Handling a hack: Be alert...and alarmed!

1 November 2017

Stories of cyber security breaches are so commonplace that many of us now switch off when we hear them. But if you’re an agency owner, switching off is the last thing you can afford to do, as the recent series of unprecedented cyber attacks continue to leave businesses around the world reeling.

By Cath Dickinson

Starting in May 2017, cyber extortionists tricked victims into opening malicious malware attachments to spam emails. Dubbed WannaCry, the ransomware exploited a Microsoft Windows vulnerability, encrypting data on the infected computer and demanding payment to restore access. 

Wreaking havoc across the globe, the attack stopped factories, brought health care services to a halt, affected telco networks and impacted government infrastructure in more than 150 countries.

Then in June came Petya, a ransomware attack that encrypted important files after a user clicked on an infected email attachment and then demanded a Bitcoin ransom to restore access. From a single infected computer, Petya had the ability to spread rapidly across a business by taking advantage of a number of Windows vulnerabilities. Big and small businesses across the world again fell victim to this latest cyber security attack.

Not just a ‘big end of town’ problem
The majority of cyber security related incidents reported by the media involve large businesses. But the impact of these breaches can be felt as heavily, if not even more so, by small to medium businesses. They’re the victims that don’t make the news.

Real estate agencies are not immune and it’s dangerous to be complacent and adopt an “it will never happen to me” attitude. When it comes to your business experiencing a data breach, the 2017 IBM Cost of Data Breach Study shows the odds are as high as 1 in 4. And falling victim to a cyber attack can have significant ramifications including financial loss, reputational damage, loss of intellectual property and business disruption.

Staying on top of all the risks and latest threats is no easy feat, but there are some simple things you can do to minimise the risk of your business falling victim to a cyber attack.

  1. Update your operating system
    The WannaCry attack targeted a known Windows vulnerability, one easily defended by installing a patch issued by Microsoft prior to the attacks. The disheartening reality is if users had stayed on top of security updates, their machines wouldn’t have been infected.

  2. Install antivirus software
    Cyber criminals are always looking for holes and vulnerabilities they can exploit to create new and more powerful viruses and malware. That’s why it’s important to not only install antivirus software, but keep it up to date. If you don’t, you’re leaving yourself open to a cyber attack.

  3. Beware of email attachments
    The devastating effects of WannaCry and Petya were the result of users clicking on email attachments. The lesson? Don’t click!

  4. Create data backups
    In the event a hacker successfully infects your computer, all is not lost. If you have a backup, you’ll be able to restore everything with minimal fuss. And don’t forget to test your backup. A backup is useless if it can’t be restored correctly.

  5. Have cyber insurance
    While it won’t protect your business from an attack, cyber insurance could be the difference between keeping the doors open or shutting up shop for good. While some business insurances cover cybercrime, many don’t – so take the time to check.
    If you’re unsure about the level of coverage you need, talk to an insurance broker. They can help you understand your business’s cyber risks and identify the best cyber insurance product to suit your needs.

CASE STUDY: $760k trust account theft

Imagine this. You sit down at your computer to transfer some money from your agency’s trust account. It’s business as usual as you enter your username and password to access online banking. But once you’re logged in, you see money disappearing from the account before your very eyes – and there’s nothing you can do about it. Think it could never happen to you? Think again.

This is exactly what happened recently to the experienced Principal of a respected Sydney agency. The victim of a sophisticated cybercrime that saw almost $760,000 stolen from their trust account, they’re warning others that it could happen to them.

The money was stolen over the course of five fraudulent transactions – and the Principal witnessed one of the transactions being processed and approved via their online banking portal.

How it happened

It was normal practice for the Principal to use a security USB device to access their bank accounts online. On the day of the theft, they logged in as usual and received a message saying that the website was offline for maintenance, so they logged out.

A few hours later, they logged in again only to receive the same message. Thinking this was a bit unusual, the Principal checked with their accounts team to see if they were having the same problem accessing the online banking portal. A member of the accounts team logged into the portal and, to their absolute horror, discovered that almost $760,000 had been moved from the trust account in five unauthorised transactions.

The Principal immediately called the bank, but they weren’t able to stop the transactions. Fortunately the agency has been able to recover all but one of the payments, leaving a shortfall of $80,000. It seems the hackers gained access to the agency’s trust account via the Principal’s earlier attempt to login to the online banking portal.

Don't let it happen to you

“I’ve been a Principal for more than 20 years and I’m always thorough and careful,” the Principal said. “It’s important for all agencies to be more aware of cybercrime and check the systems they have in place to protect themselves, because this type of crime is growing exponentially.

“It’s terrifying what hackers can do and the level of sophistication is incredibly high.”

The Principal of the agency has this advice to offer others:

  • No same day transfers. Make sure your internet banking doesn’t have Real Time Gross Settlement (RTGS), which allows for same day transfer to another bank with transactions settled as soon as they’re processed. RTGS means money can be transferred and withdrawn within a very short space of time, rather than overnight.
  • Dual authorisation. Never allow the same person to both create and authorise a payment. You should always require two authorisations for payments made by your agency.
  • Check transfers. Always carefully check transfers before authorising them.
  • No USBs. Don’t use a USB to access your internet banking portal as they can be easily compromised.
  • Protect yourself. Don’t rely on the bank to protect you or put appropriate safety systems in place. Do your own due diligence and ask questions of your bank and insurer about cybercrime prevention.
CASE STUDY: Fake listings rental scam
In a bid to obtain bank details and photocopies of passports and drivers’ licences, scammers recently uploaded 31 fake listings to an agent’s website and domain.com.au.

The Principal of the agency, an industry veteran of more than 30 years, warned other agents to be on their guard.

“I first twigged to the fact that something was wrong when I started receiving calls on a Sunday morning about properties for rent in locations we don’t list in. We found properties in Victoria, Queensland, Western Australia and Tasmania listed on our website for rent – and for ridiculous prices aimed at baiting people,” the Principal explained.

“We contacted Domain immediately and they took the listings down. We also contacted anyone who made enquiries to find out if they had completed an application. Fortunately, no one had. By filling in an application, which included bank details, it’s possible the scammers could have stolen money from their account or their identity.”

It’s not known how the scammers gained access to upload the listing, but the situation serves as a warning to agents to always be aware of the possibility of cyber crime."