October is Cyber Security Awareness Month, a good time to focus on the fact that cybercriminals are targeting more and more property transactions. If you are selling or buying property, keep your guard up! In the context of yet another High Court dispute over who will bear the loss of a substantial amount of money paid by a buyer into a fraudster’s bank account, we discuss the risks and share some tips on how to minimise them. Lastly, there’s a warning about a new and significant AI danger which is bound to catch many victims unawares – don’t be one of them! |
“The infectiousness of crime is like that of the plague” (Napoleon Bonaparte)
This October marks the 20th anniversary of the globally observed “Cyber Security Awareness Month”, and with cybercrime continuing to surge, here’s a cautionary tale to bear in mind.
You buy your dream house and pay the purchase price to the transferring attorneys (the conveyancers). Excitement builds as you wait eagerly for transfer and call the family together to plan your move. Then comes a call from the attorneys – why haven’t you paid yet? Your heart sinks, and panic sets in as it becomes clear that you just paid into a fraudster’s bank account. You contact the bank but your money has gone, along with the fraudsters.
That’s a nightmare scenario to which an ever-increasing number of property buyers and sellers around the world are being subjected. Property transactions are a natural focus for these cybercriminals because of the large amounts involved, but more and more personal and commercial transactions are also being targeted.
A recent High Court fight over yet another email interception fraud reinforces the need to remain alert in every situation and at all times…
R2.94m stolen – buyers, banks and conveyancers all at risk from email interception fraud
- A couple bought a house and paid R2.94m into the bank account specified in an email which appeared to come from the conveyancers. It was however a classic case of “email interception and compromise” – somehow the criminals had obtained sufficient information about the sale transaction to enable them to email the buyers, pretending to be the conveyancing firm, and convince them that their payment was being made into a legitimate trust account.
- As soon as it emerged that the account was in fact a fraudster’s, the buyers contacted the bank which promised to immediately freeze the account. Nevertheless, the R2.94m was transferred out to the fraudsters, and the couple sued the bank in the High Court for negligently allowing that to happen.
- The bank replied that, if it were indeed found to be negligent, it would allege contributory negligence on the part of both the buyers and the conveyancers.
- Its application to “join” the conveyancers into the court action failed, the Court holding that the buyers could choose who to sue and who not to, but the practical point of interest to most of us is the clear indication that in a case such as this, everyone stands to lose – property buyers (sellers are equally at risk), banks and conveyancers.
How to stay safe
“Forewarned is forearmed”, so follow these procedures strictly –
- Never fully trust anything you access or receive electronically. Everything electronic is potentially unsafe – think emails, SMSs, WhatsApp messages, websites, social media pages, online forms and anything similar. Don’t click on links without checking first for suspicious URLs and even then, be careful if asked to submit information, don’t download attachments unless you are certain they are safe, never disclose login details, passwords or other sensitive or personal information. Keep reminding yourself, your family and your staff of the ever-present dangers.
- Secure all your email, network and online systems against viruses, malware, breaches, hacking and compromise. Make sure all devices, servers, domains etc are protected. A good start is to install strong anti-malware software and firewalls, to ensure that all software and browsers are constantly updated with the latest security patches, and to use data encryption where you can. Use strong passwords and change them regularly.
- Use an online resource like the South African Fraud Prevention Service’s YIMA to security check websites. Download the U.S. Cybersecurity and Infrastructure Security Agency’s “Tip Cards” on its “Stop.Think.Connect. Toolkit” webpage.
- Pay particular attention to all banking and investing channels, and under no circumstances trust any email, SMS or other communication purporting to advise banking details or (a particular risk area) a change of banking details.
- If you are a business that regularly requests payments from customers or clients, add a suitable warning to every communication and a disclaimer against liability if a loss occurs (legal advice specific to your circumstances is essential here). Consider using a secure payment portal with 2FA (2 factor authentication) protection. If you email invoices with banking details, secure them from alteration (don’t put all your faith in PDFs, it’s a myth that they can’t be changed).
- Perhaps most importantly – always check directly with the account holder before paying anything. Contact the account holder only on its real and confirmed contact details – fraudsters are adept at creating look-alike emails and email addresses, telephone numbers, WhatsApp and cell numbers, and website addresses. Which brings us to …
A new and substantial danger – AI voice cloning
As AI explodes into every aspect of our lives, an increasing number of reports are made of “voice cloning” frauds.
Perhaps you get a call from “your attorney”, or your attorney gets a call from “you”. Or your “boss” or your “HR department” phone you. Perhaps the call is to ask for sensitive information or perhaps it is to ask for money. A particularly successful fraud here, because of its emotional content, could be a variation on “Hi Mum and Dad, I have a problem, can you send me R10k urgently please? Send it to…”.
You know the voice so you trust the call, but the reality of course is that a criminal has fed a sample of someone’s voice into an AI program and duplicated it perfectly (or at least perfectly enough to fool you in the heat of the moment). No doubt cloned video calls and other AI powered scams will proliferate soon if they aren’t already doing so.
Once again, constant awareness is the key to protecting yourself from this sort of scam. Never let your guard down!