Iron Bastion - How to protect your conveyancing practice from payment redirection fraud
1. How to protect your conveyancing practice from payment redirection fraud?
Practical tips to defend your business from cyber attacks
2. Who we are
Nicholas
Technology and legal expert with over 20 years of industry experience
Gabor
Cybersecurity expert with over ten years' experience, having worked in both private and public sectors
4. What we are covering tonight…
1) Why cybercriminals target conveyancing practices
2) The consequences of being scammed
3) How payment redirection fraud works
4) How to protect your practice
5) Questions
6. Sit down if you….
❌ Have a business computer which does not have anti-virus
❌ Have advanced phishing protection in place?
❌ Do not know what two factor authentication (2FA) is, or have never used 2FA for your email
❌ Do you provide phishing awareness training to your employees?
Anyone still standing?
❌ Have used 2FA but turned it off because it was too inconvenient
8. 1) Why cybercriminals target conveyancers?
• Practitioners are low-hanging fruit for cybercriminals:
  • underinvestment in security
  • bad advice
  • no advice
• High-value financial transactions
• Insecure communication channels
• New e-conveyancing platforms
11. You do not have to look far for Aussie examples
• “MasterChef finalist caught in conveyancing hacker attack”
• Mid-May, a client lost about $700,000
• May 31, when a client lost more than $1 million
https://www.propertyobserver.com.au/forward-planning/advice-and-hot-topics/85862-pexa-warning-as-conveyancing-fraud-funds-end-up-in-thailand.html
https://www.smh.com.au/business/companies/masterchef-finalist-caught-in-conveyancing-hacker-attack-20180622-p4zn4o.html
16. 3) How payment redirection scams work
As easy as 1-2-3
1. Steal mailbox passwords
  • Phishing
  • Data breaches
2. Intercept emails
3. Tamper with payment instructions
17. Phishing
• Social Engineering
• Exploits the weaknesses in people – ‘click whirr’ behavioural responses
• Fake logins that capture credentials
18. Credentials from Data Breaches
• Websites get hacked.
• People reuse the same email and password across multiple online accounts.
26. I. Two-factor authentication (2FA)
How to turn on: https://blog.ironbastion.com.au/how-to-prevent-payment-misdirection-fraud-at-your-conveyancing-practice-2fa/
27. 4) How to protect your practice
1. Two-factor authentication (2FA)
2. Stop email spoofing
3. Better antivirus
4. Anti-phishing services
29. II. Stop email spoofing
How to impersonate
Saul Goodman <saul.goodman@sgassociates.com>
• Method #1 – Email Address Spoofing:
Saul’s email address and his name are spoofed on an incoming email so that the sender appears to be:
Saul Goodman <saul.goodman@sgassociates.com>
• Method #2 – Display Name Spoofing:
Only Saul’s name is spoofed, but not the email address:
Saul Goodman <saul.goodman1337@gmail.com>
30. II. Stop email spoofing
Method #1 – Email Address Spoofing:
Saul’s email address and his name are spoofed on an incoming email so that the sender appears to be:
Saul Goodman <saul.goodman@sgassociates.com>.
SPF/DKIM/DMARC DNS records
More: https://blog.ironbastion.com.au/email-impersonation-scams-phishing-what-your-staff-can-do/
31. II. Stop email spoofing
• Method #2 – Display Name Spoofing:
Only Saul’s name is spoofed, but not the email address:
Saul Goodman <saul.goodman1337@gmail.com>.
Add warning banners
Use anti-phishing services
More: https://blog.ironbastion.com.au/email-impersonation-scams-phishing-what-your-staff-can-do/
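The following Python is an added example (not from the slides or Iron Bastion) covering slides 29 to 31 together: it checks whether a DMARC record actually enforces a policy, reads the SPF/DKIM/DMARC verdicts a receiving server writes into the Authentication-Results header, and classifies an incoming From header as Method #1 address spoofing, Method #2 display-name spoofing, or an ordinary external sender, returning the warning banner to prepend. The practice domain, the contact directory, the sample headers and the banner wording are all constructed for the demo; a real gateway would take the contact list from the address book.

```python
import re
from email.utils import parseaddr

# Constructed for the example: the practice's own domain and the people staff
# regularly correspond with (name -> domain the name is expected to write from).
OUR_DOMAIN = "sgassociates.com"
KNOWN_CONTACTS = {"saul goodman": "sgassociates.com"}


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(txt: str) -> bool:
    """True only when receivers are told to quarantine or reject failures.
    p=none just produces reports and still lets address-spoofed mail through."""
    tags = parse_dmarc_record(txt)
    return tags.get("v") == "DMARC1" and tags.get("p", "").lower() in ("quarantine", "reject")


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {
        m.group(1).lower(): m.group(2).lower()
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)
    }


def classify_sender(from_header: str, auth_results: str = "") -> str:
    """Classify one incoming message by its From header and the gateway's verdicts."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == OUR_DOMAIN:
        # Method #1 (address spoofing): the address claims to be ours, so trust it
        # only when the receiving server's DMARC check passed.
        verdicts = parse_auth_results(auth_results)
        if verdicts.get("dmarc") == "pass":
            return "internal-authenticated"
        return "address-spoofing-suspected"
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:
        # Method #2 (display-name spoofing): a known person's name on a foreign address.
        return "display-name-spoofing"
    return "external"


BANNERS = {
    "internal-authenticated": "",
    "address-spoofing-suspected": "WARNING: this email claims to come from our domain but failed authentication.",
    "display-name-spoofing": "WARNING: the sender name matches a known contact but the address does not.",
    "external": "CAUTION: external sender. Confirm any payment instructions by phone before acting.",
}


def banner_for(from_header: str, auth_results: str = "") -> str:
    """Banner text to prepend to the message body ('' means no banner)."""
    return BANNERS[classify_sender(from_header, auth_results)]


if __name__ == "__main__":
    # Constructed sample headers for the two impersonation methods on the slides.
    samples = [
        ("Saul Goodman <saul.goodman@sgassociates.com>", "mx.example.net; spf=pass; dkim=pass; dmarc=pass"),
        ("Saul Goodman <saul.goodman@sgassociates.com>", "mx.example.net; spf=fail; dmarc=fail"),
        ("Saul Goodman <saul.goodman1337@gmail.com>", ""),
        ("Kim Wexler <kim@other.example>", ""),
    ]
    for from_header, auth in samples:
        print(f"{from_header!r:55} -> {classify_sender(from_header, auth)}")
    print("DMARC p=none enforcing?", dmarc_enforcing("v=DMARC1; p=none; rua=mailto:dmarc@sgassociates.com"))
```

Note that the Method #1 check only works once the domain publishes SPF, DKIM and an enforcing DMARC record; until then the receiving server has nothing to verify against and the Authentication-Results header carries no useful DMARC verdict.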
32. 4) How to protect your practice
1. Two-factor authentication (2FA)
2. Stop email spoofing
3. Better antivirus
4. Anti-phishing services
33. III. Better antivirus
Keeps your computer safe from:
• Ransomware
• Phishing
• Keyloggers
• Miscellaneous wizardry
34. III. Better antivirus
Buy the business version of any of these:
•avast!
•Avira
•Bitdefender
•ESET
•Kaspersky
35. 4) How to protect your practice
1. Two-factor authentication (2FA)
2. Stop email spoofing
3. Better antivirus
4. Anti-phishing services
36. IV. Anti-phishing services (email)
Pre-screens your incoming emails
• Superior to your spam filter
• Machine learning & AI powered
• Text semantics
• Web link protection
• Deep analysis of file attachments
37. IV. Anti-phishing services (email)
• Typically available as separate services for your email platform
• Works with every platform (Office 365, G Suite, GoDaddy, etc.)
• We suggest you research which providers on the market offer managed anti-phishing services
38. IV. Anti-phishing services (web browsing)
Web browsing protection protects from phishing attempts arriving in:
• Private emails
• Instant messengers (WeChat, etc.)
• Text messages
40. IV. Anti-phishing services (web browsing)
Blocks access to phishing websites on:
• Computers and smartphones
• In the office or on the road
• Protects your staff at home
42. III. Anti-phishing services (phishing awareness)
4% of people in any given phishing campaign will click on a phishing email*
1.Phish your own staff
2.Identify vulnerable people
3.Target them with training materials
* https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
44. 5) Where to get help
• Report the scam to ACCC ScamWatch, ACORN and ACSC
• Victims of identity theft: you should contact IDCARE, a not-for-profit that helps people
• Have a conversation with your IT Service Provider, or staff. Use these slides as a talking point!