Conveyancing Money Transfer System hacked
I have received phone calls and emails from several law firms following the interception and illegal transfer of clients’ money (I understand there have been at least two incidents). Thieves have managed to hack into the software system PEXA (Property Exchange Australia), the nation’s new online property transfer system. The fraudsters gained access via the conveyancer’s email account, and diverted the money into their bank account.
With property prices the way they are, this can result in a significant monetary loss to the purchasers, not forgetting the unbelievable stress this causes the victims and the conveyancing firms.
The question put to me is whether the conveyancer’s professional indemnity insurance is going to cover the loss. Without reading the actual policies, my first reaction has been: I doubt it. While I set about reading the policies today, I have suggested that the firms speak to their broker about cyber insurance.
Meanwhile, there is now talk that PEXA should have the same type of guarantee in place to protect users and their clients’ money in cases of proved cyber fraud/hacking as the major big banks do. As I understand it, PEXA is owned by the governments of NSW, Victoria, Queensland and Western Australia, the big four banks, the Macquarie Group, Link Group and a Melbourne-based individual.
If, as has been mooted, this system of e-conveyancing becomes compulsory for all property settlements as of October in Victoria and WA and as soon as 1 July for NSW, then if you are buying or selling a property you will not have a choice but to use this platform. Therefore, with such large sums of money being transferred, it does seem obvious that the system will have a huge bullseye on it as a target for cyber criminals.
From the news reports it appears that what the cyber fraudsters did in at least one of the instances was a two-step process. The first step would have been to hijack the business email of the conveyancer.
Hackers took over business mailboxes by crafting a specially designed email with a hyperlink pointing to a password-stealing fake login page, or a malicious file attachment. The attacker emails the victim in a variety of ways to try to trick them into clicking the link. I am sure just about everyone has now received at least one of those emails. I get them virtually on a daily basis.
Once the victim clicks the link and enters their login details on the fake page, or opens the malicious attachment, the email password is in the hacker’s hands. This technique is known as phishing.
What is not clear is whether the real conveyancer had a chance to verify that the recipient’s name and bank account details were correct and failed to do this step correctly.
As I have repeatedly warned in my posts, cyber crime is one of the biggest risks facing businesses and individuals in Australia today. The research firm Frost & Sullivan, which was commissioned by Microsoft, found that more than half (55%) of organisations in Australia have experienced at least one cyber security incident in the past five months.
The report revealed that the potential direct economic loss of cyber security incidents on Australian businesses could possibly hit a staggering AUD29 billion per year, the equivalent of almost 2% (1.9%) of Australia’s GDP. This amount is based on tangible losses in revenue, decreased profitability and fines, lawsuits and remediation. It does not factor into the equation the reputational damage that also arises.
To put this into perspective, this is around the same amount as the Insurance Industry pays out in general insurance claims (all classes) in a non-catastrophe year.
The same study suggests that the potential economic loss across Asia Pacific due to cyber security breaches could reach a staggering USD1.745 trillion — more than 7% of the region’s total GDP of USD24.33 trillion.
So, what are the lessons we can draw from this?
- Review your cyber security systems and training. My belief is that losses are more often caused by human error than by a failing of the security system.
- The best advice is, if you do not have the expertise in-house, consult an expert as you would for physical security.
- In the meantime, you should look at conducting regular checks to ensure there are no key loggers on any computer.
- Ensure that those handling money do not use wireless keyboards. Some equipment can pick up the signals from up to 15 meters away.
- Think before you click anything.
- Make sure people change their passwords regularly.
- Speak to your insurance broker about cyber insurance and business continuity planning.