Cautionary tales

During the autumn of 2016, the Conveyancing Quality Scheme team, in conjunction with the National Cyber Crime Unit, which is part of the National Crime Agency, went on a cybercrime mitigation odyssey. Visiting seven cities across England and Wales over a period of four weeks, we travelled nearly 2,500 miles listening to stories of the impact that cybercrime is having on firms involved in residential conveyancing.

We uncovered a sector in the grip of major criminal activity. Attendees reported being subjected to daily cyber-attacks, ranging from the annoyance of regular bogus email requests to, in one case, a firm being subject to a fraud totalling nearly £1m. The most common problems related to email interception, phishing scams, and the relatively new but increasing threat of ransomware. Below are some of the real-life scenarios we encountered.

Phishing

One medium-sized firm was defrauded using a classic phishing scam. Fraudsters managed to fool the firm’s accounts department into paying a bogus invoice, by posing as the firm’s senior partner, who was away on a three-day business trip.

The firm had a high profile on social media, and this caused the first problem. The senior partner’s business trip was announced on the firm’s Twitter feed, giving the criminals the perfect cover to try to dupe the accounts team. The criminals set up a near-duplicate email address to the partner’s, and, over a period of four or five hours – even including a conversation about the weather – sent a number of emails to the accounts department, asking for an invoice, totalling nearly £35,000, to be paid. The emails consistently told the same story: that the senior partner needed the invoice to be paid immediately. The criminals worded their emails to the accounts department in the same type of nuanced language used in the firm’s social media and blog posts.

It was only at the end of the day, when another senior partner questioned the payment, that the firm discovered that it had been defrauded. Fortunately, it was able to contact the bank and freeze the payment, but only after £10,000 had been withdrawn.

Email intercept

In a second case, we heard about a client who lost the deposit on a flat purchase after having been defrauded via an email intercept.

The victim in question was moving to a new town. Having visited on several occasions the property she intended to buy, she informed her solicitor that she would be making the deposit payment shortly. Unfortunately, she sent the email from a cafe, using its free wifi and, unbeknownst to her, the wifi she had used was a duplicate system set up by scammers to capture web traffic from the cafe. The fraudsters were able to replicate the email template used by the solicitors and redirect the deposit funds into a separate bank account. Unfortunately for the client, £15,000 was sent to the wrong account. As the funds were sent on a Friday afternoon, it wasn’t until the following Monday that the scam was discovered, by which time the funds had been moved on, and eventually withdrawn.

Ransomware

In the third case, we heard about a legal secretary who was the victim of a ransomware attack. The secretary clicked on a link in an email, not realising the email was from a fraudster. Clicking on the link opened a virus that infected her computer, locking down various files and the operating system. A message appeared on her screen telling her that the virus would be deleted and her computer unlocked if she paid one bitcoin (then valued at about £750). Not wishing to get herself into trouble, she paid the ransom herself and was able to retrieve all her files.

However, she didn’t realise that the virus was now live within the systems of her firm. The following day the whole firm was subject to a ransomware attack. Fortunately, the secretary owned up and the firm was able to restore all of its files without paying a further ransom, as it used its offline back-up to reinstate its operating systems and files.

Protecting yourself

All three cases could have been avoided if the individuals had taken some simple steps to protect themselves against cybercrime.

A good place to start is Financial Fraud Action UK’s ‘Take Five’ campaign, which outlines five simple steps to reduce the number of victims of financial fraud.

1. Never disclose security details, such as your PIN or full banking password.

2. Don’t assume an email, text or phone call is authentic.

3. Don’t be rushed – a genuine organisation won’t mind waiting.

4. Listen to your instincts – you know if something doesn’t feel right.

5. Stay in control – don’t panic and make a decision you’ll regret.

The Property Section’s spring seminars can also help you by providing guidance on how to protect your firm from cybercrime.