Property Section Workshop: Fraud and cyber-security for property practitioners · 2017-05-10 ·...

Property Section Workshop: Fraud and cyber-security for property practitioners

Peter Rodd, Senior Partner, Boys & Maughan

Bristol (April 25), London (May 9), Birmingham (May 18), Manchester (May 23), Southampton (June 27)

No Silver Bullet

Cyber Crime

Cyber Crime and Fraud

1. Consequences of Fraud and Cyber Crime

2. The Regulatory Position

3. What Would it Mean in Practice?

4. Are You Covered By PII?

5. What Are the Risks?

6. How to Protect Your Firm

1. Consequences of Cyber Crime and Fraud

When did it all begin?

Victoria Derbyshire Programme on 7th January reported:

• From 1st Jan 2014 to 31st October 2015

• 91 crimes of that nature

• Totalling £10.2m

• Average loss of £112,310

• http://www.thisismoney.co.uk/money/mortgageshome/article-3385825/Sarah-Ritchie-saved-45-000-dream-home-lost-devastating-new-scam.html

• Newlyweds saved £45,000 deposit towards their dream first home - then lost everything in a cruel new online scam

• Newlyweds lose £45k deposit for three-bedroom home in cruel scam

• Computer hacker monitors emails between buyer and solicitor

• Hackers send buyers fraudulent emails purporting to be from solicitor

• Buyers send cash to hackers rather than solicitors, losing thousands

• Phishing and Vishing have been around for years, but it is the way in which criminals use these techniques to scam consumers that has changed.

• One of the first phishing attacks goes back to 1996, when hackers tried to steal America Online passwords from online users.

You’ve been scammed!

• What would happen if £500,000 had wrongly been removed from your client account?

• What action do you need to take?

• Who do you need to talk to?

• What impact would it have on your firm?

• Would you survive?

Adverse Impact on Profits

• Financial Loss

• Reputation – ‘Talk Talk’

• Time

• Future Insurance

• Staff

• Closure of Business

• Regulatory Position

2. The Regulatory Position

• Law Society Practice Notes:

– What happens if you fall victim to a scam? (20th August 2015)

– Protecting your firm if you fall victim to a scam (14 January 2016, last updated 20 December 2016)

http://www.lawsociety.org.uk/support-services/advice/practice-notes/protecting-your-firm-if-you-fall-victim-to-a-scam/

The Regulatory Position

• Principle 2 - 'act with integrity'

• Principle 5 - 'acting in the best interests of each client'

• Principle 6 - 'behave in a way that maintains the trust the public places in you and the provision of legal services'

• Principle 7 - 'comply with your legal and regulatory obligations and deal with your regulators and ombudsmen in an open, timely and co-operative manner'

• Principle 8 - 'run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles'

• Principle 10 - 'protect client money and assets'

SRA Outcomes

• (1.1) You treat your clients fairly.

• (1.2) You provide services to your clients in a manner which protects their interests in their matter, subject to the proper administration of justice.

• (1.12) Clients are in a position to make informed decisions about the services they need, how their matter will be handled and the options available to them.

• (1.16) You inform current clients if you discover any act or omission which could give rise to a claim by them against you.

Rule 4 of the SRA Code of Conduct: Confidentiality and disclosure

• (4.1) You keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents.

• (4.2) Any individual who is advising a client makes that client aware of all information material to that retainer of which the individual has personal knowledge.

Fraud Act 2006

• Section 3 sets out the circumstances in which it is an offence not to disclose information to others (such as the client)

• Section 4 sets out that people (such as solicitors) who are in a position where they are expected to safeguard the financial interests of others commit an offence when they fail to do this

3. What does it mean in practice?


Who you going to call?

• Inform your bank. Do you have an emergency contact?

• Inform the police at the National Fraud and Cyber Crime Reporting Centre on 0300 123 2040.

• Inform your professional indemnity insurer.

• Inform the Solicitors Regulation Authority (SRA) by telephone on 0121 329 6827 or email at [email protected].


Implement your emergency action plan!

•Do you have one?

•Who knows what it contains?

•Are all the relevant telephone numbers readily to hand?

•When did you last update it?

Do you need to make use of the Cyber Incident Response (CIR) service? http://www.cpni.gov.uk/advice/cyber/cir/


Can you continue to use your client account?

SRA Warning notice ‘Money missing from client account’

http://www.sra.org.uk/solicitors/code-of-conduct/guidance/warning-notices/Money-missing-from-client-account--Warning-notice.page

• SRA Accounts Rules 2011

• It is your duty to remedy breaches of the SRA Accounts Rules 2011. Specifically, Rule 7 states:

• 7.1 Any breach of the rules must be remedied promptly upon discovery. This includes the replacement of any money improperly withheld or withdrawn from a client account.

• 7.2 In a private practice, the duty to remedy breaches rests not only on the person causing the breach, but also on all the principals in the firm. This duty extends to replacing missing client money from the principals' own resources, even if the money has been misappropriated by an employee or another principal, and whether or not a claim is subsequently made on the firm's insurance or the Compensation Fund.

• There is a clear duty in the SRA Accounts Rules to replace a deficiency in a client account.

• In the general law, trustees in breach of trust also have a duty to replace a deficiency.

• Operating a deficient client account may involve immediate and continuing breaches of trust – by paying some clients their full entitlement, the amount left for other clients reduces.

• You may well breach your duty to act in the best interests of clients if you pay client money into an already deficient account without fully informed consent - no properly advised client would pay funds into a deficient account with the risk of only receiving a proportion back. Failing to inform clients exposes them to a risk of loss (see O 4.2).

• Until missing money is replaced, you should not take costs from the client account – you cannot “properly” require payment of your fees from money held in a client account in such circumstances and so rules 17.2 and 17.3 of the SRA Accounts Rules 2011 will not apply. Nor is it in the best interests of clients for you to take costs from client account when there is insufficient in the account for you to pay them in full.

• If you or your insurers do not replace the money promptly, you are at serious risk of intervention by the SRA. Intervention may be necessary in any event if there is reason to suspect dishonesty or other grounds for intervention arise.

• Since it is unlikely that a deficient client account can be operated without further breach of trust, you may well need to apply to the court for directions as to how to distribute the remaining funds.

• Offences under the Fraud Act 2006 may be committed once you are on notice that money is missing if you do not act properly and honestly.

4. Are you covered by PII?


Professional Indemnity Insurance

The definition of a claim in the PII Minimum Terms and Conditions (MTC) wording provides that an obligation on the part of an insured firm to replace a client account shortage amounts to a claim under the firm's PII policy.

Will insurers immediately replace missing money?

Clause 7 of the Participating Insurer's Agreement imposes an obligation on the insurer to act with the utmost good faith in the course of its dealings, as well as to pay claims without avoidable delay after liability under the policy has been established and the amount payable by the insurer has been agreed.

BUT,

SRA will expect the principals to make good the client account shortage from their own resources in order to meet the urgency of the situation or to insist upon closure of your firm.

It may be advisable to buy in specialist legal advice to assist.

Potential problems with lenders. Can you complete a purchase due to happen the day after you discover the money is missing?

The SRA's policy in this area is in the process of development.

5. What are the Risks?


• Vishing – the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

• Phishing – the attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

• Whaling – a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles.

• Spear Phishing – Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

• Clone Phishing – A type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original.

• Malware – Short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.

• Friday afternoon scams – The frauds typically take place on a Friday afternoon when the scammers know client accounts are likely to hold large amounts of money in readiness for house completions.

• Friday afternoon fraud examples:

– A client's email account may be hacked and the solicitor be instructed to transfer proceeds from their sale to a different bank account;

– A solicitor may receive a telephone call, purportedly from the bank's anti-fraud team, warning of ‘suspicious activity’ and advising them to transfer the contents of the account elsewhere on the bank's instructions or to provide account details and passwords so that money can be replaced;

– A solicitor's own email account may be hacked or impersonated so clients are directed to send monies to accounts other than the solicitor's client account.

• Intercepted emails

• Bogus websites

• False friend

• Surveys

• Screenshot manager – allows criminals to take screenshots of your computer screen

• Ad clicker – allows a criminal to direct a victim’s computer to click a specific link

• Webcam manager – where criminals take over your webcam

• Distributed Denial of Service (DDOS) attacks

• Botnet (combination of robot and network)

– a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam or a DDOS attack.

• Ransomware – a type of malicious software designed to block access to a computer system until a sum of money is paid.

– https://www.nomoreransom.org/

Intercepted emails:

New National Fraud Intelligence Bureau (NFIB) crime figures show an 85% year-on-year increase in stolen buyers’ deposits. In 2015 there were 86 recorded losses and now this has increased to 159 losses for 2016, that’s more than 1 every other working day!

New fraud methods are being used where clients have received telephone calls from fraudsters impersonating their conveyancer’s accounts department. These calls are made just after the buyer has received their final report, and the fraudster requests that funds are transferred to a bogus client account.

6. How to protect your firm

Knowledge!

• If you open a scam email what might be the result?

- Malware

- Ransomware

- Virus

• Would you know this was on your system?

SRA Alerts: http://www.sra.org.uk/consumers/scam-alerts/scam-alerts.page

SRA Articles:

In the Shadows - Bogus Firms

http://www.sra.org.uk/risk/resources/risks-associated-bogus-firms.page

Spiders in the Web - Online Crime

http://www.sra.org.uk/documents/solicitors/freedom-in-practice/cybercrime.pdf

Question of Ethics

http://www.sra.org.uk/solicitors/code-of-conduct/guidance/questionofethics/June-2015.page

Law Society Practice Notes:

Professional indemnity insurance (Last updated: 18 July 2016) http://www.lawsociety.org.uk/support-services/advice/practice-notes/professional-indemnity-insurance/

Information Security (11 October 2011) http://www.lawsociety.org.uk/support-services/advice/practice-notes/information-security/

Mortgage Fraud (Last updated: 31 July 2014) http://www.lawsociety.org.uk/support-services/advice/practice-notes/mortgage-fraud/

Property and Registration Fraud (11 October 2010) http://www.lawsociety.org.uk/support-services/advice/practice-notes/property-and-registration-fraud/

Cyber Insurance: What might it cover?

• Fines and investigations – Covering the potentially significant costs and expenses of data protection regulator investigations and legally insurable fines following data security breaches.

• Crisis management – This includes: Cyber incident response services following a data breach, PR, repair of company and individual reputations, breach coaching, and notification and monitoring costs associated with a breach of information.

• Electronic data – Covering the costs of making data safe again after a leak or breach.

• Data Liability – Covering the financial consequences of losing or mis-appropriating client or employee data on your network or network devices.

• Business/Network Interruption – Covering the loss of net profit as a result of a material interruption to the insured’s network, after a denial of service attack or network security breach.

• Multimedia Liability – Covering the damages and defence costs incurred in connection with a breach of third party intellectual property, or negligence in connection with electronic content.

• Cyber/Privacy Extortion – Covering ransom payments (extortion loss) to third parties incurred in terminating a security threat.

What are the two most important things that you can do to protect your firm?

Training!

More Training!

and third is

Repeat the Training regularly!

New Law Society advice on protection against scams

11 February 2016

http://www.lawsociety.org.uk/news/stories/new-law-society-advice-on-protection-against-scams/

Protecting your firm against scams

http://www.lawsociety.org.uk/Support-services/Practice-management/Scam-prevention/

Practical tips to protect your firm from scams

9 February 2016

http://www.lawsociety.org.uk/support-services/practice-management/scam-prevention/practical-tips-to-protect-your-firm-from-scams/

Let’s get down to basics

Who runs your computer system?

What is the extent of their knowledge?

What type of anti-virus and anti-malware software do you use?

How do you decide?

Does your system have real-time scanning?

How often does your anti-malware/virus update?

Zero-day attacks

Is all of your software up to date?

• Knowledge of how the risks arise.

• Checking that people are calling from where they say they are calling from.

• Encouraging employees to use strong, unique passwords and change them regularly ???????????

• Don’t allow personal emails at work.

• Protect operating systems with up-to-date security software.

• Using secure wireless connections – such as virtual private network (VPN) software – to encrypt wireless communications.

• Making sure that you are completely happy with your outsourced IT provider (if you have one), and that you understand how your systems are protected.

• Consider internal procedures, such as how you verify that the destination account for the proceeds of a house sale belongs to your client. (Copy bank statement?)

• Set out bank details at the beginning of a transaction stating that this will not be changed.

• Verify your bank account by telephone.

• Balance between adequate safeguards and still getting the job done!

Specifically:

Phishing Emails

• Training - How to spot a bogus email:

- Were you expecting the email?

- Incorrect URL (Uniform Resource Locator, commonly informally termed a web address)

- Sender’s Email Address

- Your Name - Analyse the salutation

- Typos

- Low Resolution Images

- Look but don’t click

- Review the signature

- Beware of urgent or threatening language in the subject line

- Don’t believe everything you see
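As an added example (not from the workshop slides), the Python below runs four items of that checklist, sender address, urgent subject line, salutation and link target, over two constructed emails; the firm domain boysandmaughan.example, the addresses and the URLs are invented for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: every name, address and URL below is invented, and the
# firm's genuine sending domain is assumed to be boysandmaughan.example.
EXPECTED_SENDER_DOMAIN = "boysandmaughan.example"
BOGUS_EMAIL = b"""\
From: "Boys & Maughan Accounts" <accounts@boys-maughan-payments.example>
Subject: URGENT: updated bank details - action required today
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>Our client account has changed. Please send
completion funds using the details at
<a href="http://203.0.113.5/pay">www.boysandmaughan.example/funds</a> before 4pm today.
</p></body></html>
"""

GENUINE_EMAIL = b"""\
From: "Boys & Maughan Accounts" <accounts@boysandmaughan.example>
Subject: Completion statement for 12 High Street
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Mrs Smith,</p><p>Your completion statement is attached. Our
bank details were set out in our client care letter and will not change; see
<a href="https://www.boysandmaughan.example/funds">www.boysandmaughan.example/funds</a>.
</p></body></html>
"""

URGENT_WORDS = ("urgent", "immediately", "today", "action required", "suspended")
GENERIC_SALUTATIONS = ("dear customer", "dear client", "dear sir/madam", "dear user")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    # Hostname of a URL, or of bare anchor text such as www.example.net/path.
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def phishing_indicators(raw, expected_domain):
    """Return the checklist items above that fire for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    # Sender's email address: the display name can look right while the
    # address behind it belongs to a look-alike domain.
    _name, addr = parseaddr(msg.get("From", ""))
    if addr.rsplit("@", 1)[-1].lower() != expected_domain:
        found.append("sender-domain-mismatch")
    # Urgent or threatening language in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENT_WORDS):
        found.append("urgent-subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Analyse the salutation: a generic greeting rather than your name.
    if any(greeting in text.lower() for greeting in GENERIC_SALUTATIONS):
        found.append("generic-salutation")
    # Look but don't click: the address shown and the real link target differ.
    parser = LinkExtractor()
    parser.feed(text)
    if any(_host(href) != _host(shown) for href, shown in parser.links if shown):
        found.append("link-target-mismatch")
    return found
```

The same function run on the genuine sample returns an empty list, so the checks can sit in front of a mailbox without flagging routine correspondence.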

• Training - What to look for:

• My desktop looks different.

• Why is my PC running slow?

• What are these funny windows that sometimes open?

• There’s a new icon on my desktop.

• When I log on to the internet, it goes to a different homepage.

• If something looks wrong, it probably is!

- Develop a suspicious approach.

- It’s not just an IT problem!

- No personal emails.

- Which members of staff cause the biggest headaches?

• No blame culture - “I clicked on the email but nothing happened so I don’t have to tell anyone.”

• Well maintained IT system – regular scans - How often does your anti-virus software update? Zero-day vulnerability risk.

- Virus check all discs/memory cards.

- Don’t allow macros to run automatically.

Specifically:

Intercepted and Bogus Emails

• Never send bank details by email.

• Never accept email instructions for net proceeds of sale.

• Warn clients of the risk: - Don’t hide the warning in your T&Cs.

- Is your client care letter already too long?

- What do you need to tell clients?

Seen on the bottom of one firm’s emails:

“IF WE HAVE SENT YOU OUR BANK DETAILS BEFORE YOU SEND US ANY FUNDS PLEASE CALL US TO VERIFY THOSE BANK DETAILS. THIS IS SO THAT WE CAN PREVENT FRAUD AND THE DIVERSION OF FUNDS MEANT FOR THIS FIRM”

Is this a good idea?

Seen on the bottom of one firm’s emails:

• Fee earner Name and Qualifications

• Full postal address

• T: 01234 56789 - Probate and Conveyancing

• 01987 65432 - Criminal, Civil and Matrimonial Solicitors F: 001122345 DX 1234 Somewhere

• Partners: Alan Bloggs LLB – Charlie David LLB Regulated by the Solicitors Regulation Authority No: 00000 Cybercrime Alert: Bank Details Please be aware that there is a significant risk posed by Cyber fraud, specifically affecting email accounts and bank account details. PLEASE NOTE that our bank account details WILL NOT change during the course of a transaction, and we WILL NOT change our bank details via email. If in any doubt, please be careful to check account details with us in person. WE WILL NOT accept responsibility if you transfer money into an incorrect account.

• NOTE: This e-mail transmission is strictly confidential and intended only for the addressee. It may contain privileged and confidential information. If you are not the person for whom it is intended, you must not copy, distribute or take any action in reliance on


Warning!

Our bank account details are as follows:

We will never send you an email asking you to send money to any other account.

We will never telephone you asking you to send money to any other account.

If you receive a request to send funds to any other account, please contact us immediately by using the telephone number on our headed notepaper.

We will never ask you to contact us by ringing any other number.

Please keep this information for future reference.

Specifically:

Vishing Telephone Calls

• Establish protocols with your bank:

- Who from the bank would contact you?

- Who would they ask for?

- Who can you contact in an emergency?

- Limit the people the bank can speak to and agree that with the bank.

• Always ring back - Use a different phone or ring another number first.

- Use a number that you know is genuine, not one you’ve been given.

- If in doubt, check the number you’ve been given with:

• Your relationship manager.

• The bank’s website.

- Be aware of what the bank will and will not ask you.

- Never transfer money to another account for safety.

- Remember that the number displayed on your telephone may not be correct.

- Be wary about giving any security information over the phone.

- If in doubt get someone else to ring your bank whilst you remain on the line.

Once the buyer has been invited to the Safe Buyer Scheme by their conveyancer, the buyer logs in and decides whether he/she wants to purchase Safe Buyer to protect them from fraud – which is explained so they can make an informed decision. If the buyer declines Safe Buyer, their decision to proceed at their own risk is recorded in the Safe Buyer Scheme so the firm can prove it acted diligently in providing the customer advice if required to provide an audit. If the buyer wants to purchase Safe Buyer they pay online and can then check the bank account details whenever they like.

Safe Buyer costs £10 + VAT.

• Training - All staff, not just cashiers and conveyancers.

- Where is the weakest link in your firm?

- Make sure staff know what information they can and can’t give out.

- Refresh training regularly.

- Don’t make it easy for criminals:

• Understand and explain to receptionists the importance of their role.

- Beware overconfidence.

- Have procedures and policies in place to deal with likely scenarios.

- Ask staff if they know the latest scam:

• They don’t know – it hasn’t been identified yet!

- Constant vigilance.

• Lawyer Checker

• Lender Exchange

• Lock in regular account details for solicitors with whom you deal regularly and for lenders where the same account details are provided for mortgage redemptions.

How to protect your firm

• 123456

• 123456789

• Qwerty

• 12345678

• 111111

• 123321

• 666666

• 18atckd2w

• 7777777

• 1q2w3e4r

• 1234567890

• 1234567

• password

• 123123

• 987654321

• Qwertyuiop

• Mynoob

• 654321

• 555555

• 3rjs1la7qe

• google

• 1q2w3e4r5t

• 123qwe

• zxcvbnm

• 1q2w3e

Estimated time to crack (https://howsecureismypassword.net/ and http://www.passwordmeter.com/):

• Password (instantly)

• )zWx”(fE (130,000 years)

• Spurs£Win£The£Cup£ (586 trillion years)

• Arsenal£Win£The£Cup£ (3 quintillion years)

How to protect your firm

How to send a spoof email:

https://emkei.cz/

http://www.anonymailer.net/

http://www.deadfake.com/Send.aspx

STOP AND THINK

• Never disclose security details, such as your PIN or full banking password

• Don’t assume an email, text or phone call is authentic

• Don’t be rushed – a genuine organisation won’t mind waiting

• Listen to your instincts – you know if something doesn’t feel right

• Stay in control – don’t panic and make a decision you’ll regret

• https://takefive-stopfraud.org.uk/scam-academy/

Factory Default Administrator Passwords

Have you changed the default login and password details for your router?

http://www.routerpasswords.com/