaps for a company like ours where we're audited, not like a bank but similar to a bank, but just giving you guys some ideas around best practices, having a secure Security officer or chief information officer, Anti-Money Laundering Act compliance owner, somebody within your company that understands the KYC/KYB process, that understands the Bank Secrecy Act processes where they can have some form of oversight within your organization to help you assess where risk is access. So multifactor authentication, single sign on privilege, segregation of duties, access reviews for banking, customer retention, relationship management tools, loan origination tools, draw, and accounting systems, so on and so forth. So there's a multitude of different entry points in which nefarious activity can happen. Make sure you understand where those systems are, who has access, what privileges they have, things of that nature. I cannot emphasize this enough.

Training is the most paramount thing that you can do within your organization. Unfortunately, when fraud happens, it's one of those situations where the toothpaste can't be put back in the tube and really you start entering into a phase of damage control and as part of your recovery. And I cannot emphasize training enough. I will tell you, I've sat within organizations where folks have said, no, it's fine. I sent this out over a secure email, and I'm like, oh, you send it out encrypted? No, my email's secure. Well, that means somebody can't hack into your email. That doesn't necessarily mean that once you send that email out into the ether, that someone can't access that and gain access to that information. Penetration testing, vulnerability scans, there are a multitude of companies that can help you with this. If you're unfamiliar with this process, we're happy to help you as well.

And then just making sure that you have retention of documents, any exception management and logging that you're doing, vendor due diligence. Again, this is something we can help folks with if they're interested and then any control testing. So standardization around this, of course, is like SOC two, but keep in mind human risk is your most vulnerable part of any business. You can put whatever moat you want around your business in terms of technology and services, but it only takes one person to leave the front door open and somebody to walk through that door.

Moving back to RTP and FedNow, I'd like to think that this is the silver bullet that the industry needs, but unfortunately recovery times and prevention, you've got to really start that upstream. And so Realtime Payments Network and the FedNow Payment Network are very interesting and intriguing. Most industries, I can't see a better use case than ours as it relates to industry needing a payment rail like this. Unfortunately, most institutions are only enabling the send function, not the receive function, but that is something to keep in mind as the RFP or request for payment is enabled and they enable B2B transactions that you get the ability to send out payments twenty four seven, 365. So closing times for wires and cutoffs and things of that nature should reduce the friction of that, give you a little bit more opportunity to go through your KYC process. But I think this is a really interesting element as it relates to the industry and how it can shape and impact the industry, but it's also new and it's new for your banking institutions and your banking partners too.

So as you start to engage in the RTP, FedNow and eventually RFP proces, you should really consider and understand what those payment rails are, how they can impact your business, who can approve what an RFP even looks like, how to handle those kinds of things. So within that smaller detection window in terms of the funds leaving, make sure you're doing that due diligence on the front end for sure.

And next slide, Steve. So let's get into more tactical side of this as it relates to construction loans. Most people that I engage with for the most part think that if they have the right LTC, LTB on a project and they've underwritten their borrower, that the project is going to be pretty safe. But anytime that there is a draw, you are effectively managing risk. And so best practices around this, match draws to budgets, scopes, inspections, make sure you're collecting lien waivers. We know a lot of folks don't collect lien waivers out there. Understand that that can be burdensome, but there are digital processes in which you can streamline that. Payee identification, making sure you're paying to the right folks on the project, look for duplicate invoices, interesting dollar amounts, different invoice gaps, things of that nature. Require photographic evidence, site inspection, progress inspection, make sure that those draw amounts that are being requested match the actual progress of that project and then monitoring draw velocity is critically important.

And so understanding that we live in a day and age where things can be digitized and process can happen very quickly, your borrower needs money so they can continue moving on that project and moving it forward. But keep in mind every single draw has inherent risk with it. So knowing who and what you're paying for and an observation that we've had is level of detail within budgets is also very important. It can cause confusion as it relates to the budget itself. So the more granular you can get in the budget process and understanding truly the scope of work will give you better cost control around that particular construction project, specifically as it relates to the progress of that. We've heard unfortunate stories where entire budget items were missed, which obviously can impact the appraised value of that particular project, your ability to build out of that project, things of that nature.

So just some best practices around job management and knowing who and what you are paying for on those construction loans that you're all originating.

