Recent media reports of fraud against conveyancing practices suggest that professionals should be taking measures to protect their businesses from cyber attacks. Cybercriminals primarily rely on an email-based attack known as phishing to help commit payment redirection fraud. A recent Telstra Security Report found that the most common cybersecurity threat in Australia is phishing, with reports of phishing attacks increasing by 1,178% in 2017 over the previous year.
In this article, we explain how cybercriminals operate, and what you can do to prevent your conveyancing practice from becoming a victim of payment redirection fraud.
How Cyber Crime Affects Conveyancing Practices
A cyber attack can mean you are defrauded, have your data held to ransom, have your and your clients’ confidential information stolen and sold on the dark web, or have all of your emails and documents maliciously deleted, permanently encrypted, or made public.
The immediate damage of a cyber attack to your conveyancing practice includes:
- hackers misdirecting trust money or settlement funds;
- hackers impersonating you and your practice to your clients and emailing them fake invoices, or fake payment directions;
- interruptions to your business operations;
- unexpected expenses related to remediation of your systems, such as hiring highly paid security consultants, performing expensive data recovery, or repairing/replacing systems post-breach; and
- obligations under the Notifiable Data Breaches (NDB) Scheme legislation, meaning data breaches may need to be reported publicly, or you may be fined for failing to comply with NDB obligations.
The long-term damage from a cyber attack includes:
- the loss of your practice’s reputation;
- the loss of existing and future clients;
- unwanted media attention; and
- legal action against you from your clients for professional negligence and other lawsuits.
How Phishing Works and Why It Is a Major Threat
Phishing is a cyber attack typically carried out over email. Cybercriminals pretend to be a legitimate online service, client, friend or colleague in order to trick their victims into clicking a link or attachment or giving away their password, or to ask them for money.
Victims of phishing may unwittingly open file attachments containing malware, viruses or ransomware, hand over their passwords to fake websites which look genuine, or transfer money to fraudsters, believing that someone they know and trust has asked them to do so. Industry reports show that 4% of people on average will always click on links in a phishing email. Any interaction with a phishing email may enable the attacker to steal sensitive information from your practice such as your clients’ records, confidential files and your passwords.
The stolen information often ends up on the dark web, typically sold for a few dollars per record. In addition to data theft, cyber-criminals will gain access to your emails and may attempt to impersonate you or your employees. They can then tamper with email payment directions so that payments either to or from your practice go to the fraudster instead.
Why Phishing Works
While email is an essential communication channel for conveyancing practices, the vast majority of phishing attacks also arrive in emails containing malicious hyperlinks and file attachments.
As cyber attacks get more and more sophisticated, the chances are that your staff may overlook the subtle differences between phishing emails and legitimate emails.
Outdated pieces of advice like “never open emails written in poor English” will not protect your practice. If these common-sense anti-phishing tips were genuinely effective, phishing attacks would not have been continuously on the rise since 2006.
It only takes one accidental click by any of your employees to compromise the security of the computers, tablets and smartphones of your entire office, and for your practice to become a victim of fraud.
You may not even be aware it has happened. As Verizon reports, victims of phishing often discover the data breach only years after the initial compromise. Cybercriminals are opportunistic and can sit and wait for a significant transaction to occur that they can redirect.
Protecting Your Conveyancing Practice From Phishing Threats
“Get your mail filtered by an expert third-party security service that’s monitoring for new threats around the clock”, suggests Financial Review columnist, Peter Moon, as a response to the tragic case of a Melbourne-based family who lost their life savings in a cyber attack targeting their conveyancer.
At Iron Bastion we offer services specifically designed to protect your email from phishing threats. Whether your email service runs on Office 365 or G Suite or is self-hosted, our cloud-based anti-phishing services can screen your incoming email messages for phishing attempts, and block suspicious emails before they hit your mailboxes.
Why Outdated Technology Will Not Protect You
Anti-phishing technologies are different from traditional anti-virus software and email anti-spam filtering. Neither built-in spam filters (Office 365, G Suite) nor previous-generation anti-spam services feature advanced anti-phishing techniques. Hence these technologies will leave your practice unprotected from today’s cyber threats.
Modern anti-phishing services feature Machine Learning and Artificial Intelligence (AI) algorithms to identify phishing attempts. They look for specific red flags, such as:
- typical wording and text semantics;
- invalid digital signatures;
- poor sender reputation.
File attachments are also analysed in safe environments for known and unknown threats, and embedded hyperlinks are modified to perform real-time analysis and blocking of malicious URLs when the recipient clicks on them.
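As an added illustration (not Iron Bastion's code or any product's algorithm), the sketch below checks constructed messages for simplified versions of the three red flags listed above. The wording pattern, the KNOWN_DOMAINS list, the mx.practice.example server name and the reading of "invalid digital signatures" as a non-passing DKIM verdict are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, simplified stand-ins for the three red flags; real services use
# trained models and live reputation feeds instead of fixed lists.
PAYMENT_WORDING = re.compile(
    r"\b(new|updated|changed)\s+(bank|account|payment)\s+details\b", re.I)
KNOWN_DOMAINS = {"client.example", "bank.example"}  # hypothetical contacts

def red_flags(raw_message):
    """Return the list of red flags raised by one RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    # 1. Wording: scan every text/plain part for payment-change phrasing.
    body = " ".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    if PAYMENT_WORDING.search(body):
        flags.append("payment_wording")
    # 2. Signature: read DKIM verdicts from Authentication-Results. Only trust
    #    this header when your own receiving mail server added it.
    results = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = re.findall(r"\bdkim=(\w+)", results)
    if verdicts and "pass" not in verdicts:
        flags.append("dkim_not_passing")
    # 3. Reputation stand-in: sender domain is not a known correspondent.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain not in KNOWN_DOMAINS:
        flags.append("unknown_sender_domain")
    return flags

# Constructed sample messages (not real mail).
LEGIT = (
    "From: Settlements <settlements@client.example>\n"
    "Authentication-Results: mx.practice.example; dkim=pass header.d=client.example\n"
    "Subject: Settlement confirmation\n\n"
    "Settlement is booked for Friday as agreed.\n")
SUSPICIOUS = (
    "From: Settlements <settlements@c1ient.example>\n"
    "Authentication-Results: mx.practice.example; dkim=fail header.d=c1ient.example\n"
    "Subject: Updated payment direction\n\n"
    "Please use our new bank details for the settlement funds.\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(name, red_flags(raw))
```

A message that raises any of these flags and also changes payment details is one to confirm by phone, using a number already on file, before funds move.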
This technology is only available in anti-phishing services specifically designed to protect organisations from phishing threats. We suggest you do some research to find out which IT or security service providers offer anti-phishing services for small businesses.
Where to Go Next
We have recently published a series of practical cybersecurity tips with conveyancers in mind. Learn how you can improve your cybersecurity at your conveyancing practice, and help prevent payment redirection fraud by turning on two-factor authentication on your email service. Finally, make sure to complete our simple cybersecurity health assessment to see if your cybersecurity is ready for eConveyancing.
This post first appeared on the Iron Bastion Security Blog – Australia’s anti-phishing experts and was co-written with Nicholas Kavadias.