Are you safe from cyber fraud?: Settlement Industry Bulletin Issue 82

4 September 2018

Are you safe from cyber fraud?

Cybercrime is in the spotlight in Australia and you would have likely heard about some attacks recently. Malicious software and fraud attempts are a persistent problem for businesses of all kinds, especially for those that handle large amounts of money such as the settlement industry. Staying one step ahead of scammers online might seem like a daunting task, but you don’t need to be an IT expert. The tips in this article can serve as a starting point for developing a robust office policy and culture around cybersecurity issues.

Scammers use email to trick people into handing over information or downloading malicious code through a dodgy link or attachment. A deceptive or malicious email is often the first step in a more sophisticated scam.
Case study: man-in-the-middle fraud
In September 2017, a settlement agency was the target of two simultaneous man-in-the-middle fraud attacks by email. This is where a scammer deceives two parties that they are communicating with each other, when in fact, they are both communicating with the scammer.

In the first incident, a scammer impersonating the licensee of the settlement agency sent an email to a man who was acting on behalf of his mother in the purchase of a property. The perpetrator attempted to persuade the man into paying settlement funds in excess of $500,000 to a third party account instead of the settlement agent’s trust account.

In the second incident, a scammer impersonating a mortgage broker sent the licensee an email providing false third party bank account details. Settlement fees were then deposited into the third party account.

Email is so common and convenient that it is easy to get complacent about the security risks involved. However, there are some simple steps you can take to help manage the risk:

Use a business grade, hosted email service that includes quality filtering to block dangerous emails, spam, phishing and malicious content or attachments.

When responding to emails, use the forward button instead of reply, and manually type or select the address from your address book. This will help you make sure you're communicating with the right person.

If an attachment comes in an unusual format like .zip or the email asks you follow a link to file hosting site, this should be a red flag. If the apparent sender is known to you, call them and double check.

Delete generic spam immediately.

If you receive an email that seems fishy, you can report it by sending an email to wascamnet@demirs.wa.gov.au with the suspicious email attached.

Regularly check sent and deleted items folders for any unusual activity. This can help you to detect if an account has been compromised.

Security policies and culture

To manage IT risks over the long term, it is important for businesses of any size to have a robust set of security policies in place. As settlement is a high risk industry, it is recommended that staff have regular training on cyber security and fraud prevention. You may also consider having your system security reviewed by a reputable IT security firm.

It is also important to develop a security conscious office culture. This is an office culture that values and prioritises security over convenience, and one in which all staff are trained and encouraged to identify and navigate security risks in daily practice

PEXA security tips

Make sure each staff member uses their own individual account. Do not share passwords.
Verbally confirm bank account details with clients.
Double check payment details entered on the workspace before signing off and locking it, especially bank account details. Do not assume the details will be the same as when you entered them.
If your password stops working, do not simply reset the password. Contact PEXA and ask them to check the account and whether any changes to uses and passwords have been made. Also check any pending settlements for unauthorised changes.

More tips for best practice

Don't reuse passwords across multiple accounts.
Keep your business and personal life on separate devices as much as possible.
Don't give family members the password to access your computer, phone or other device that you use for work.
Avoid sending financial details and other sensitive information by email. Encourage your clients to do the same.
Don't think that you are not a target. Everyone is a potential target of scammers and cybercrime.

Deadline approaches for audit reports, statutory declarations

Settlement agents must have a yearly audit of trust accounts conducted by an approved auditor and lodge the audit report with the Commissioner for Consumer Protection. If an agent has not held or received any trust funds during the year, the agent can instead lodge a statutory declaration to this effect.

The deadline for audit reports and statutory declarations to be lodged with the Commissioner is 30 September of each year.

For more information, see Consumer Protection’s Trust account handbook for settlement agents.