Law Mutual (WA) Risk Alert: Is Email the 'Weakest Link'?

Law Mutual Risk Alert
Is Email the 'Weakest Link'?

Law Mutual (WA) has recently received a number of claims and notifications relating to instances of email-based fraud. In addition, PEXA has been in the news in relation to issues associated with its e-conveyancing system. We strongly recommend that practitioners consider the information and ensure they are responding to the risk of fraud via email.

Case Study One – Solicitor’s Trust Account Scammed

A Perth solicitor’s trust account was recently scammed by fraudsters posing as beneficiaries of a deceased estate.

The solicitor, who was also executor of the estate, sent documents by post to the beneficiaries of the estate. The documents included a trust statement which the beneficiaries were asked to sign and return. The letter asked the beneficiaries to provide their bank account details if they wished their inheritance to be electronically transferred.

It appears that one of the beneficiaries’ email account was hacked. The solicitor received an email, apparently from one of the beneficiaries, which provided the trust statement signed by both beneficiaries, a marriage certificate proving a change of name and the purported bank account details of one of the beneficiaries.

The only evidence that the email was not authentic was a minor discrepancy in the beneficiary’s name in the email address.

The solicitor emailed in reply and asked for the bank details of the other beneficiary. The fraudster replied the same day with what was claimed to be the second beneficiary’s bank details.

The solicitor then transferred a substantial sum to the second beneficiary’s bank account.

Attempts were made to transfer funds to the first beneficiary’s bank account as well, but they proved unsuccessful, despite the fraudster providing alternative bank details.

The fraud was uncovered when the solicitor was informed that the second beneficiary had not received the funds.

Enquiries were made with the receiving bank. It advised that the funds had been withdrawn. The matter was promptly reported to the police and enquiries were made with the bank to try and identify the account holder that had received the funds.

The bank refused to provide the requested information and the complaint to the police did not result in any apparent investigation.

The beneficiaries brought a claim against the solicitor for negligence. The claim was settled through Law Mutual (WA). However, the solicitor suffered a great deal of stress, reputational damage and had to pay the insured’s contribution (policy excess).

The fraud illustrates the danger of relying upon bank details which have been provided electronically, especially in the body of an email.

Case Study Two – Conveyancers’ Emails Hacked

In two separate incidents an unknown party gained unauthorised access to a (conveyancing) practitioner’s email account. In these instances, through access of the practitioner’s email account, the unknown party used the change-in-password email link sent from the PEXA platform to allow access to the subscriber's PEXA profile. With access to the practitioner’s PEXA profile, the unknown party was able to create a new user account and was able to fraudulently change the destination account details in the respective settlement schedules.

The practitioner subsequently digitally signed (or re-signed) the financial settlement schedule, confirming the account details that were entered, allowing settlement to proceed. It appears in both of these instances the practitioners did not check the settlement schedule they were signing off on, which resulted in the misdirection of funds.

In both instances, the misdirected funds were sent to bank accounts and the banks involved were quickly contacted. While it is believed that all the money from one transaction and a substantial proportion of the money from the other transaction have been recovered, besides the stress involved, one of the cases attracted national media attention as the funds belonged to TV celebrity. The prospect of reputational damage for PEXA and the conveyancing practitioners involved is, no doubt, very significant.

Law Mutual has met with PEXA and been informed that PEXA will make the following additions to the system:

Increased monitoring of PEXA Workspaces: PEXA has been monitoring all Workspaces for several activities including identifying unusual activity surrounding password resets, and new user creations and changes to BSB and account numbers. PEXA has been actively contacting practitioners to confirm any such activity is legitimate. No new instances of this fraud have been found and these continue to be isolated incidents.
Creation of new users within existing accounts: PEXA will only allow new users to be created to existing subscriber accounts in an ‘inactive’ status, and PEXA will be required to activate them.
Workspace time stamps: PEXA will add a feature to the system which highlights the date, time and specific user that last updated the settlement schedule. This will provide an additional method to validate the details prior to signing and will be displayed on the signing screen.
Multi-factor verification: Over the next few weeks, PEXA will introduce additional two-factor authentication. All subscribers will be required to confirm their identity through this additional verification layer when logging into PEXA.

What is the Out-take?

In all of the case studies above, the initial problem has been susceptibility of emails to be hacked.

It seems that emails are simply not a secure form of communicating potential sensitive information.

In a recent article in the Australian Financial Review (3 July 2018), Peter Moon, a technology lawyer at Cooper Mills, made the following comments:

“Email wasn't designed as a secure messaging platform and almost everything about it is the opposite of how a secure communication system should work.

Email was conceived as a short messaging tool. "Meet at the cafeteria at 1pm to talk about the results?" "Sure. See you then." It didn't matter that it travelled over the network encrypted, or that copies might sit indefinitely on servers that third parties could access, or that there was minimal proof of the sender's identity.

If it appeared to come from Fred, it probably was from Fred.

It was later generations who decided to apply this handy but insecure chat system to serious business and high value transactions.

Most of us simply choose to trust email, against overwhelming evidence that it doesn't warrant it.”

However, email is now part and parcel of how we do business; that isn’t going to change any time soon.

Many law practices now have security gateways to detect malicious emails but they are unlikely to be a complete defence to criminal activity.

For example, a criminal scammer can gain access to a client’s or practitioner’s account via a weak password or where a password has been copied while the user has accessed an insecure (often free) wi-fi network. More sophisticated forms of access are by targeted computer network hacking (and law practices are a high profile target) or via malware which has enabled a scammer to gain access.

Where the above has occurred the fraudulent email is likely to come from the sender’s actual email account. In other instances, the email comes from an entirely different account but with an email address that is nearly identical to the apparent sender’s (this is called “spoofing”).

Regardless of the method by which the email is sent, it may be the recipient’s response to the email that will determine if the fraud is successful.

So what can I do; how should I respond to the risk?

The following are the steps we suggest you implement:

1. Vigilance

Adopt a less trusting and more critical mindset as requests by email regarding money transfers may be fraudulent.
Develop secure cyber fraud prevention policies and procedures for managing emails, especially requests for money transfers or change of bank account details.

2. Inform

Train your staff in the prevention procedures and ensure they are complying with them.
Let your clients know that you will not –
- change your account details by email; or
- request by email that they provide you with account details
  and that they should inform you if they receive an email to the contrary.

Tell your clients that you will seek verification of any emails apparently from them that seek to change account details or request the transfer of money to other than verified accounts.

3. Verify

When an email contains instructions to transfer funds or change account details call the apparent sender using a credible number, such as from original instructions (not from the suspect email), and verify all relevant information.
Consider also verifying the identity of the person you are speaking to by one other valid piece of information (try to ensure the information would not have been contained in any email exchange).

4. Act

If the verification process is correct, proceed as instructed.
If the verification fails, you need to consider:
- Informing the apparent sender of the suspected fraud, particularly if it appears they have been hacked
- Investigating the incident if it appears your email has been compromised
- Conducting a “lessons learned” review, amending your prevention procedures if necessary and letting staff know of what has happened and why the procedures are so important.

Acknowledgements

Peter Moon 'PEXA hack shows antiquated email is a fraudster’s best friend', Australian Financial Review, 3 July 2018.
'Cyber Fraud Aware and Prepared', Law Cover (NSW)

Contact Law Mutual (WA)