Know your customer, know your business. This does not have to be overly complex and this doesn't have to be overly burdensome to your organization. So identify who you're dealing with, how to do. This is pretty simple for individuals, some high level recommendations, government ID, looking at secretary of state information, physical address, not a PO box or things of that nature, looking at the EIN or TIN or SSN, depending on if they're a sole prop, things of that nature, W9 and making sure that the TIN matches. If you want to go as deep as a OFAC screening certainly doesn't hurt. There are lots of services, including folks like us that do this process for you. Going a little bit more extreme, some banks would recommend a PIP, not a performance improvement plan, but a politically exposed person. And we typically don't go to that extreme, but that is certainly something that is becoming more prevalent.

Looking at bylaws, certificate of the organization, articles about the corporation, I think Steve did a great job touching on this too, but there's a way to identify who you are doing business with and it's a balance of not making that so burdensome that they don't want to engage or interact with you, but also having the best practices internally within your organization to ensure that you are comfortable in a position of being able to release funds to the appropriate party at the appropriate time and furthermore, monitoring. Don't make this an event but make it a part of your everyday process.

Do you understand transaction amounts and the geography of the transactions and do they make sense and things of that nature? And then when something does happen or when something does become suspicious, what do you do with that? Who do you take that? Do you have somebody within your organization that's identified that can help remediate any of these issues or help go through screening of potential suspicious activities, things of that nature? And then when there is something that's potentially fraudulent, what do you do with it? Where do you go within your organization and how do you handle those things? Those would all be, again, best practices, but know your customer, know your business. That is all part of fraud prevention at its core, especially as it relates to moving money.

So elements of a good BSA/AML program, and again, keep in mind, KYC, KYB are part of a Bank Secrecy Act, Anti-Money Laundering Act program. So policies, procedures. If you have the ability to have some sort of a compliance officer, somebody that you can appoint to have ownership and steward this program throughout your organization, it doesn't have to be on ceremony. I mean, certainly just if you're a smaller shop, identifying somebody that can go through CAMS training, which is a great program where you can get a little bit more familiar with some of the best practices around BSA AML or KYC, KYB work and just broken record, but emphasize training, training, training.

Independent testing and customer due diligence and monitoring monitoring is tying that back to that hygiene of your transactions, perhaps bank account changes, urgency and tone. If they normally are requesting certain dollar amounts and all of a sudden you see a significant spike and $200,000 request is a normal thing, whereas a $400,000 request jumps up or all of a sudden it's Friday at two o'clock and they're saying, "Oh, don't wire it to this bank account, wire it to this bank account." All of those things should send up your antennas on being hyper alert on just interesting items that you'd want to monitor as it relates to behavioral things that we've seen certainly across our 15 plus years of processing payments.

The fraud prevention operating model, for a lack of better way to say this, assign owners, verify outside emails, go through your KYC, KYB process, providing those callbacks. Steve touched on VoIP, but what are the verified numbers? How do you know how to contact that person? Going through the account and entity verification. So account and entity verification, a distinction there is, is this account open? Is this bank account open and is it active and does it have a health score? And then verifying additionally, does that account belong to Steve and can I prove that he has ownership of that? And then can I believe that Steve is a partner at Fortra Law and does he exist and is he a part of that organization? Is he truly who he says he is? Train and test your team. You'll be shocked at what some of those results might be.

I would suggest a few companies that would help your teams. We use KnowBe4. It's a great program. There are other companies out there like Phish and Titan HQ and some other teams and companies that will help you with some of the ,,different fraudulent trainings and exercises and testing programs that you can implement. It is not a heavy lift. Performing audit controls, even if you don't have a SOC two attestation, we certainly recommend taking a look at some of the best practices from SOC two because it is systems and organizational control. So it gives you a good look at your internal systems processes as well as your operational controls and then be prepared to respond fast, calling your banks, filing an IC3, holding onto that evidence and then working through those remediation efforts. This is not something that is going away. It is something that you should be implementing in your businesses today.

It doesn't have to be something that happens overnight. Best programs are always refined and enhanced and grow over time. We grow our program every single day. And like I said, we've been doing this for nearly a couple decades, it is not something that is static and is ever evolving.

Steven E. Ernest, Esq.:

Alright then! Extraordinarily well done as expected. Here is a shameless plug. The Fortra Conferences is hoping to see you in Newport Beach here in about a month or so. It's going to be wonderful. So if you want to sign up and get a discount today through July 1st, you can using that web 100 discount code. Dane, are we going to see you in Newport? We'll

Thayne Boren:

Be there.

