Beating cybercrime 101
“The risk to the legal profession in South Africa is exacerbated by our being the second most targeted country in the world with regard to cyber-attacks. In the case of business eMail compromises, the Attorneys Indemnity Insurance Fund (AIIF), [now the Legal Practitioners Indemnity Insurance Fund (LPIIF)] reported in August of 2018 that since the exclusion of cyber liability insurance with effect from the 1st July 2016 they had been notified of over 110 cybercrime related claims with a total value of R70 million” (Anthony Pillay, LSSA)
One of the increasing risks you face as a conveyancer is cyber-crime, and you can expect that trend to continue as online criminals become more and more sophisticated in how they lull you and your clients into accepting their fraudulent emails as genuine.
You are particularly at risk in that the property industry will always remain a favourite target both because of the rich pickings on offer and because of the flurry of (interceptable) electronic communications that these days accompany the transfer process.
This article discusses the recent High Court judgment against a conveyancer who fell victim to a cyber scam and now has to pay out almost R1m in damages to her clients.
You have no LPIIF cover!
As the LPIIF reminds everyone in its July 2019 Risk Alert Bulletin: “We wish to draw particular attention to the exclusion of cybercrime (clause 16(o)). Risk management steps must be taken by practitioners within their practices to mitigate cyber risk.”
Read also Anthony Pillay’s article “Cyber liability insurance”.
Two broad categories of scam to beware of
To date the two main categories of scam remain –
- Your payments to your clients: You receive a genuine-looking email “from your client” changing their banking details to “my new account”. Your emails to and from your client have been intercepted, and your client’s details cleverly spoofed. If you pay the transfer proceeds into the “new account” the money is gone and you risk not only losing a good client and suffering reputational damage, but also having to cough up a large amount of money by way of damages (see below).
- Your clients’ payments to you: Once again emails are intercepted, and this time your clients receive an authentic-looking but entirely fraudulent “we’ve changed our banking details” notification from “your firm”. They fall for it and pay the purchase price, transfer costs etc into the scammer’s account. Expect these emails to carry a very clever simulation of your firm’s branding, details and email address.
Your risk of being sued
“Attorney’s profession is an honourable profession which demands complete reliability and integrity from the members thereof” (Extract from the judgment below)
Have a read of the recent Eastern Cape High Court, Port Elizabeth, judgment in the case of Jurgens and Another v Volschenk (4067/18)  ZAECPEHC 41 – available on SAFLII.
- In a nutshell, a transferring attorney was ordered to pay her client R 967,510-53 in damages, plus interest and costs, for negligence.
- A scammer had intercepted emails between the attorney’s secretary and the sellers. This was a classic “Category 1” operation, and seemingly a sophisticated one – the scammer persuaded the secretary to accept an emailed “my bank account details have changed” instruction and to pay the proceeds into the scammer’s account. Read the judgment for the full details – both secretary and client were taken in hook, line and sinker.
- The sellers sued the attorney for damages, the attorney denied any negligence whatsoever, but the Court found that she had indeed failed to carry out her mandate with the “due care, skill and diligence expected of a reasonable attorney and a conveyancer in the circumstances.”
- Of course the Court reached this conclusion on the particular facts of this matter. There were specific factors present here, said the Court, such that a “diligent, reasonable attorney” would have taken steps to verify the information in the fraudulent emails. Which means that had the facts been different, the sellers might have been unable to prove any failure of duty by the attorney, in which event their claim would have failed.
But why take a risk at all? And of course prevention is always better than cure, so…
Nine steps to protecting your firm, your reputation and your clients
Here are some ideas on how to ensure that you and your clients are protected from these scams and from the inevitable fallout –
- Firstly, train your staff on all of this and maintain proper supervision of the whole transfer process. In the High Court case in question, the attorney’s attempt to shift all the blame on to her secretary failed, the Court holding that “When the respondent entrusted the management of the applicants’ affairs to her secretary she had a duty to ensure proper supervision and control in order to safeguard her clients’ money.”
- Read last year’s “LSSA Cybercrime advisory” on GhostDigest. Note in particular the recommendation re wording in all your emails and other communications to clients alerting them to the fact that you will never advise them of a change of bank details by way of an email or other electronic communication. Ensure that all your emails have a consistent signature format which includes this notification by default. Let us help you here with our DotNews Email Branding service.
- When you take your first Instruction to Register Transfer, make sure that it includes a written, signed and dated instruction to you by your client nominating a bank account for receipt of all payments from your firm.
- Lexis Convey users can also take advantage of the AVS functionality (Bank Account Verification Search), which is available in Lexis Convey via its integration with Lexis WinDeed.
- Equally of course, your firm should never accept any purported change in your client’s banking details without confirming it direct with the client – in person if possible.
- If your electronic communication systems are vulnerable the criminals will exploit them. So keep all your anti-virus, anti-malware and other security software updated, learn all about protecting yourself from malware/spyware/phishing attacks, and generally treat all electronic communications with caution – whether or not they look genuine.
- Read “Is That Sender For Real? Three Ways to Verify the Identity of An Email” on FRSecure’s blog. All the tips given there are important, but at the very least use the methods given to find out where the email really comes from. Then check back to see that it matches in every detail the email address you were given at the start of the transfer process.
- Be suspicious if anything in an email just feels “not-quite-right” – perhaps only a cell phone number is given, or a free generic email address (like Gmail) is used, or the wording is somehow “off”. If the email makes you even the slightest bit uneasy, err on the side of caution and investigate further.
- Last, but certainly not least, make sure that all your clients are aware of the dangers. No matter how many safeguards you may have in place on your side, if your clients are the weak link in the chain that is where the scammers will strike! Repeating this warning regularly (in your LawDotNews monthly newsletter for example) will ensure that it always remains top-of-mind with your clients.
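The sender check described in the list above (find out where the email really comes from, then compare it in every detail with the address you were given at the start of the transfer) can be run against a saved copy of the message. The Python below is an added example, not part of the original article; the sample message, the addresses and the function name `check_sender` are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from a real matter): the display name shows the
# client's genuine address, but the real mailbox is on a lookalike domain
# and replies are redirected to a free webmail account.
SAMPLE = """\
From: "j.seller@seller-mail.example" <j.seller@se11er-mail.example>
Reply-To: j.seller.new@freemail.example
To: transfers@lawfirm.example
Subject: My bank account details have changed

Please pay the proceeds into my new account.
"""


def check_sender(raw_message, address_on_file):
    """Compare a message's sender headers with the address recorded at the
    start of the transfer; return a list of mismatches (empty if none)."""
    msg = message_from_string(raw_message)
    expected = address_on_file.strip().lower()
    findings = []

    # The actual mailbox is the part in angle brackets, not the display name.
    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    if from_addr != expected:
        findings.append(f"From is {from_addr!r}, address on file is {expected!r}")

    # A display name that itself looks like an address but differs from the
    # real mailbox is a common way to make a forged sender look genuine.
    shown = parseaddr(display)[1].lower() if "@" in display else ""
    if shown and shown != from_addr:
        findings.append(f"Display name shows {shown!r} but mailbox is {from_addr!r}")

    # Reply-To decides where your answer goes; it should also match.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != expected:
        findings.append(f"Reply-To is {reply_to!r}, address on file is {expected!r}")

    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE, "j.seller@seller-mail.example"):
        print("MISMATCH:", finding)
```

A clean result only means the headers match the address on file; any change of banking details still has to be confirmed directly with the client.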
Article first published on LexisDigest