
Gone in 15 seconds

As the New Payments Platform launches, real estate agents and landlords should be on the alert for cyber fraud.

Financial institutions across Australia have begun rolling out the New Payments Platform (NPP), which will see people sending each other money in ‘real time’. With the introduction of NPP, Australia joins 19 other countries around the globe that offer real-time payments, with the UK, Switzerland, Denmark, Singapore and India leading the way.

Customers of 13 financial institutions – including the big four banks and a number of smaller credit unions and mutuals associated with those banks – can create a ‘PayID’ using their phone number, email or an ABN to quickly transfer money to any bank account in Australia.

But while the $1 billion RBA-managed NPP promises greater convenience for customers and businesses – with transactions between banks and bank accounts to happen almost instantaneously instead of taking up to three days for money to transfer – switching to real-time payments could also see a rise in cyber fraud. The Bank for International Settlements has warned that real-time payments “may be a more attractive target for fraud than traditional retail payments”.

With the instant payment platform (where funds settle instantly), banks will have less time to check for fraudulent transactions and stop those payments that appear suspicious. Instead of taking up to three days to settle, money will move from one bank account to another within 15 seconds, so it can easily be moved into dummy accounts and disappear before victims even know they’ve been taken for a ride.

This was the experience in the UK when the real-time payments platform, Faster Payments, was introduced in 2008. What followed was a series of frauds, with Financial Fraud Action UK reporting online banking fraud jumped 132 per cent the year Faster Payments was introduced. In the first half of 2017 alone, 19,000 victims lost £100 million in scams using the ‘authorised push payments’ (APP) platform.

Under the terms and conditions issued by one of the NPP-participating financial institutions, banks are not liable for losses that are a result of you giving the wrong account information, and once you have given a transfer instruction and it is accepted by your bank, the transfer is irrevocable. This also applies if you were fraudulently induced to make a transfer via the NPP. While your bank might be able to help you recover the monies, the recipient of the funds will have to consent to repay your money – highly unlikely if the account belongs to a fraudster.

Like their counterparts in the UK, the Australian real estate industry may be a target for fraudsters. Given the high value of transactions, a successful fraud is likely to offer a very big pay day.

This was the case for a home buyer in the UK who lost almost £300,000 through an APP scam when she thought she was transferring money to the right account but it was in fact an account controlled by a fraudster.

“Everything had gone very smoothly,” Kate Blakely told the BBC. “Our conveyancing solicitor provided details by email of the bank accounts to make money transfers on the day of completion. We transferred just under £300,000 on the day and within about three hours we realised the money had gone missing. The moment of realising the money hadn’t arrived as intended with the bank account we sent it to, or thought we’d sent it to, was just sheer terror.” Ms Blakely did get all of the money back eventually, but lost thousands in solicitors’ fees.

The NPP has learned from the real-time payment experiences in other countries and has introduced a number of safeguards in the system to lower the risk of fraudulent or accidental payments (such as enabling the sender to confirm the name of the recipient before finalising payment) but it warns that most fraud is the result of “old-fashioned trickery to deceive people into parting with their money”.

The security risks to the NPP are concentrated around the ability of fraudsters to steal login details and break into accounts. As the payments come from an actual bank account, the fraudster would need to obtain the customer’s login credentials so they can log in to internet banking and authorise a payment to a third party. So look out for emails, texts and phone calls trying to wrangle online banking login credentials out of you or trick you into making a payment.

The best way to protect your business is to watch out for scams (particularly phishing emails) and focus on login and password security.

Depending on the circumstances surrounding a loss from fraud or an incorrect transfer of funds (including the extent to which you or an employee were culpable), you may have some protection through a Cyber Liability or Professional Indemnity policy. But the best course of action is to be vigilant when it comes to money transfers.