I have received phone calls and emails from several law firms following the interception and illegal transfer of clients' money (I understand there have been at least two incidents), where thieves have managed to hack into the software system PEXA (Property Exchange Australia), the nation’s new online property transfer system. The fraudsters had gained access via the conveyancer's email account and diverted the money into their bank account.
With property prices the way they are, this can result in a significant monetary loss to the purchasers, not forgetting the unbelievable stress this causes the victims and the conveyancing firms.
The question put to me is whether the solicitor's professional indemnity insurance is going to cover the loss and, without reading the actual policies, my first reaction has been that I doubt it. While I set about reading the policies today, I have suggested to the firms that approached me that they speak to their broker about cyber insurance.
Meanwhile there is now talk that PEXA should have the same type of guarantee in place to protect users and their clients' money in cases of proven cyber fraud/hacking as the major banks do. As I understand it, PEXA is owned by the governments of NSW, Victoria, Queensland and Western Australia, the big four banks, the Macquarie Group, Link Group and a Melbourne-based individual.
If, as has been mooted, this system of e-conveyancing becomes compulsory for all property settlements as of October in Victoria and WA and as soon as 1 July for NSW, then if you are buying or selling a property you will have no choice but to use this platform. With such large sums of money being transferred, it does seem obvious that the system will have a huge bullseye on it as a target for cyber criminals.
From the newspaper reports it appears that what the cyber fraudsters did in at least one of the instances was a two-step process. The first step would have been to hijack the business email of the conveyancer.
Hackers took over business mailboxes by crafting a specially designed email with a hyperlink pointing to a password-stealing fake login page, or a malicious file attachment. The attacker emails the victim in a variety of ways to try to trick them into clicking the link. I am sure just about everyone has now received at least one of those emails. I get them virtually on a daily basis.
Once the victim clicks the link and enters their login details on the fake page, the email password is in the hacker’s hands. This technique is known as phishing.
What is not clear is whether the real conveyancer had a chance to verify that the recipient's name and bank account details were correct and failed to do this step correctly.
As I have repeatedly warned in my posts, cyber crime is one of the biggest risks facing businesses and individuals in Australia today. The research firm Frost & Sullivan, commissioned by Microsoft, found that more than half (55%) of organisations in Australia have experienced at least one cyber security incident in the past five months.
The report revealed that the potential direct economic loss of cyber security incidents on Australian businesses could possibly hit a staggering AUD29 billion per year, the equivalent of almost 2% (1.9%) of Australia’s GDP. This amount is based on tangible losses in revenue, decreased profitability and fines, lawsuits and remediation. It does not factor into the equation the reputational damage that also arises.
To put this into perspective, this is around the same amount as the insurance industry pays out in general insurance claims (all classes) in a non-catastrophe year.
The same study suggests that the potential economic loss across Asia Pacific due to cyber security breaches could reach a staggering USD1.745 trillion — more than 7% of the region’s total GDP of USD24.33 trillion.
So what are the lessons we can draw from this?
· First, review your cyber security systems and training. My belief is that losses are more often caused by human error than by a failing of the security system.
· The best advice is, if you do not have the expertise in-house, to consult an expert as you would for physical security.
· In the meantime, check regularly that there are no keyloggers on any computer.
· Make sure that those handling money do not use wireless keyboards. Some equipment can pick up the signals from up to 15 metres.
· Think before you click anything.
· Make sure people change their passwords regularly.
· Speak to your insurance broker about cyber insurance and business continuity planning.