A fast-acting staff member has thwarted cyber thieves from stealing $500,000 from a Perth real estate agent’s trust account, it has been reported.
The thieves are believed to have gained access to the agency's bank accounts through malware downloaded onto the agency's system, probably from an email attachment. The malware lets criminals record keystrokes and so capture bank login details, including passwords.
When the unauthorised withdrawal was discovered the next morning, a staff member immediately contacted the bank. That quick response allowed the bank to stop the transfer and return the funds before the scammers could collect the money.
David Hillyard, acting commissioner for Consumer Protection, commended the staff member for the quick action that saved the agency from a huge loss.
“A delay in reporting this loss and requesting stops be placed on the transfer could have resulted in the funds being in the hands of scammers and the agency facing a financial disaster,” Hillyard said.
“We commend the quick action that was taken which robbed the scammers of a huge windfall from their criminal activities and maintained the agency’s financial integrity. The agency’s best practice standard of reconciling their trust accounts daily was integral to their picking up on the theft quickly.”
Hillyard said the incident has prompted the agency to implement stricter measures to prevent cyberattacks.
“Even though the theft was prevented, the agency has implemented new and more secure connections to its bank through the use of a real-time device commonly called a Security Token which changes the internet banking authorisation passcode on a continual basis.”
“Two people are now required to independently enter their system-generated and unique passcode to jointly authorise all transfers of funds out of the trust account. These measures ensure that an unauthorised transfer request is rejected and the agency is advised.”
Hillyard advised businesses to be careful about opening attachments or clicking on links in seemingly harmless emails to avoid cyberattacks.
“Giving cyber criminals access to your computer by unknowingly downloading malware means the thieves can compromise your accounting and banking system or they can even spoof emails of executives, tricking staff into making payments. Staff should be trained to recognise the risks and query these emails to prevent incursions,” said Hillyard.
“Every business should have procedures and protocols which will prevent unauthorised access to their computer system and to detect malware. Having up-to-date anti-virus and anti-malware software is essential.
“Regular checking of bank account balances and daily reconciling of accounts may uncover unauthorised withdrawals in time for them to be stopped. We advise staff working in the finance area have strict processes around money transfers and changing supplier bank account or contact details.”
“Businesses should discuss their online banking security measures with their bank who may recommend extra measures to provide some peace of mind.”
“In this latest instance, the agency had put in place all reasonable securities and processes however the scammers were still able to trick the system into commencing the transaction to fraudulently move $500,000 out of their trust account.”
“Only through the quick actions of a very diligent staff member was the crime foiled on this occasion, but everyone needs to be vigilant so they don’t fall victim to these cyber criminals.”
Consumer Protection provided the following tips for preventing fraud losses:
- Install the latest security software and keep the operating system updated.
- Educate staff in basic electronic security measures.
- Consider using security tokens for e-banking, and set the security settings on devices to the highest possible level for all staff members.
- Do not store payee lists within online bank accounts, as anyone who gains access to the account can alter these entries. Payee details should be entered manually each time an electronic transfer of funds is created.
- Be wary of unsolicited emails purporting to be from the bank.
- Know that banks will never ask for personal details via email.
- Always type the bank’s address into the address bar when accessing it online.
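The daily trust-account reconciliation that Hillyard credits with catching the theft, as an added worked example in Python; this is not code from the agency or from Consumer Protection. It assumes two constructed data sets, the agency's ledger of payments it authorised and the bank's statement lines for the same day, and the ledger entries, statement lines, BSBs and account numbers are invented for illustration. The two-approver rule mirrors the dual-authorisation control described above.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    """A transfer the agency authorised through its own controls (constructed)."""
    ref: str
    amount: Decimal
    payee_bsb: str
    payee_acct: str
    approvers: tuple  # staff who each entered their own token passcode


@dataclass(frozen=True)
class BankLine:
    """One line from the bank's statement for the trust account (constructed)."""
    txn_id: str
    amount: Decimal
    counterparty_bsb: str
    counterparty_acct: str
    direction: str  # "DR" (money out) or "CR" (money in)


REQUIRED_APPROVERS = 2  # the dual-authorisation rule the agency adopted


def reconcile(ledger, statement, opening_balance, bank_closing_balance):
    """Compare the day's authorised payments with the bank's debits.

    Returns a dict with:
      unauthorised_debits  bank debits with no matching authorised payment
      unpresented          authorised payments the bank has not yet processed
      under_approved       ledger entries lacking two distinct approvers
      shortfall            balance the ledger predicts minus the bank's balance
    """
    # Index authorised payments by (amount, BSB, account). Several payments may
    # share a key, so keep a list and consume one entry per matching debit.
    pending = defaultdict(list)
    for p in ledger:
        pending[(p.amount, p.payee_bsb, p.payee_acct)].append(p)

    unauthorised = []
    credits = Decimal("0")
    for line in statement:
        if line.direction == "CR":
            credits += line.amount
            continue
        key = (line.amount, line.counterparty_bsb, line.counterparty_acct)
        if pending[key]:
            pending[key].pop()          # authorised and processed: matched
        else:
            unauthorised.append(line)   # money left with no authorisation

    unpresented = [p for group in pending.values() for p in group]
    under_approved = [p for p in ledger
                      if len(set(p.approvers)) < REQUIRED_APPROVERS]

    # What the balance should be if only authorised, processed payments left.
    matched_total = sum(p.amount for p in ledger) - sum(p.amount for p in unpresented)
    expected_closing = opening_balance - matched_total + credits
    return {
        "unauthorised_debits": unauthorised,
        "unpresented": unpresented,
        "under_approved": under_approved,
        "shortfall": expected_closing - bank_closing_balance,
    }


def run_example():
    """One constructed day of activity; returns the reconciliation result."""
    opening = Decimal("2450000.00")
    ledger = [
        Payment("P-1041", Decimal("12500.00"), "123-456", "10000001", ("alice", "bob")),
        Payment("P-1042", Decimal("3200.00"), "123-456", "10000002", ("alice", "bob")),
        Payment("P-1043", Decimal("45000.00"), "234-567", "10000003", ("bob", "carol")),
        Payment("P-1044", Decimal("900.00"), "345-678", "10000004", ("alice", "alice")),
    ]
    statement = [
        BankLine("T900", Decimal("12500.00"), "123-456", "10000001", "DR"),
        BankLine("T901", Decimal("3200.00"), "123-456", "10000002", "DR"),
        BankLine("T902", Decimal("500000.00"), "456-789", "99999999", "DR"),  # rogue
        BankLine("T903", Decimal("1800.00"), "567-890", "20000001", "CR"),
        BankLine("T904", Decimal("900.00"), "345-678", "10000004", "DR"),
    ]
    closing = Decimal("1935200.00")  # opening - all debits + credit, per the bank
    return reconcile(ledger, statement, opening, closing)


if __name__ == "__main__":
    result = run_example()
    for line in result["unauthorised_debits"]:
        print(f"CALL THE BANK: {line.txn_id} {line.amount} to "
              f"{line.counterparty_bsb} {line.counterparty_acct} not authorised")
    print("shortfall:", result["shortfall"])
```

The check flags three distinct problems from one pass: a debit the bank processed that nobody authorised (the item to phone the bank about at once), an authorised payment that has not cleared yet (expected, not alarming), and a ledger entry where one person approved twice, which the dual-authorisation rule is meant to make impossible. Matching on amount plus destination account rather than amount alone means a rogue transfer to an unfamiliar account is caught even if its amount happens to equal a legitimate payment.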