Steven E. Ernest, Esq.:

Outstanding. Outstanding. Well, here's a way to save some money and you can web 100 it and get a discount. If you didn't write that down, it is okay. One of the questions I saw was, is there a replay available of this? Not really a replay. We don't run it again at midnight and every third day like I love Lucy or something, but it will be available the recording of this and you can watch it at your leisure. We're touched that you would want to see it again. You'll be able to find that on my firm's website. You'll be able to find it on my LinkedIn page. I'm going to anticipate that this Katie marketing folks are going to probably put it on Than's marketing page and LinkedIn in all sorts of ways. So you're going to be overwhelmed with opportunities to rewatch this. If you don't want to rewatch it, you just want to see the slides because you don't want to listen to me, perfectly understandable.

You will be able to find all those slides. Among those slides that will be sent to you will be the one that includes the discount code for our conference in Newport coming up. So please avail yourself of that so that you don't have to call me three days before the event asking if you can have a discount. So you can do it now and then we'll be excited and prepared to have you there. So you'll get the slides. You can watch this again at your leisure as it relates to questions. Here's the first one produced and it's from an anonymous attendee. So challenging when you do a webinar about fraud for how many people we got here, 103 participants. And the first question comes from someone who wants to remain anonymous, but here we go anyway. How do you protect yourself or detect BEC? I believe BEC is business email.

What's the C thing?

Thayne Boren:

Compromise.

Steven E. Ernest, Esq.:

Compromise. So you don't want your business email compromised. And since he knew what the C was, I'm going to let him field this question.

Thayne Boren:

So starting out with just great hygiene around your systems. So ensuring that you have encryption around your sites, your folks can't gain easy access to get into your systems. Also, it sounds very basic, but choosing passwords that cannot be easily compromised or that are also reused over and over again. We actually see oftentimes where hackers will try various password combinations and then gain access through one email and then all of a sudden they have access to your bank account logins and your social media logins and all of the other things because you use the same password across that. And then if you have somebody internally that's helping manage your email systems looking at IP addresses and where those folks are gaining access to your systems is really important. We whitelist or sorry, we block a lot of IP addresses that are outside the US. And so it's one of those that's probably not an easy answer from a one thing that you'd do.

There's a multiple different top pronged approach that you'd take to ensuring that your email isn't compromised and then of course what to do if it has been compromised and monitoring and shutting down those email addresses when and if they are compromised.

Steven E. Ernest, Esq.:

Yeah, those are all fine ideas to keep your information to yourself. And then I suppose the follow on to that is if you find that you clicked the wrong email or text that came to you and you believe that your business email was compromised, don't suffer in silence, don't keep it a secret. You need to report that one up the chain because they have ways and you wouldn't be the first person this has happened to. They have ways to close the gates and solve the problem. Whereas if you don't tell anyone, it's only going to get worse minute by minute, right?

Thayne Boren:

Yeah. Looking at domains is really important and paying attention honestly down to the letter of those domains on those phishing attempts. Again, we leveraged no before they actually do simulated phishing attempts and will give you intelligence back to your organization on who clicked the links, who opened the emails, things of that nature. So it's a great training exercise for BEC for sure.

Steven E. Ernest, Esq.:

Than here's an opportunity for you to confess your crime. Have you ever got one of those, not the what did you just describe them? They're not a real phishing expedition. It's when the IT company is trying to get you to fall for it. Have you ever fallen for one of those?

Thayne Boren:

I personally have not. Oh,

Steven E. Ernest, Esq.:

Yeah. I have

Thayne Boren:

Certainly opened those emails, but thankfully I've not clicked on a link, but they're getting very, very good. As I mentioned, AI used to be really easy to detect. Typically, you'd have something that was maybe poorly worded and broken English perhaps. Now with AI, it's getting very, very interesting and you have to really second guess a lot of the emails that come through.

Steven E. Ernest, Esq.:

I have never fallen for one of the real phishing things, but one time I did click the link on whatever the IT company's follow-on thing was and it immediately paralyzed my screen and there was a fish with a hook in front of its mouth and it said that essentially, didn't you learn anything in the webinar that we gave you yesterday you were supposed to not do this and I only did it once. That's

Thayne Boren:

All it takes.

Steven E. Ernest, Esq.:

There you go. I feel better having got that off my chest now. Everybody knows. All right, those are all of our questions. That is everything in the chat. Thane, it was lovely to see you. Once again, I thank you for your willingness to do this and imparting your intelligence to all of us. We hope of course that none of this fraud ever happens to any of you, but in the event that it does, we hope that you have learned a bit today to either prevent it or remediate it so that the effects, the detriment that we talked about is as minimal as it can possibly be. And Bain and I are each standing by to help you in the unlikely and unfortunate event that something does happen. So thank you all so much. We look forward to seeing you in Newport.