Cyber Risk Management

Given the amount of money and sensitive information being exchanged in the sale or purchase of a home, the conveyancing industry is one of the most targeted areas of electronic crime or fraud, sometimes termed cyber-crime.

 

As a conveyancer you should be aware of the cyber threats in the industry, how you can safeguard against them and what you can do to ensure a secure process when transacting with clients, banks and other parties.

Please refer to the following links for further information: 

 

Leaders Forum: AIC VIC says cybersecurity immediate focus for conveyancers – triSearch

Professional Duties and Email Security for Conveyancers 31.07.2019

Professional Duties and Email Security for Conveyancers – Australian Institute of Conveyancers – NSW Division Limited (aicnsw.com.au)

AICNSW Cyber Triage Service: A Case Study 27.10.2022

 
Case Study – September 2022

 

Incident background

An AIC NSW Member (the Member) experienced a phishing incident in which an unknown caller (the Threat Actor) claimed to be an Optus contact. (NB: this threat occurred before the recent Optus breach and was unrelated to that event.) The Threat Actor referred to confidential information to validate their identity.

The Member subsequently disclosed their personal information but did not disclose any client information. As soon as the Member became suspicious of the call, they terminated the conversation and called a legitimate Optus contact to verify the call.

Optus confirmed that they did not make the call and had no reason to do so.

 

The Risk

The risk in providing personal information to a stranger is that the Threat Actor could have obtained further access to the Member’s mailbox. Further, given that the Member’s mailbox contained client data and personal information, there was a risk of the Threat Actor viewing and / or misusing the data contained in the mailbox to cause harm to an individual (i.e. commit identity theft or financial fraud).

From our experience, threat actors typically gain unauthorised access to mailboxes in several ways, including social engineering (tricking someone into believing they are legitimate), with the primary objective of misdirecting funds or committing financial fraud. There is often a secondary objective at play, including retaining copies of emails for future phishing, or retaining personal information for financial gain.

 

Incident response process

The Insured contacted Clyde & Co’s Incident Response team to assist further. Clyde & Co is a law firm, but they aren’t your traditional lawyers.  Their cyber incident response team is focused on one mission: facing down cyber risk. AIC NSW is in partnership with Clyde & Co to provide a free 2-hour triage service to its members.

 

Hidden cybersecurity risks in the property market – what should Members look out for?

While many types of cyber trends can occur, proactively training employees against phishing scams / links (aimed at harvesting log-in credentials) significantly reduces the likelihood of business email compromise (BEC) and subsequent misdirected funds incidents.

The real estate industry and its conveyancers play a central role in transacting property transfers and handling funds, with mailboxes likely storing high-risk data (personal and / or client information).

This makes members prime targets for cyber criminals and increases the need to be particularly vigilant of any phishing scams or suspicious emails.

 

Please see links to articles for further information on these risks:

 

Business Owner Members: If you suffer a cyber incident, contact the Clyde & Co Cyber Triage Service. Details are provided on AICNSW Clyde & Co Triage Service.
 
Scam email warning

The following scam email warning was issued by AIC NSW this year:

“Members are warned to treat a seemingly innocent email enquiry from Antonia Fodor <afodor@phiillps com > with caution.

Firstly, if you look carefully at the email domain you will see that “phillips” is spelt “phiillps” (two i’s followed by two l’s) – not to mention that the content just doesn’t make sense.

There is no attachment or link, but it is likely that the email is the first of many intended to lull the practitioner into a false sense of security leading to an email with attachment or link (so that the practitioner downloads viruses onto its system).”

 
Phishing email warning

The following scam email warning was issued by AIC NSW last year:

We have received a couple of calls about an email from one Matthew (Matt) Reynolds who, with his wife Anna, are first home buyers and will be purchasing a property for cash but to be put in his name only. 

Sound normal? 

Well yes, possibly, except although Matt gives a mobile number, he never answers his phone, never returns calls and doesn’t respond directly to emails to answer any questions asked. 

Further, the street address does not appear to exist (at least not in NSW) and Matt’s email address appears to be from a real estate agency in Victoria.

The clincher of course is that the follow up email contains a link, purportedly to an “executed contract with pest and building report inclusive”. 

There is also a note (in red) that Attachment is sensitive and cannot be shared over a non-encrypted server.  Please follow login instructions as the document is secured and designed to ensure it is only accessible by the right person.

 
If you receive or have received an email from “Matthew (Matt) Reynolds” please delete it off your system thoroughly and as soon as possible.  27.10.2022