Property www.echo.net.au/echo-property
Property Insider
Email us: propertyinsider@echo.net.au
Cyber Attack Alert – Attention Agents From the REINSW An experienced principal of a Sydney real estate agency witnessed nearly $1 million being stolen from their trust account and could do nothing to stop it. The victim of the sophisticated cybercrime, a REINSW member agency, warned others that it could happen to them and to make changes to ensure they are protected. More than $757,000 was stolen, and they witnessed one of the five fraudulent transactions being processed and approved on their online banking system in front of their eyes. The principal immediately called their bank but they were unable to stop the transaction. Fortunately, all but one of the payments were returned, leaving a shortfall of $80,000 that could not be recovered. It is important that agencies become more aware of
cybercrime and check the systems they have in place to protect themselves, because this type of crime is growing exponentially. The agency did not have a standalone cybercrime insurance policy but had a cybercrime extension of their professional indemnity insurance, which is limited for cyber claims. Professional indemnity insurance also requires a third party to make a claim against the agency to cover a loss. The Property Stock and Business Agents Act 2002 (No 66, Part 7, Section 89) requires a licensee to notify the secretary in writing of a trust account becoming overdrawn within five days of becoming aware. The secretary means the Commissioner for Fair Trading, Department of Finance, Services and Innovation, or if there is no person employed
as Commissioner, the Secretary of the Department of Finance, Services and Innovation. The perpetrator of this cybercrime has been identified as a 19-year-old from Estonia with a valid Australian visa, who has a warrant out for his arrest. Two of his accomplices have been arrested.
How did it happen? The principal used a security USB device to access their banking online, after entering their username and password. Once logged in to transfer some funds they received a message saying the online site was down for maintenance, so they logged out. The principal attempted to log back in three hours later and found the same message. Concerned this was unusual the principal checked with their accounts department if they had had a problem
accessing the site. Once the accounts department logged into the bank online, to their horror they noticed five transactions amounting to more than $750,000 dollars which had not been authorised. The hackers had gained access from logging in earlier. The principal added: ‘Noone can work out exactly how the hackers did it. My IT team spent three days on a forensic examination of the office server and individual computer and could find no evidence of any malware or spyware or any affected files.’
Lessons learnt The principal had this advice to offer to agencies from the lessons they have learnt. • Check your internet banking does not allow for Real Time Gross Settlement (RTGS) payments. This allows a
same-day transfer to another bank with transactions being settled as soon as they are processed, allowing for money to be transferred and withdrawn in a very short space of time rather than overnight. • Do not provide permissions for the same person to create and authorise a payment. • Carefully check transfers before authorising them. The agent, since the theft, noticed that the hackers had processed a test payment of water rates which they cancelled.
• Do not use a USB to access internet banking as they can be compromised. • Don’t rely on your bank to protect you or put the correct safety systems in place - do your own due diligence on protection and ask questions of your bank and insurer on cybercrime prevention! • Check that you are covered for cybercrime under your insurance policy. If you are a victim of cybercrime, lodge a report with the Australian Cybercrime Online Reporting Network.
mcgrath.com.au North Coast news daily: www.echonetdaily.net.au
The Byron Shire Echo May 24, 2017 21