How To Prevent Payment Redirection Fraud At Your Conveyancing Practice
Posted: Monday, Aug 02


From KBI

Enforcing Two-factor Authentication (2FA) on your email service is a robust security measure that can prevent payment redirection fraud. In the following article, we demonstrate how you can enable this powerful security feature on your corporate email accounts hosted on Office 365 or G Suite. By making this simple change, you can reduce the chances of your conveyancing firm or your clients becoming a victim of cyber fraud.

What Is Two-Factor Authentication (2FA) and Why Do You Need It?

You may have read about the highly publicised PEXA conveyancing fraud, whereby a Melbourne family was left homeless. As it transpired, the family's conveyancer had their email hijacked by a cybercriminal. This led to the conveyancer's PEXA account being compromised and ultimately to the theft of $250,000 when the criminal redirected the settlement funds. Although the funds were eventually recovered, the damage to the conveyancer's practice is permanent. The conveyancer's business name is now associated with the fraud in Google search results due to the large-scale media coverage.

The recent conveyancing scandal is nothing new to cybersecurity experts. This cyber attack belongs to a well-known class of cybercrime known as BEC (Business Email Compromise), whereby cybercriminals hijack corporate email accounts (typically by phishing) and then commit fraud by changing the payment instructions in emails sent between either:

  • a client and the conveyancer; or
  • the conveyancer and a supplier.

The good news is that you can protect your firm from similar attacks by enabling Two-factor Authentication (2FA). This simple, yet effective change makes it more difficult for cybercriminals to commit payment misdirection fraud against your conveyancing practice. The recent statement of the Office of the Registrar General also recommends that legal practices implement a handful of security measures, including 2FA. PEXA will also be implementing some new security measures on its platform, which include 2FA.

The following configuration guide is written with conveyancing practices in mind. It provides you (or your IT staff or your IT service provider) an illustrated step-by-step guide on how to enable 2FA for Office 365 or G Suite.

Enabling Two-Factor Authentication on Office 365

To enable SMS-based Two-Factor Authentication on your Office 365 tenant, you must be an Office 365 Global Administrator. If you are not, ask your IT staff or IT service provider to perform these steps for you.

Log in to the Office 365 Admin center at https://portal.office.com/

Click on the Active users label.

Choose More > Setup Azure multi-factor auth. If you don't see the More option, then you are not a global admin.

A new browser tab should open listing all of your Office 365 users associated with your subscription. Select the checkbox next to the people for whom you want to enable Two-Factor Authentication.

On the right-hand side under the quick steps section, click on Enable.

Acknowledge the pop-up information box. A second pop-up should inform you that Two-Factor Authentication is now enabled for the chosen user account.

Done! The associated users can now enrol their mobile phone upon the next login to Outlook Web Access (OWA).

For a user to enrol in 2FA for email, they must log out first and then log back into Outlook Web Access at https://outlook.office365.com/owa/
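For practices whose IT staff prefer a script to clicking through the admin portal, the following is an added example (not code from the original article) that performs the same per-user enable step with Microsoft's legacy MSOnline PowerShell module and then lists every account that still has no MFA requirement, which is the check an administrator wants before declaring the job done. It assumes the MSOnline module is installed, that you sign in as a Global Administrator, and that the user principal names are replaced with your own; Microsoft has since deprecated MSOnline and per-user MFA in favour of Conditional Access, so check current Microsoft guidance before relying on it.

```powershell
# Added example, not from the original article. Scripted equivalent of the
# "Setup Azure multi-factor auth" > Enable clicks above, using the legacy
# MSOnline module (Install-Module MSOnline). Microsoft has deprecated this
# module; it is shown here because it matches the portal steps in the article.

# Constructed list of accounts to protect (assumption: replace with your own staff).
$usersToProtect = @(
    'conveyancer@example.com.au',
    'reception@example.com.au'
)

# Interactive sign-in; the account used must be a Global Administrator.
Connect-MsolService

# Per-user MFA is expressed as a StrongAuthenticationRequirement whose State is
# "Enabled" (the user is prompted to enrol a phone at their next sign-in, exactly
# as the portal's Enable button does). "Enforced" would skip the grace period.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'

foreach ($upn in $usersToProtect) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    Write-Host "Per-user MFA enabled for $upn"
}

# Verification: every account in the tenant with no MFA requirement at all.
# Anything listed here is still protected by a password alone and remains
# exposed to the phishing-led account takeover described in the article.
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, IsLicensed, BlockCredential |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

Run the verification pipeline again after a week to confirm that shared or service mailboxes were not missed in the initial selection.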

This Is How Your Employees Can Enrol in 2FA

Log in with your username as usual.

A new prompt should inform you that your Office 365 account must now be enrolled in 2FA. Click on Next. Choose Authentication phone as the 2FA method and enter your phone number. Choose Send me a copy by text message to receive the verification code. Click Next.

Enter the six-digit code you just received in a text message.

Save the app password that is now displayed on the screen to a secure location, such as a password wallet. If you use Microsoft Outlook, Apple Mail or another third-party email application, you have to use this app password instead of your normal password to log in from those applications from now on.

When you log into Outlook Web Access again, you will be prompted for the six-digit code. Just enter the code from the text message and you are set.

To keep these additional security prompts to a minimum, click Yes to stay signed in.

Congratulations, your user account is now enrolled in 2FA!

Should you need more help with setting up Two-Factor Authentication, please refer to the relevant tech support article at Microsoft.

Enabling Two-Factor Authentication on G Suite

Visit your Google Admin Console at admin.google.com and click on Security.

Under Security, expand the Basic settings section.

Scroll down and tick the box next to Allow users to turn on 2-step verification.

Then click on Go to advanced settings to enforce 2-step verification ›› to open the advanced security settings.

Under the Enforcement section, click on Turn on enforcement from date and pick a date in the near future from which 2FA will be enforced at your business.

New G Suite users should have either one day or one week of grace period before they get locked out for not enrolling in 2FA. Pick 1 day or 1 week under the New user enforcement period. The Allowed 2-step verification methods setting should be left on Any.

Click Save.

Congratulations! Two-factor authentication is now enabled on your G Suite accounts. All your users have to do is log back in again and enrol their mobile phones to receive the six-digit codes.
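Between the day you save the setting and the enforcement date, the question an administrator needs answered is who has actually enrolled yet. The following is an added example (not code from the original article or from Google) that answers it by reading each user's 2-step verification status from the Directory API with PowerShell. It assumes you have already obtained, out of band, an OAuth 2.0 access token for an admin account with the admin.directory.user.readonly scope and placed it in $accessToken; the placeholder value must be replaced.

```powershell
# Added example, not from the original article. Reports which G Suite users
# have not yet enrolled in 2-step verification so they can be chased before
# the enforcement date you set above locks them out.
# Assumption: $accessToken holds a valid OAuth 2.0 bearer token for an admin
# with the https://www.googleapis.com/auth/admin.directory.user.readonly scope.
$accessToken = '<ACCESS-TOKEN-PLACEHOLDER>'
$headers = @{ Authorization = "Bearer $accessToken" }

# Directory API users.list; "my_customer" is Google's alias for the signed-in
# admin's own organisation. Only the fields the report needs are requested.
$baseUri = 'https://admin.googleapis.com/admin/directory/v1/users'
$fields  = 'nextPageToken,users(primaryEmail,isEnrolledIn2Sv,isEnforcedIn2Sv,suspended)'

$notEnrolled = @()
$pageToken   = $null
do {
    $uri = "$baseUri?customer=my_customer&maxResults=200&fields=$fields"
    if ($pageToken) { $uri += "&pageToken=$pageToken" }
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get

    foreach ($u in $page.users) {
        # Suspended accounts cannot sign in, so they are not at risk of takeover.
        if ($u.suspended) { continue }
        # isEnrolledIn2Sv is what matters for safety; isEnforcedIn2Sv only
        # says the policy applies to the user, not that they have a phone enrolled.
        if (-not $u.isEnrolledIn2Sv) { $notEnrolled += $u.primaryEmail }
    }
    $pageToken = $page.nextPageToken
} while ($pageToken)

if ($notEnrolled.Count -eq 0) {
    Write-Host 'Every active user has enrolled in 2-step verification.'
} else {
    Write-Host "Users still without 2-step verification ($($notEnrolled.Count)):"
    $notEnrolled | Sort-Object | ForEach-Object { Write-Host "  $_" }
}
```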

This Is How Your Employees Can Enrol in 2FA

The following example demonstrates the steps your employees must take to enrol themselves in 2FA on G Suite.

First of all, they need to log in with their username and password as usual.

Then a new message box should inform your employees that the user account needs to be enrolled in 2FA. Click on Enroll.

Enter your phone number and pick Text message as the security code delivery method.

Now enter the six-digit code that just arrived in a text message.

Click on the Turn on label to finish the setup.

From now on, Google will ask for the six-digit code whenever a login attempt is made from a previously unseen browser or from a new location. If you tick the checkbox next to Don't ask me again on this computer, known web browsers will be asked to re-authenticate with the six-digit code only every 30 days.

Once the correct six-digit code is entered, your employees should be able to continue their work as usual. For more information and support, please refer to the relevant G Suite knowledge-base article.

Conclusion

A growing number of cybercriminals are targeting the conveyancing profession with cyber attacks such as payment redirection fraud. These cybercriminals are more likely to scam practitioners with poor cybersecurity practices. To commit payment redirection fraud, criminals first hijack corporate email accounts by phishing and other methods, and then use those accounts to tamper with payment instructions sent to or received from others. Conveyancers without 2FA protecting their email accounts are low-hanging fruit and may become victims of fraud. By applying simple changes like turning on 2FA on your email platform, you can reduce the chances of your conveyancing business becoming a target.

Gabor Szathmari is a cybersecurity expert with over ten years' experience, having worked in both the private and public sectors. He has helped numerous big-name clients with data breach investigations and security incident management. In his professional life, Gabor helps businesses, including many small and mid-size legal practices, improve their cybersecurity at Iron Bastion.

This article was first published in the AICNSW Weekly News Alert and the Iron Bastion Security Blog. The article was co-written with Nicholas Kavadias.
