New Zealand Law Society


IT security expert says fight online fraudsters with old technology

27 September 2016

By Nick Butcher

Online fraudsters have been targeting lawyers and firms for some time and an IT security expert says one of the best ways of fighting it is to use a good old fashioned piece of technology – a telephone.

While the more common and easily detectable scams still exist, such as a badly written email with poor grammar asking for money, online fraudsters are now able to hijack the name of a staff member at a law firm and issue instructions for a payment that appear to come from a real employee of the firm.

Michael Pook is a senior engineer at Compel Computer Services who works on IT security problems.

"What we are seeing now is a shift away from direct hacking to deception and misdirection," he says.


Recently Mr Pook investigated an incident at a not-for-profit organisation, where the financial controller received an email, apparently from the chair of the organisation, asking whether some funds could be transferred into an overseas account.

"It used the correct language for that person, knew the person's title and also knew who the financial controller was, so it could direct the conversation to them. Even the grammar, the way the person would talk, had been emulated. From that, the person on the other end hit reply, and the reply-to address was the correct email address," he says.

The email exchange went into further details including how much cash should be transferred to a specific employee.

"It went on to ask for about 25,000 Euro, and specified the employee and account number to transfer the money to. The financial controller then began to type a reply but decided it was too complicated and that it would be better to call the person by telephone," he says.

And it was that short landline phone call that revealed something was rotten, in IT terms.

"The person rang the chair of the company who informed the staff member that no such emails in relation to money transfers had been sent or authorised," he says.

To get to the bottom of the situation, Mr Pook analysed all of the email traffic and discovered that while the reply-to address appeared to be the correct one, a redirector address sat behind it, so the financial controller's replies were not going to the chair at all.

"So when you're in Outlook or your webmail interface it looks like you're replying to the proper email address so it's about deception now, and people in my field cannot protect a company from this because it is standard email traffic."
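One way to spot the redirection Mr Pook describes before anyone hits reply is to compare the From and Reply-To headers of an inbound message. The checker below is an added example, not code from the article or from Compel Computer Services. It parses two constructed messages (the names, addresses and domains are hypothetical) and flags a Reply-To whose real address differs from the sender, whose domain differs, or whose display name is itself an email address, a common way to make a mail client show the "right" address while replies go elsewhere. It generalises the single case in the article to any message with these headers.

```python
"""Flag Reply-To redirection in inbound email.

Added example: the messages below are constructed for illustration and the
addresses, names and domains are hypothetical, not taken from the article.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a genuine message, no Reply-To header at all.
LEGIT_MESSAGE = """From: Jane Chair <chair@example.org>
To: Finance <finance@example.org>
Subject: Board papers

Attached for Thursday.
"""

# Constructed sample: From looks right, but the Reply-To display name is the
# chair's real address while the actual reply address is a lookalike domain.
SPOOFED_MESSAGE = """From: Jane Chair <chair@example.org>
Reply-To: "chair@example.org" <chair@example-org.co>
To: Finance <finance@example.org>
Subject: Urgent transfer

Can we move 25,000 EUR to the account below today?
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_reply_to(raw: str) -> list[str]:
    """Return human-readable findings about the Reply-To header.

    An empty list means nothing suspicious was found. Only the headers are
    examined; a message that spoofs From but carries no Reply-To is not caught
    here, which is why out-of-band verification by phone still matters.
    """
    msg = message_from_string(raw)
    _from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_hdr = msg.get("Reply-To")
    if reply_hdr is None:
        return []

    reply_name, reply_addr = parseaddr(reply_hdr)
    findings: list[str] = []

    # Replies will not go back to the apparent sender.
    if reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # Replies will leave the sender's organisation entirely.
    if _domain(reply_addr) != _domain(from_addr):
        findings.append(
            f"Reply-To domain {_domain(reply_addr)} differs from "
            f"sender domain {_domain(from_addr)}"
        )

    # The deception in the article: the visible name is an email address, so a
    # mail client shows what looks like the correct address while the real
    # reply address is hidden behind it.
    if "@" in reply_name and reply_name.lower() != reply_addr.lower():
        findings.append(
            f"Reply-To display name {reply_name!r} looks like an address "
            f"but replies go to {reply_addr}"
        )
    return findings


def is_suspicious(raw: str) -> bool:
    """True if any finding was raised for the message."""
    return bool(check_reply_to(raw))


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, "->", check_reply_to(raw) or "no findings")
```

Run on the two samples, the genuine message produces no findings and the spoofed one produces three. The check is cheap enough to run on every inbound message at the gateway or in a mail filter, but it only catches redirection in the headers; as Mr Pook says, a message that simply arrives from a compromised or spoofed sender is standard email traffic, and the phone call remains the control that caught this case.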

How do you fight the online fraudsters?

"You can have all the security in the world around your email system, but the problem you have is that you and people in your organisation are sending emails to people in the rest of the world who may not be on a secure mail system."

A good example would be Xtra email addresses, which are hosted by Yahoo.

"Barely half a year goes by without Yahoo being crippled and hacked. It hit the news the other day. I wouldn't touch Yahoo with a barge pole," he says.

Mr Pook says that if an email is sent, for example, to an Xtra email account and that account is compromised, the hackers will then be able to access all emails linked to that address.

"They can then mine that information for relationships, email addresses, people's names and what their positions are. So they're not trying to extract money from the original email address that was compromised but instead are after the information on the organisation and how they work together," he says.

Mr Pook recommends possessing a healthy dose of vigilance and scepticism to beat online fraudsters at their own game.

"Pick up a telephone and make a call to verify information. Relying on one form of identification is just not enough these days.

"It used to be phone calls and faxes but now people are relying on email because it is so quick. Even use a text. Often in my job I'm having to process credit card details and it horrifies me when someone attempts to send me these details via an email.

"Even if my mail server is secure, the server they're sending from may not be," he says.

"If half the sensitive information is sent by email and the other half by text or phone call, it means that nobody but the client and myself has access to the full information, which could then be data-mined," he says.

The use of external typing pools – approach with caution

Mr Pook has dealt with law firms that employ these cheap labour services where typing work is outsourced to online bidders who will do the job.

"They're great services to take advantage of but it does surprise me when I find some lawyers haven't created a legal agreement with the service provider.

"It's not unrealistic that the person on the other side of a legal agreement or dispute could be getting their typing performed by the same person, and that's where confidentiality agreements or conflict of interest agreements should come into play," he says.

Mr Pook says that is another common way information is leaked.

"You should also have a confidentiality agreement with your company IT provider. You may think you're getting perhaps a cheap deal, but I would say that maybe you're not paying enough for your company's IT security and the same goes with cloud storage," he says.

Last updated on the 16th September 2019