How to curb cybercrime

Fraud. It’s a prospect that strikes fear into the hearts and minds of agency owners. But there are steps you can take to mitigate your agency’s exposure to the risk of fraud.

Imagine this. You sit down at your computer to transfer some money from your agency’s trust account. It’s business as usual as you enter your username and password to access online banking. But once you’re logged in, you see money disappearing from the account before your very eyes – and there’s nothing you can do about it.

Think it could never happen to you? Think again.

This is exactly what happened recently to the experienced Principal of a respected Sydney agency. The victim of a sophisticated cybercrime that saw almost $760,000 stolen from their trust account, they’re warning others that it could happen to them.

The money was stolen over the course of five fraudulent transactions – and the Principal witnessed one of the transactions being processed and approved via their online banking portal.

How it happened

It was normal practice for the Principal to use a security USB device to access their bank accounts online. On the day of the theft, they logged in as usual and received a message saying that the website was offline for maintenance, so they logged out.

A few hours later, they logged in again only to receive the same message. Thinking this was a bit unusual, the Principal checked with their accounts team to see if they were having the same problem accessing the online banking portal. Someone in the accounts team logged into the portal and, to their absolute horror, discovered that almost $760,000 had been removed from the trust account in five unauthorised transactions.

The Principal immediately called the bank, but they weren’t able to stop the transactions. Fortunately, the agency has been able to recover all but one of the payments, leaving a shortfall of $80,000.

It seems the hackers gained access to the agency’s trust account via the Principal’s earlier attempt to log in to the online banking portal. The perpetrator has been identified as a 19-year-old Estonian national with a valid Australian visa. There is a warrant out for his arrest and two accomplices are in police custody.

A growing problem

According to the Principal, all agencies need to be more aware of cybercrime, and have systems and checks in place to protect themselves.

“I’ve been a Principal for more than 20 years and I’m always thorough and careful,” the Principal said. “It’s important for all agencies to be more aware of cybercrime and check the systems they have in place to protect themselves, because this type of crime is growing exponentially.

“It’s terrifying what hackers can do and the level of sophistication is incredibly high.”

The Principal of the agency has this advice to offer others:

  • No same-day transfers. Make sure your internet banking doesn’t have Real Time Gross Settlement (RTGS), which allows for same-day transfer to another bank with transactions settled as soon as they’re processed. RTGS means money can be transferred and withdrawn within a very short space of time, rather than overnight.
  • Dual authorisation. Never allow the same person to both create and authorise a payment. You should always require two authorisations for payments made by your agency.
  • Check transfers. Always carefully check transfers before authorising them.
  • No USBs. Don’t use USBs to access your internet banking portal as they can be easily compromised.
  • Protect yourself. Don’t rely on the bank to protect you or put appropriate safety systems in place. Do your own due diligence and ask questions of your bank about cybercrime prevention.
  • Have cyber insurance. While it won’t protect your agency from an attack, cyber insurance could be the difference between keeping the doors open and shutting up shop for good. If you’re unsure about the level of coverage you need, talk to an insurance broker. They can help you understand the cyber risks for your business and identify the best cyber insurance product to suit your needs.

If you have questions about what measures you can put in place at your agency to guard against cybercrime, call the REEF Helpline on 1300 616 170.