Cyber-attacks and Business Email Compromise
Cyber-attacks and Business Email Compromise (“BEC”) in commerce have become a major concern for attorney firms and their clients alike. Neil Mc Kinon, Attorney and Conveyancer at Hammond Pole explains the reality of email interceptions and email compromise.
According to a global survey conducted by Mimecast Cyber Security Services in 2020, 6 out of 10 companies globally suffered a Ransomware attack and, given the rise in digital activity over the last year, email threats increased by 64%. Also, according to a report by Accenture in May 2020, South Africa has the third most cybercrime victims, losing R2.2 Billion a year.
Who is most vulnerable?
The most vulnerable to BEC are conveyancing firms, and often more so, their clients, where transactions involving electronic transfers of large amounts of money are affected daily. Recipient payments from attorney’s trust accounts and deposits by clients at large conveyancing firms are made regularly with the result that law firms, and their clients, have become common targets for email interceptions, cyber fraud and identity theft.
Fortunately, most threats and compromises can be avoided with the correct server protection and IT monitoring. This includes the installation of firewall protection, anti-virus and EDR (End Point Detection and Response) software. Many law firms, particularly larger firms have the means and abilities to ensure these protections are in place however many smaller firms do not have these means in place.
In South Africa however, the increase in Cyber Fraud has led to the passing of new legislation such as Financial Intelligence Centre Act (“FICA”) and Protection of Personal Information Act (“POPIA”) and accountable institutions like Attorneys and Real Estate Agents are legally obliged to gather and scrutinise information from individuals they deal with to try to prevent fraud and identity theft.
However, email interceptions and data protection threats have unfortunately led to client’s emails being intercepted and payments made to the incorrect bank account. Cyber Fraudsters have become aware of deposits being made to conveyancing firms and target email accounts that do not have firewall protection thereby intercepting their emails and scamming the victim into making payments into the incorrect bank account.
The most common modus operandi of the criminals who execute these crimes is to intercept the mails sent to clients, usually containing bank details, and asking for payment, and then fraudulently changing the bank details to their own. They then re-send the mail to the client from a generic mail address that has been created to look like the law firms e-mail address and containing the law firm’s logo’s, letterheads, and e-mail signatures, and claim the payment details have changed. Clients then unknowingly, and thinking they are paying the firm in question, pay the fraudsters.
It has also happened that the law firms themselves have fell for these fraudsters as well, although this is less common in practice. Two examples of such cases, that ended up in the courts, are:
- GLOBAL & LOCAL INVESTMENTS ADVISORS (PTY) LTD v NICKOLAUS LUDICK FOUCHÉ 2021 (1) SA 371 (SCA); and
- JURGENS AND ANOTHER V VOLCHENK (4067/18)  ZAECPEHC 41 (27 JUNE 2019).
In the Global & Local Investment Advisors (“Global”) case, the email account of a client of Global had been hacked with the result that an email ostensibly delivered by the client was sent to Global instructing them to make payment into several accounts. This mail was obviously a fraudulent one. It was however held that Global had made payment on the strength of the email without a valid signature by the client and was thus liable.
In the Jurgens case an email from the client had been intercepted and an exchange of emails between the fraudster and the attorney’s ultimately led to funds being paid into the fraudsters bank account.
These cases highlighted the risks of email interceptions and email compromise.
While trust funds are relatively safe in attorneys trust accounts, Business Email Compromise remains a threat to any organisation and its clients and this requires that email correspondence dealing with bank details and personal information be handled with caution.
Clients and attorneys should take additional care in verifying account details before making payments and should be aware of sudden changes in email addresses and bank details. Most attorneys send out disclaimers and warnings to their clients warning them that banking details should not be changed via e-mail and, in the event a mail is received stating that the details have changed, they should be verified with the firm telephonically.
Clients who are engaging with attorneys in property transfers where payments are to be made into such attorney’s trust accounts would be well advised to not accept the changing of bank details via electronic means, such as e-mail and should always verify the attorneys bank details before making any payments. Law firms would similarly be well advised to verify banking details before making any payments.
Attorneys who are now compliant with the laws of POPIA and FICA would certainly benefit from initiating systems which verify information and provide for levels of sensitivity of information contained in emails.