As eConveyancing has become mandatory in most states and conveyancers and law firms rely more heavily on technology for their daily business, experts warn a failure to implement cyber risk management strategies – and to regularly update them – is leaving the door wide open to hackers.
Last year Australians were scammed out of at least $3.1 billion – an 80 per cent increase in total losses reported to Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE, ASIC and other government agencies from the previous year.
“Behind the numbers are everyday Australians who lost money, sometimes their life savings, to scams,” said Catriona Lowe, deputy chair of the Australian Competition and Consumer Commission (ACCC).
“By responding to a fraud alert call they thought was their bank; clicking on a link in a text message they thought was from a government agency; signing up to a promising scheme to invest their retirement savings or transferring their property settlement funds into a bank account listed in an email they thought was from their lawyer – these people never expected they could lose everything.”
Lowe said losses to cybercrime are increasing because scams are becoming more difficult to detect, meaning anyone can be caught.
“Leveraging emerging technology, scammers impersonate the phone numbers, email addresses and websites of legitimate organisations,” she explained.
“Their text messages can appear in the same conversation thread as genuine messages. Fake ads, social media profiles and reviews are easily and cost-effectively deployed. This makes scams incredibly difficult to identify.”
Using attack vectors including identity fraud, fraud-as-a-service (FaaS), business email compromise scams (BECs), ransomware attacks, phishing emails and exploit kits, cybercriminals are abusing vulnerable business systems and are specifically targeting conveyancing specialists.
“Cybercriminals are targeting all parties involved in the real estate sector, with a particular focus on impersonating conveyancing lawyers and communicating with their clients,” said the Australian Cyber Security Centre (ACSC).
“Cybercriminals are also singling out mortgage lenders in order to intercept property settlements.
“This trend has potential for significant financial harm. All parties involved in the buying, selling and leasing of property should be vigilant when communicating via email, particularly during settlement periods. This includes real estate agents, conveyancers and lawyers, mortgage lenders and any clients of these businesses.”
Conveyancing can be a risky business
The conveyancing industry is especially vulnerable to cyberattacks because of the volume of personally identifiable information (PII) held by conveyancers and other related agencies, according to Chris Gibbs, technology expert and chief executive of property title and legal search platform triSearch.
“In Australia we’ve seen a huge increase in the use of technology to support the work of conveyancing,” said Gibbs.
“As the reliance on technology has increased so has the risk of cyberattacks.
“With conveyancers relying more on technology they need to ensure they take into consideration their resilience to the threats around cybersecurity.”
Spokesperson for the Australian Registrars National Electronic Conveyancing Council (ARNECC), Brad McBride, said there are strict requirements put in place to address cybercrime within the industry, and stakeholders in each jurisdiction need to comply with the Electronic Conveyancing National Law (ECNL).
“ARNECC, as a council of regulators from each jurisdiction, remains aware of, and takes very seriously, cyber incidents across the board, be they from nefarious sources such as fraud or cyberattacks or caused by incidents and outages in operating systems across the electronic conveyancing ecosystem that impact the ability for electronic conveyancing transactions to take place,” said McBride, the director land titles regulation, Western Australia.
“As such ARNECC has put in place stringent requirements through the Model Operating Requirements (MOR) for Electronic Lodgement Network Operators (ELNOs) and Model Participation Rules (MPR) (for subscribers), which dictate system requirements in regard to system capability, availability, security and access.
“There are also very clear requirements in regard to data integrity, and notification of compromised systems and transactions.”
Cybercrime – Don’t be a statistic
A spokesperson for the Attorney General’s Department said, “the Australian government recognises the increasing, persistent, and pervasive threat all cybercrime poses to the Australian community, including individuals, businesses and government services.
“Cybersecurity vulnerabilities change over time and cyber criminals may regularly change who they target. The Australian Federal Police work in close collaboration with law enforcement, regulators, and other entities to prevent, disrupt, investigate and prosecute cybercrime impacting the Australian community.”
With a cybercrime reported in Australia on average every seven minutes, recent data from the ACSC shows over 76,000 reports of cybercrime were made last year – an increase of 13 per cent from the previous financial year.
According to the ACCC’s 14th annual Targeting Scams Report, among the common business-related scams is: “payment redirection (business email compromise), where scammers compromise the business email, either through hacking or by impersonating the business’s email (by changing one letter in the email address). They alter invoices or requests for payment by changing the bank account details. Many of these are reported to Scamwatch as false billing scams.
“While all business sectors are affected by these scams, historically the typical targets are high transaction industries such as real estate conveyancing firms or the construction industry.”
The ACCC said last year investment scams caused the country the most financial woes, with combined losses of $1.5 billion. This was followed by remote access scams with $229 million lost, and payment redirection scams with $224 million lost.
Bank transfer remains the most reported payment method, with 13,098 reports totalling $210.4 million. Losses by bank transfer increased 62.9 per cent.
Businesses and people who lost money via bank transfer were more likely to have been contacted by phone or email.
The ACSC said losses due to business email compromise scams (BECs) topped $98 million in Australia last year with an average loss of $64,000 per report.
There was a rise in the average cost per cybercrime report to over $39,000 for small businesses, $88,000 for medium businesses, and over $62,000 for large businesses – an average increase of 14 per cent. Large businesses took a smaller hit than medium sized businesses because they were more likely to have cybercrime mitigation strategies in place. In 2022, businesses submitted 3,857 scam reports to the ACCC with reported losses of $23.2 million.
Businesses that reported losing the most money were in NSW ($6.5 million) and Queensland ($6 million). The ACSC reported between 150,000 and 200,000 routers in Australian homes and small businesses are vulnerable to compromise, including by state actors.
The ACSC also said that worldwide in 2022 there was a 25 per cent increase in the number of publicly reported software vulnerabilities (common vulnerabilities and exposures or CVEs).
The rise and rise of cybercrime
Research from the Australian Institute of Criminology Statistical Report – Cybercrime in Australia 2023, showed 47 per cent of respondents had experienced at least one cybercrime in the past year, while 22 per cent had been a victim of malware, 20 per cent had been a victim of identity crime and misuse, and 8 per cent had been a victim of fraud and scams.
Meanwhile, figures from the Australian Bureau of Statistics show reports of cybercrime have more than doubled in the two years from 2020-2022, up from 8 per cent to 22 per cent.
The Australian Competition and Consumer Commission (ACCC) said more coordinated effort is required across government, the private sector and law enforcement to combat scams.
“Businesses need to be vigilant and implement effective monitoring and intervention processes to prevent scammers using their services and stop them when they do,” said the ACCC’s Catriona Lowe.
“Identity, verification and communication processes need constant review as scammers constantly evolve. We need to arm consumers with the tools to give them the best chance to identify scams.”
Yet, according to ABS data, only 70 per cent of Australian businesses reported they were employing cybersecurity measures to protect themselves against attacks.
“The essential steps any conveyancer needs to take are staying informed and educated as to cyber risks, maintaining cyberhygiene and preparedness and knowing what to do in the event of a cyberthreat,” said Chris Tyler, chief executive of the Australian Institute of Conveyancers.
“Early detection and remediation is of paramount importance as it will often lead to misapplied monies being short-circuited and prevented from being transferred to the threat actors.
“Another essential step is ensuring staff and industry stakeholders are educated and aware of the risks.”