Email to employees regarding token hijacking and AI-enabled spoofing

  • 1.  Email to employees regarding token hijacking and AI-enabled spoofing

    Posted 09-03-2025 07:42

    Yesterday I sent a message to our Sun Title team members reminding them of two cyber trends that continue to grow in frequency and sophistication.  I thought I would share the message to encourage others to alert their teams to be on the lookout.  No pride in authorship or content here, just an example :-).  Here's the message:

    Hello Team,

    Thank you for your continued vigilance in protecting our clients and the company from wire fraud. Last weekend was another active one for scammers.

    There are two cyber fraud trends that I wanted to highlight so that you do not fall victim either personally or professionally.  They are token or MFA hijacking and AI-enabled spoofing.  Please read and immediately report anything suspicious.

    Token and MFA Hijacking:

    Attackers are increasingly trying to steal one-time passcodes or session tokens to gain access to accounts that are protected by one-time tokens.  Scammers trick people into sharing these unique tokens (think your Microsoft Authenticator token for email access) in the following ways:

    • "Prompt bombing": repeated push notifications asking you to approve a sign-in you didn't initiate.  This is a wear-you-down tactic that has proven successful over time.
    • Fake MFA reset links/QR codes: webpages that look real but intercept your password and code.
    • Adversary-in-the-middle pages: convincing clones of Microsoft/Google/Title Production Software/Banking portals etc. that capture your session cookie/token.
    • Phone or text pressure: "IT" or a "vendor" urgently asking you to read them a code to "restore access."
    • Help Desk or Fraud Desk Spoofing: A vendor such as a bank being spoofed and receiving a call from their "fraud department" looking into a suspicious wire transfer only to request the token to log in to their platform.

    REMINDER:  No trusted party will ask you to share MFA codes, authenticator app digits, recovery codes, or to approve a sign-in you didn't start – NEVER SHARE THEM. If you receive an unexpected MFA prompt or any communication requesting you to share an MFA code or token, do not share it and report it immediately. 

    Advanced Spoofing with Generative AI:

    Fraudsters are leveraging generative AI to create and deploy advanced spoofing campaigns to trick people into clicking links and disclosing private information like login and password credentials in the following ways:

    • Writing polished, personalized emails that mimic our tone as well as that of our buyers, sellers, and referral partners.
    • Creating voice clones and deepfake videos to approve "urgent changes" and/or updated wire instructions to fraudulent accounts.
    • Communicating in real time on fake support sites, guiding victims through ID "verification" or token hijacking (as referenced above).
    • Creating look-alike websites, email domains and near-perfect invoices, payoff statements, or closing docs.

    REMINDER: it's harder to tell legitimate messages from scams. Never open an attachment or click a link you weren't expecting or that seems even slightly suspicious. When in doubt, verify with the sender via a known, separate channel and loop in our IT immediately.

    If anything feels off:

    In general, if your gut is signaling something to you, trust it.  Here's a reminder of what to do when something just feels off:

    1. Stop and do not click links, open attachments, share an MFA code or send funds.
    2. Verify out-of-band that you are communicating with a trusted party on a legitimate transaction or issue - use a known phone number or find a trusted phone number via an internet search.  Do not trust the contact information provided in the communication that seems suspicious.
    3. Report suspicious messages right away so we can block them and protect others.

    All of these scams and reminders apply as much to you and your families personally as they do professionally.  Thank you in advance for staying focused and alert to keep everyone safe from fraud.



    ------------------------------
    Thomas Cronkright Esq.
    CEO
    Sun Title Agency of Michigan, LLC
    Grand Rapids MI
    +1 (616) 317-4221
    ------------------------------
    ALTA Marketplace


  • 2.  RE: Email to employees regarding token hijacking and AI-enabled spoofing

    Posted 09-04-2025 08:30

    Thanks Tom.  As always, all good reminders.  



    ------------------------------
    Ellen Albrecht NTP
    Senior Underwriter
    Security 1st Title LLC
    Wichita KS
    +1 (316) 267-8371
    ------------------------------