To help combat cyber-crime, our expert team has compiled this email phishing case study.
What is phishing?
Phishing refers to any fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. Phishing can be conducted via email, text message, phone call and other digital means.
Spear phishing
Spear phishing is a highly specialised type of scam that involves the sending of targeted communications towards a specific individual, organisation or business, in order to obtain sensitive information.
To make their attempts appear legitimate, cybercriminals use details and information specific to the business that they have obtained elsewhere.
Increasingly, phishing attacks are becoming more complex and difficult to identify, posing a significant risk to industry.
Impact on Australian businesses and clients
According to the ACCC’s Scamwatch, in 2020, $176 million was lost to scams in Australia. The total number of reported scams also rose 23.1% year-on-year to a total of 216,089.
Additionally, in its latest Targeting Scams report, business email compromise was the number one contributor to financial losses within Australia – costing organisations $132 million in 2019.
ACCC data confirms that email phishing is the most common type of scam and the primary threat to businesses.
Phishing is a threat that impacts all industries – not just property. However, residential property is the nation’s most valuable asset class and with the finances involved in the purchase or sale of a property, the sector is unfortunately a natural target for potential cyber criminals.
Best practice
The use of email is strongly discouraged for exchanging bank account details – this is NOT a safe channel for the communication of sensitive information. Instructing your client to provide their bank account details via email directly places you at significant risk of a cyber-attack.
It is urged that Subscribers verbally confirm bank account details with clients before entering them into the Workspace.
We highly recommend you make use of PEXA Key. This free app has been specifically built for industry to eliminate the risk of email phishing and enables clients to provide their bank account details to their legal representative safely.
Additionally, PEXA Key Secure Communication Guarantee provides protection to buyers and sellers if the communication of bank account details between the buyer/seller and their practitioner’s PEXA Workspace is corrupted within PEXA or intercepted due to fraud – up to $2 million.
It’s important for firms to build cyber-secure steps within their overall settlement process. These measures are no longer ‘nice-to-haves’ – they must be implemented to ensure your settlements remain safe.
Case study
Below are two hypothetical scenarios whereby a settlement has been compromised due to process failings.
Scenario #1
In this instance, email is being used as the communication channel for the exchange of sensitive information and the email account of the client has been compromised.
A fraudulent email from an illegitimate address, containing fake BSB/Account Numbers is sent to the Subscriber. Often, only a single character in the email ie: from john.smith@hotmail.com to j0hn.smith@hotmail.com) is changed.
Having received the email, the Subscriber does not call the client to verbally confirm the bank account details.
The Subscriber, unaware that the information is fraudulent, enters the account details into the PEXA Exchange Workspace. Settlement proceeds and funds are disbursed to the fraudulent account.
Scenario #2
In this instance, email is being used as the communication channel for the exchange of sensitive information and the email account of the client has been compromised.
The client sends an email to the Subscriber containing the legitimate bank account details required for settlement. Unbeknownst to the Subscriber, a hacker has installed spyware/malware to monitor activity. Having done this, a hacker then intercepts this email, changes bank account details around and then re-sends the email to the Subscriber.
Having received the email, the Subscriber does not call the client to verbally confirm the bank account details.
The Subscriber, unaware that the information is fraudulent, enters the account details into the PEXA Exchange Workspace. Settlement proceeds and funds are disbursed to the fraudulent account.
In these cases, there are two key gaps:
- Email is used as the communication channel and is extremely prone to being compromised by hackers, who are actively seeking to intercept communications containing sensitive information.
- Failing to verbally confirm account details prevents the fraudulent activity from being detected prior to settlement.
Situations to avoid
In general terms, the below are known instances which introduce risk of fraud:
- The Subscriber has requested details from the client via email. This email is then intercepted by a third party.
- The Subscriber is communicating with their client via email. The fraudster has compromised either the Subscriber or the client’s email account and is falsely posing as the party.
- Details provided to the Subscriber by the client were not verbally confirmed and contained incorrect/fraudulent bank details.
- Having previously only communicated via phone call or PEXA Key, a fraudster posing as a client requests that the conversation moves to a new channel, such as WhatsApp, in order to conduct fraud.
- A fraudster posing as a client sends new bank details as a screenshot from a different number through third party messaging services, such as WhatsApp.
In any of the above scenarios, it’s vital to be certain that the communication you have received is from a legitimate source and if uncertain, verify over the phone with the relevant party.
How to protect yourself
If you receive an email you believe to be suspicious:
- Do not respond.
- Do not click links or download attachments.
- Engage your relevant security administrator or reach out to PEXA’s Security team to inspect the email. PEXA would also like to be made aware of any fraudulent emails using our branding.
- Delete the email, once it has been provided for analysis.
If you click on a link within a phishing email:
- Contact the PEXA Support Centre immediately, who will connect you with our Security team.
- Additionally, engage your relevant security administrator.
- Report scams to the ACCC via the Scamwatch report a scam page.
PEXA Subscriber Security policy
It’s recommended that members familiarise themselves with the PEXA Subscriber Security Policy, which was established to help safeguard transactions and contains minimum standards required to be maintained across the network.
It’s important to routinely manage your ‘cyber hygiene’ – ensure you utilise multi-factor authentication, run anti-virus, regularly update your operating systems and applications and periodically change your passwords.
If you suspect you’ve been targeted by a phishing attack or scam, it’s important to inform your relevant security contacts immediately. Acting fast ensures the best chance of recovery. There’s no need to fear speaking up – we’re all human, honest mistakes can happen and we’re here to help.