Contact Consumer Protection
Tel: 1300 30 40 54
See all Consumer Protection office locations
29 September 2016
A Perth real estate agent is breathing a sigh of relief after a cyber-attack was thwarted in an attempt to steal $500,000 from a trust account.
It’s believed the cyber thieves gained access to the agency’s bank accounts after malware was downloaded into their computer system, probably from an attachment being opened or a website link being clicked in a scam email. The installed malware allows the criminals to record keystrokes and discover bank log in details, including the password.
The unauthorised withdrawal of $500,000 was discovered by a staff member the next morning who immediately contacted their bank. The bank commenced action to have the transfer terminated and the funds returned. The money had not been collected by the scammers so the transaction was stopped and the funds were successfully recovered.
Acting Commissioner for Consumer Protection David Hillyard praised the quick action of the staff member who had prevented a devastating loss.
“A delay in reporting this loss and requesting stops be placed on the transfer could have resulted in the funds being in the hands of scammers and the agency facing a financial disaster,” Mr Hillyard said.
“We commend the quick action that was taken which robbed the scammers of a huge windfall from their criminal activities and maintained the agency’s financial integrity. The agency’s best practice standard of reconciling their trust accounts daily was integral to their picking up on the theft quickly.
“Even though the theft was prevented, the agency has implemented new and more secure connections to its bank through the use of a real-time device commonly called a Security Token which changes the internet banking authorisation passcode on a continual basis.
“Two people are now required to independently enter their system-generated and unique passcode to jointly authorise all transfers of funds out of the trust account. These measures ensure that an unauthorised transfer request is rejected and the agency is advised.”
In February 2014, a Broome real estate agency lost $50,000 after scammers accessed the agency’s online banking system and changed the bank account details of their clients who were on a ‘pre-entered list’ of recipients for regular payments. The account details were later changed back to the original in the hope that the fraud would not be detected. The agency was reimbursed by their bank.
In March 2013 a Perth settlement agency had $50,000 in two BPay transactions taken from their trust account but the suspicious transactions were detected early by the bank and the money was recovered.
Mr Hillyard said people, not only working in real estate but in all businesses, need to be careful about the attachments they open or the links they click on contained in seemingly innocuous emails.
“Giving cyber criminals access to your computer by unknowingly downloading malware means the thieves can compromise your accounting and banking system or they can even spoof emails of executives, tricking staff in to making payments. Staff should be trained to recognise the risks and query these emails to prevent incursions.
“Every business should have procedures and protocols which will prevent unauthorised access to their computer system and to detect malware. Having up-to-date anti-virus and anti-malware software is essential.
“Regular checking of bank account balances and daily reconciling of accounts may uncover unauthorised withdrawals in time for them to be stopped. We advise staff working in the finance area have strict processes around money transfers and changing supplier bank account or contact details.
“Businesses should discuss their online banking security measures with their bank who may recommend extra measures to provide some peace of mind.
“In this latest instance, the agency had put in place all reasonable securities and processes however the scammers were still able to trick the system into commencing the transaction to fraudulently move $500,000 out of their trust account.
“Only through the quick actions of a very diligent staff member had the crime been foiled on this occasion but everyone needs to be vigilant so they don’t fall victim to these cyber criminals.”
Organisations targeted by cyber-attacks and scams can report the details to WA ScamNet at Consumer Protection by calling 1300 304 054 or by emailing firstname.lastname@example.org.
Some tips that may prevent fraud losses: