Email fraud targets lawyers
Lawyers, homebuyers and real estate agents are being warned by Westpac of an email fraud with the potential to steal hundreds of thousands of dollars in a single hit.
Westpac’s Financial Crime Management Team recently disrupted a scam whereby a fraudster aimed to direct the $600,000 payment for the settlement of an entire house sale to themselves.
The scheme involves fraudsters penetrating a New Zealand law firm, often by claiming they are interested in buying a house and are interested in using the law firm to do the conveyancing.
Emails are exchanged and eventually the fraudsters send an email with “important documents” attached. These are locked and access requires the lawyer to enter their email address and password. This information is harvested by the fraudsters, giving them access to the lawyer’s email account.
The fraudsters then wait and monitor the lawyer’s email, until they see an indication of an upcoming settlement or payment to be made by a client.
When the deadline for the payment arrives, the fraudsters email the client from the lawyer’s compromised email address to remind them of the payment.
They also send an invoice with payment details, where the bank account details have been altered. The client then makes the payment and the money goes to the fraudster’s bank account.
Recovery chances very low
Once the money is in the fraudster’s bank account it is essentially gone, chances of recovery are very low as funds are usually quickly transferred off-shore. The liability will likely sit with the victim, as they are responsible for making the authorised payment, even though it was to a fraudster.
The scheme is a devious new take on the ages-old invoice scam but it has greater effectiveness because the client receives the invoice from a trusted source at a time they are expecting to make a payment.
The Westpac security team has also seen the tactic used with customers of building companies who are paying a large bill for a renovation or new house build.
Verify bank account details
Westpac’s Head of Financial Crime and Security Tiffany Ryan advises that clients, particularly law firms, real estate agents or home buyers, verify bank account details before making large payments.
“The best way to do this is to call the other party to confirm the details, you should contact them on their registered number as it appears on their website or in the Yellow Pages, not on an email," Ms Ryan says.
"Simply checking to make sure the numbers match is an effective tactic to avoid falling victim to this type of fraud, as well as those rare incidents where there was a legitimate error sending the account details.”
Some advice on what to do from CERT
The Government's internet security agency CERT NZ has published some useful advice on this type of fraud and the measures which can be taken.
Last updated on the 16th September 2019