Conveyancers have been early adaptors of electronic conveyancing, which will be mandatory for all mainstream property transactions in NSW from 1 July 2019. As we head towards this date, it is timely to consider the lessons that have been (and can still be) learned about cyber risk and resilience in conveyancing.
Email security is now a serious business risk for conveyancers
Email compromise usually occurs via a phishing incident or password compromise. Phishing attacks happen when a hacker impersonates a trusted source and sends an email containing a link or attachment that can either deliver malicious software or capture sensitive information such as passwords. Alternatively, intruders can access emails using a compromised password, without any other form of hacking or impersonation. Many people are unaware that millions of passwords are for sale on the dark web as a result of past website breaches. This means that when individuals use the same passwords across different websites, it is easy for criminals who have access to the password to access your email, especially if this password is used for the contact email address published on your website.
Email-enabled impersonation fraud, malware, phishing and hacking
Cyber incidents and email scams can occur in a variety of ways.
Email fraud often involves impersonation fraud facilitated by email rather than interference with a conveyancer’s computer(s). In many cases, fake emails appear to come from a client or another business contact, when in reality they have been sent from a different email account which has been set up to mirror the victim’s name and email address (otherwise known as ‘spoofing’). These emails typically request payments to a bank account connected with the scammer.
In other cases, email accounts have been hacked, with the hacker then sending emails from the victim’s account containing bogus directions for funds transfers. The fraud is often undetected until a loss is reported, because the hacker will usually delete sent messages from the account and set up email rules redirecting replies so that the victim is unaware of the existence of messages sent to and from their account.
Professionals’ duty of care
Section 50 of the Civil Liability Act 2002 (NSW) provides that:
“(1) A person practising a profession (‘a professional’) does not incur a liability in negligence arising from the provision of a professional service if it is established that the professional acted in a manner that (at the time the service was provided) was widely accepted in Australia by peer professional opinion as competent professional practice.
(2) However, peer professional opinion cannot be relied on for the purposes of this section if the court considers that the opinion is irrational…”
Section 35 of the Act enables a court to apportion liability between “concurrent wrongdoers”, where the acts or omissions of two or more parties may have caused the damage or loss that is the subject of a negligence claim.
The concept of a ‘professional’ comes with expectations of specialised knowledge, competency, accountability, ethics, fair dealing and putting clients’ interests first. So, how does email security and technological competence fit into the definition of “competent professional practice”?
Conveyancers hold personal information that they are required to protect and keep confidential, including financial information such as bank account details and personally identifiable information such as driver’s licenses. A court is therefore likely to consider it the duty of conveyancers to take reasonable steps to ensure that such protected information is adequately secured.
The more frequently that email addresses and passwords are used across different websites, the more likely it is that they could be disclosed via security breaches of those websites. Practitioners who mix personal and business emails in one email account are at greater risk. In this context, there is a chance that the use of free email accounts that do not meet modern security standards (such as an ability to incorporate two-factor authentication) would not be regarded as “competent professional practice” by clients or the courts.
Taking action
An easy way to check whether your passwords may have been published online via the breach of other websites can be found at www.haveibeenpwned.com. If you are still using a password that you find has been published online, you should change it urgently. Use complex passwords (such as phrases containing numbers), change them frequently and consider using a password manager.
To protect your clients and your business, consider using:
- a business grade-hosted email service that includes filtering to block spam, phishing and malicious content or attachments and which enables two-factor authentication, meaning that another computer cannot access your email without entering a code sent to one of your nominated devices;
- a DNS-based web filtering service to block high risk websites;
- reputable security software on every computer.
While cyber risk can never be eliminated, taking steps like these can significantly reduce your risk. Don’t let any damage be done to you.