Why Australian property and real estate CISOs need to be on high alert

Property-related scams are rising in Australia, the Australian Cyber Security Centre (ACSC) recently warned. Cybercriminals are targeting all parties in the real estate sector, particularly during the settlement phase. With transactions involving large sums of money, potentially running into millions of dollars from house sale transactions, there’s a lot at risk.

Paul Haskell-Dowland, associate dean for computing and security at Edith Cowan University, has investigated invoice fraud for ABC News and is also the Australian country representative on the security and privacy committee with the International Federation for Information Processing. He says when it comes to a property settlement, people have an inherent belief in payment instructions and just act upon it. “What we need to do is change that practice and have an independent verification of every single transaction,” he tells CSO Australia.

It’s cybersecurity issue with a human face to it. “We see an email and believe it and the processes,” Haskell-Dowland says. “Even if the settlement agent can be shown to be culpable—and in those cases maybe there is a financial case and that will probably come out of their insurance policies—the fact is there’s still a cost to all of this. And it will ultimately be borne by increased settlement costs to sellers and buyers. It will always be the individuals who will suffer because these costs have to be passed on,” he says.

The ACSC advises settlement agents and lawyers to be wary of updating bank account details, particularly before updating Property Exchange Australia (PEXA), the online platform for property transactions. Cybercriminals impersonate a property seller and request their bank details to be updated, leading settlement agents to introduce these fraudulent details into the PEXA system. “PEXA remains secure, yet the new bank account details are fraudulent, resulting in the buyer sending funds to the cybercriminal’s bank account,” the ACSC says in its advisory.

How people become the fault in the system

The majority of cases of property-settlement fraud are linked to business email compromise on the sender’s or the receiver’s end. The compromise can happen when a computer is infected by malware or an email account is compromised and instructions in the email or an attachment can be modified during the transitstage.

Haskell-Dowland sees this not as a fault of the transaction mechanism itself, but rather of how the system is used: “the fact that people are inherently trusting and the fact that we still believe IT systems are trustworthy. So we see an email and believe in the processes that we’ve got. When it comes to a settlement, there is that inherent belief when you receive that instruction to pay an amount of money to a bank account, you just act upon it,” he says.

“Someone is entering the details of accounts numbers, but if it is not independently verified, the information itself becomes the problem. They’re typing it in, and probably checking it carefully and making sure that it’s exactly as provided to them, but they’re not validating the authenticity of the information,” Haskell-Dowland says.

Both education and policy are needed to minimise the human element that is exploited to create the vulnerability. While CISOs need to know their technical people have all the standard security countermeasures in place, the underlying risk is really about human nature.

“While organisations are paying a lot more attention to human factors, and there’s enhanced attention to onboarding, Haskell-Dowland says there’s still probably too much of a focus on the more traditional cybersecurity messages, such as on being wary of attachments in emails or on rogue USB keys.

What’s needed is the use of both process and policy so that there is an appropriate level of safeguarding around email and transaction systems. And ultimately there need to be consequences if someone doesn’t follow the rules “because that settlement agency could lose its privileged position within systems” he says. “They ought to take their role seriously in ensuring that their staff are following all those same rules as well. This needs an element of governance wrapped around it in terms of rules and processes within the organisation. But [there also needs to be] an acknowledgement that individuals play a significant part in this,” he adds.

How property-related CISOs should respond

“It’s unsurprising hackers have set their eyes on the real estate industry, lured by high-value payments they handle on behalf of their clients,” says Phill Zongo, CEO of the Cyber Leadership Institute and a member of ISACA Emerging Trends Working Group.

Multifactor authentication (MFA), complex passwords, and recovery emails are all needed to protect against email accounts being compromised, but there is also another important line of defence outside of the purely technical side that is just as important.

Zongo says employees need to be given the okay to develop questioning attitudes and even challenge high-risk requests, such as emailing sensitive information or processing payments, regardless of their origin—the CEO, direct managers, customers, regulators, or auditors. “Cultivating a positive culture is especially important for smaller enterprises, where CEOs or owners are very powerful and their directives are often barely questioned,” Zongo tells CSO Australia. “Toxic cultures are fertile ground for BEC [business email compromise] scams.”

On the technical front, a process of dual approval for all payment transactions is needed. “Tricking two individuals is harder than tricking one,” he says. Added to that, MFA is essential to make it exponentially harder to compromise these accounts.

Zongo also says that staff who interact with customers should get a feel for their usual habits, particularly around payment patterns. “Familiarity with client norms makes it easier to detect unusual requests,” he says. “For instance, an unusual payment request by a local banking client ‘stranded’ or ‘taken hostage’ in a foreign nation should raise alarms.”

There are also defensive steps to minimise fraud from fake websites that businesses can take, especially those involved in high-value property transactions. “Purchase internet domains that closely resemble yours, making it difficult for fraudsters to establish fictitious email accounts and websites,” he says.

If your organisation has been hit by an attack, in addition to the obvious steps to recover, Zongo says it’s essential that CISOs take steps to check the password-recovery secondary email, secret question, or mobile phone number to ensure they have not been changed. “Cybercriminals often change this vital information once they gain unauthorised access to an email account to facilitate future scams,” he says.

There is also a possibility that scammers may have installed some keylogging program on the computer to steal credentials, so this needs to be checked as well. “As a precaution, consider engaging your IT service provider to reinstall your operating system and security software, as well as run a full security scan on your files,” he says.

Is a transaction ID the answer?

Verifying the identity of the recipient, similar to the existing PayID, could minimise some of the vulnerability, Edith Cowan University’s Haskell-Dowland says. “If it’s acceptable to show personal information for PayID, why isn’t it done for normal electronic transactions to a BSB [bank-state-branch number] and account number?”

“How easy it would be for the banks to display the recipient’s name when you go in to create a bank transfer in their online banking,” he says. And while some may express concerns about sensitivity and about confidentiality, her counters that we already have this kind of things with PayID. “When you go into a PayID transaction, you type in the person’s email address or phone number and it will come up with the name of the account holder name,” he says.

“The same thing could be true of settlement. When that information is put into the settlement system, why doesn’t it come up with a verification on screen of the registered account holder that could then be compared with the information not in the payment transaction, but in other associated information that you’ve got in terms of the settlement process?” Haskell-Dowland suggests.

While independent verification of every transaction is technically possible, Haskell-Dowland admits it’s introducing a potentially significant hurdle in the process. But he says that it’s worthwhile to do so “when you’re dealing with million-dollar transactions,” he says.

Another option is a low-tech workaround of phoning the person and verifying the details for any electronic transaction. “We shouldn’t just be trusting the information that we see in an email address, simply because our email client say is it came from person X, because an email can be made to look like it’s come from absolutely anybody,” he says. “It’s got to be an out-of-band verification, not using any of the information that you’ve received via the email.”