Go Phish

With a number of states moving to e-conveyancing, recent incidents of fraud are putting a spotlight on cyber security for settlement agents.

With state governments in Western Australia, Victoria and New South Wales all moving to mandatory e-conveyancing and Australia converting from the Torrens title paper system to electronic certificates, the recent hacking of the PEXA platform set alarm bells ringing.

The fact is, organisations which act as agents for people and businesses in large financial transactions, such as solicitors, conveyancers and accountants, are lucrative targets for cybercriminals.

When former MasterChef contestant Danni Venn lost $250,000 from the proceeds of the sale of her home, as funds were misdirected into a hacker’s account, the story made national headlines – and called into question the security of the Property Exchange Australia (PEXA) platform, making property owners and conveyancers very nervous.

PEXA is Australia’s first e-conveyancing platform, allowing lawyers, conveyancers and financial institutions to lodge documents with land registries and complete financial settlements online. Owners of PEXA include the governments of New South Wales, Victoria, Queensland and Western Australia, the big four banks and Macquarie Group.

The breach occurred when hackers were able to access the email account of the conveyancer used by Ms Venn and use that account to reset the PEXA security information and add themselves to the PEXA account.

“The party intercepted a change-in-password email sent from the PEXA platform to the subscriber, which in turn allowed this person to access the subscriber’s PEXA account”, said PEXA’s Acting CEO James Ruddock.

Ms Venn’s funds were only misdirected because her conveyancer confirmed false bank account details on the PEXA system, using his digital key and password, advised PEXA.

“The PEXA platform was not compromised – practitioners’ email accounts were compromised,” explained Mr Ruddock, noting that PEXA was not responsible for the loss of funds and saying it was up to conveyancers to check that settlement details were correct before digitally signing an electronic transaction.

“Any payment instruction requires you to digitally sign (or re-sign) the financial settlement schedule confirming the account details that you have entered, allowing settlement to proceed,” he advised users. (The bank involved also denied any liability for the loss.)

Just a few weeks after the Venn incident, a Sydney couple in their 90s saw the $672,000 in proceeds from the sale of their home diverted into three different bank accounts by fraudsters who hacked the emails of their estate agent and conveyancers.

PEXA has introduced further security to protect against this type of fraud happening again (there have been other incidents where unknown parties have gained access to practitioner email accounts, and settlement agents/conveyancers in several states have raised concerns about ‘near misses’). Even so, these incidents serve as a reminder of the need for good cyber security processes amongst real estate professionals.

These cyber frauds took place because the email accounts of the businesses were hijacked. Conveyancing is susceptible to email fraud and intercepted payments, and most cases of this type of fraud appear to rely on compromising an email account. Deloitte Australia has noted that there have been “a number of fraud cases [in recent years] where scammers have intercepted emails between conveyancers and vendors in order to redirect sale funds or sell a property without the vendor being aware”.

Business email compromise (BEC) is a form of email fraud that uses a variety of ways to trick people into sending money or valuable information. One form of BEC is ‘phishing’, where hackers craft specially designed emails with hyperlinks pointing to a password-stealing fake log-in page, or with a malicious file attachment that, when opened, allows the cybercriminals to gain access to the system.

So what can you do to limit the risk of falling victim to BEC attacks?

  • Use multifactor authentication for any release of sensitive data or funds. PEXA has undertaken to introduce two-factor authentication. If the conveyancer had enabled this level of security on his email it would have been much harder for the criminals to use the password reset trick.
  • Install anti-spam, anti-virus, anti-phishing, DNS-based web browsing protection and malware detection. Implement software that detects advanced and evasive keylogging and other BEC malware.
  • Confirm any request for payments, transfers etc. directly with the requester and double-check bank account details. Ruddock said “verbally confirming bank account details with clients” was one way that PEXA users could reduce their risk.
  • Use email authentication such as Domain-based Message Authentication, Reporting and Conformance (DMARC), which ensures that legitimate emails are properly authenticated against the established DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) standards, and that fraudulent activity spoofing domains under your business’s control is blocked.
  • Use an email security solution that can flag certain keywords that are commonly used in BEC attacks, such as “payment” (found in 30 per cent of BEC attacks), “urgent” (21 per cent) or “request” (21 per cent).
  • Analyse the content and context of email messages – subject lines, body copy, sender and receiver reputations and relationship history – to validate the message.
  • Train employees to recognise phishing emails and scams. Remind those paying accounts or transferring money that account credentials and passwords should never be provided by email and should always be entered directly inside bank apps or internet banking websites. Make sure your employees regularly change their passwords and use best practice for strong passwords.
  • Increase security. Ensure those handling money do not use wireless keyboards or transact using public wireless networks (“free Wi-Fi”). Secure your wireless network (change the default password on your Wi-Fi router and hide the Service Set Identifier). Always install the security updates/patches on all devices. Encrypt all inbound and outbound data.
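
The email authentication, keyword and context checks listed above can be combined into one triage step. The following is an added example, not code from this article or from PEXA: it reads the DMARC verdict stamped by the receiving mail server, compares the Reply-To domain with the sender's domain, and looks for the keywords quoted above. The server name `mx.example.net`, the reason labels and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BEC_KEYWORDS = ("payment", "urgent", "request")  # keywords cited in the article
TRUSTED_AUTHSERV = "mx.example.net"  # assumption: your own receiving mail server
# Constructed sample messages (not real mail).
SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail; dmarc=fail header.from=example.com
From: "Settlement Agent" <agent@example.com>
Reply-To: agent@example.org
Subject: Urgent: updated bank details

Please send the payment to the new account today.
"""
CLEAN = """\
Authentication-Results: mx.example.net; spf=pass; dmarc=pass header.from=example.com
From: agent@example.com
Subject: Settlement booked for Friday

Documents are lodged and ready for signing.
"""

def domain_of(value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def dmarc_verdict(msg):
    """DMARC result stamped by the trusted server; any other copy may be forged."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        found = re.search(r"\bdmarc=(\w+)", results, re.I)
        if authserv.strip().lower() == TRUSTED_AUTHSERV and found:
            return found.group(1).lower()
    return None

def bec_signals(raw):
    """Sorted list of reasons the message should be verified before acting on it."""
    msg = message_from_string(raw)
    verdict = dmarc_verdict(msg)
    reasons = [] if verdict == "pass" else ["dmarc-" + (verdict or "missing")]
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != domain_of(msg.get("From")):
        reasons.append("reply-to-mismatch")  # replies leave the sender's domain
    body = " ".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons += ["keyword:" + k for k in BEC_KEYWORDS if re.search(rf"\b{k}\b", text)]
    return sorted(reasons)

print(bec_signals(SPOOFED), bec_signals(CLEAN))
```

A keyword hit on its own is weak evidence, so treat these reasons as a prompt to confirm bank details by phone rather than as a verdict. Bodies sent with base64 or quoted-printable encoding would need decoding before the keyword check.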

From an insurance perspective
Real estate transfers are high-value transactions and significant monetary losses can result from cyber breaches.

Settlement agents and solicitors acting as conveyancers may not be able to rely on their Professional Indemnity insurance to cover losses stemming from cyber-crimes. The best course of action is to speak to your broker about Cyber Liability insurance and business continuity planning.
