Cyber criminals have targeted the property sector – but are gearing up for the rest of us
A new scam has triggered alarm bells for the property industry, but all businesses should heed the warning, writes Fran Lawrence.
The property sector is the latest to come under fire from organised cyber criminals, with a new warning that real estate agents could be at heightened risk.
The Australian Cyber Security Centre (ACSC) has urged the industry to be on guard after detecting a growing trend of cyber criminals trying to compromise corporate emails — what is known as a business email compromise (BEC) scam.
Under the scam, criminals impersonate parties in a property transaction — such as a real estate agent, conveyancer or party to the sale — and insert illegitimate bank details to intercept settlement or rental payments.
Not only are payments successfully being diverted, the ACSC says, but the interception may go unnoticed for weeks until someone thinks to follow up on a missing amount.
The property sector makes for a prime target given the amount of money moving around, the number of parties in any transaction, and the relatively swift and clear processes that accompany a sale.
But the tricks being honed now will shortly be turned to the rest of the business world, given there are few industries as lucrative and comparatively risk-free as cybercrime.
So what is the immediate threat?
The key to a BEC scam is the ease with which a business email can be compromised.
Despite a decade of telling people to use a different password for each service, to add two-factor authentication, or at least to confirm a log-in when their mail provider flags something odd, an extraordinary number of us just don't care.
Losing, forgetting, repeating and resetting passwords is part of the normal cycle of work online, so who has time to compose something more creative than Password123?
Of course, the person doing the hacking probably won't be the one doing the theft. They will already have pocketed their cut by selling your login online for a fraction of a cent (you are worth a little more if your password unlocks your corporate email).
If a genuine party's email account can't be compromised, it's almost as simple to fake one: registering domain names that resemble a legitimate company's, swapping letters or adding extra characters.
A legitimate-looking email address will usually get past a busy employee.
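As an added example (not code from the article, the ACSC or the author), the check below flags sender domains that differ from the domains you already trust by a swapped or dropped letter, a look-alike character sequence such as "rn" for "m", a trusted name buried inside a longer attacker-registered domain, or a non-ASCII (punycode) label. The trusted domains and sample sender addresses are constructed, hypothetical names.

```python
"""Flag sender domains that imitate a trusted party's domain.

Added example for this article, not code from the ACSC or the author. The trusted
domains and sender addresses are constructed, hypothetical names.
"""
import re

# Domains of the parties you genuinely deal with (constructed examples).
TRUSTED_DOMAINS = {"smithconveyancing.com.au", "harbourrealty.com.au"}

# Character sequences that render almost identically in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case and fold look-alike sequences so 'srnith' compares equal to 'smith'."""
    d = domain.lower().rstrip(".")
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Name <user@domain>' or a bare 'user@domain'."""
    match = re.search(r"@([^\s@<>]+)>?\s*$", address.strip())
    if not match:
        raise ValueError(f"no domain in sender address: {address!r}")
    return match.group(1).lower().rstrip(".")


def assess(address: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Classify a sender as 'trusted', 'unknown', or a 'lookalike: ...' reason."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    # Non-ASCII letters or punycode (xn--) labels can hide Unicode look-alikes.
    if not domain.isascii() or any(label.startswith("xn--") for label in domain.split(".")):
        return "lookalike: internationalised domain name"
    norm = normalize(domain)
    for t in sorted(trusted):
        if norm == normalize(t):
            return f"lookalike: homoglyph of {t}"
        edits = levenshtein(domain, t)
        if edits <= max_edits:
            return f"lookalike: within {edits} edit(s) of {t}"
        brand = t.split(".")[0]  # the company name, e.g. 'harbourrealty'
        if brand in domain:
            return f"lookalike: contains the trusted name {brand}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, as a mail client would display them.
    samples = [
        "Settlements <settlements@smithconveyancing.com.au>",
        "settlements@smithconveyancing.co.au",
        "accounts@srnithconveyancing.com.au",
        "admin@harbourrealty-settlements.com",
        "settlements@xn--smithconveyancing-test.com.au",
        "unrelated@bigbank.com.au",
    ]
    for sender in samples:
        print(f"{sender!r}: {assess(sender)}")
```

The verdicts are heuristics, not proof: "unknown" means only that the domain resembles none of your trusted list, and any "lookalike" result is a cue to verify the request out of band rather than to reply. The folding in `normalize` is deliberately coarse (a legitimate domain containing "1" is folded too), so tune `HOMOGLYPHS` and `max_edits` to the domains you actually deal with.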
Conveyancing lawyers and mortgage lenders are the prime targets of these attacks, because impersonating them puts the criminal in the shoes of someone dealing directly with the transfer of funds.
They might also pretend to be a property seller and request that bank details be updated in PEXA, the Property Exchange Australia settlement platform that is supposed to stop diversion of funds.
If the wrong account details are entered, the wrong account gets paid.
What should you do to reduce your risk?
The ACSC urges everyone to be alert to the financial risk and the incredible ease of stealing and scamming money online. It’s a call to vigilance, particularly when you are sending significant sums to an account you don’t own.
If you or your organisation play any part in a property transaction, the ACSC recommends you:
- Verify payment details: If any party notifies you that they have updated their bank details, take extreme care to confirm the change by calling the sender on a phone number you already hold on file (not one given in the email) or by meeting them face-to-face before transferring any funds.
- Training and awareness: Ensure staff are trained to identify suspicious emails, including requests to change bank account details or emails linking to fake websites. The latter may be a phishing attack which could capture passwords and compromise account security.
- Secure your email account: Knowing cybercriminals will attempt to access systems through compromised passwords, it is recommended that individuals and businesses use strong pass-phrases and enable or implement multi-factor authentication on email accounts to help prevent unauthorised access.
But what about the rest of us?
The property sector might be the target of the day, but all Australian businesses are at risk.
Not only can BEC attacks see the diversion of funds, but they can trigger a data breach with customer data released into the wild or open the door for other kinds of attacks like malware.
IBM estimates that just 4% of data breaches in the past year were caused by business email compromise (compared to 20% for compromised credentials and a similar proportion for phishing).
But the cost to companies in its survey of a BEC attack was huge given it hands over the keys to the kingdom — an average total cost at $3.5 million.
The FBI calls the threat 64 times worse than ransomware, which tends to dominate the headlines, while the Australian Federal Police says nearly $80 million was stolen from Australian accounts in just the past year.
And yet, compared to the millions that need to be invested in securing other parts of the corporate cyber environment, they are relatively straightforward to prevent.
Using multifactor authentication is the very best way to secure your employee identities, combining a password with a physical token or adding in biometric proof.
If you must rely on passwords alone, make a password manager that generates and stores them part of your process.
And above all else, encourage a culture where your team are on the lookout for questionable emails, know the red flags to spot, and know how to share and act on their concerns with the rest of your team. If you get this one wrong, the financial and reputational cost to your business — and your clients — could be crippling.
With more than 20 years’ experience in media and communications, Fran is our property specialist and a skilled writer and a highly effective communicator with a proven ability to add value for clients across a range of sectors, including construction, finance, professional services and education.