‘Fraudsters hacked emails to my solicitor and stole £340,000 from my property sale’
Source: The Telegraph
I have a keen interest in two business areas. The first, is IT Security. The second, is property development. So when I keep seeing articles regarding money being stolen during the purchase of a new home, which is all down to emails that have not been sufficiently protected, I can’t help but get a little bit frustrated. However, I totally understand the problem and it’s an easy trap to fall into. The SRA, the regulatory body for Solicitors, have even identified this problem as a “Priority Risk”. The risk statement can be found here.
As an IT security professional, you have to ask yourself, why on earth would anyone send bank details that contain 6-7 figure sums of money over email? Perhaps even worse, the instruction to transfer money, if there are systems available today that means they don’t have to. Members of the IT industry know that sending an email over the internet is like sending a postcard in the post. You don’t know how many “virtual post boxes and sorting offices” have been compromised by individuals or groups, and are able to intercept, read, and the worst bit, change the details in your email. Due to the rewards on offer, there are highly organised cyber gangs that are making huge amounts of money of what is effectively a quick transaction to them. To understand this properly, we need to go back a step and discuss the problem.
So what is the problem?
Prospective home buyers and their solicitors are exchanging banking information over email and instructing transfers of funds. Cyber criminals, are using a number of techniques to identify these emails; One of which is to use malware, enabling them to identify text within hacked emails that look like banking information as it is usually a standardised format of 6 digits in a “xx-xx-xx” or “xxxxxx” format, immediately followed or preceded by a 8 digit account number such as”xxxxxxxx”. Once they have hacked emails with this information, they can see who it has been sent from, who it is being sent to, the time of the email, the contents of the email, and the attackers may even have additional emails in the conversation trail. Using this information, the fraudsters send their own email, with the same senders email address (usually the solicitors client), to advise the solicitors of new bank details, stating they had used the wrong details before and requesting payment to be made to the new bank details. Emails can provide a high level of assurance to the solicitor; It looks, after all, that it has come from their clients email address, been responded to fairly quickly, and may well contain further information to “prove” they are the client, using information that could have been intercepted in previous emails. Presented with this information, I can understand why a solicitor wouldn’t be suspicious.
Hacked Emails – Who’s problem is it?
That seems to be the big question at the moment and its probably best to avoid being in the situation in the first place. This type of fraud is a problem for the solicitor, as it effects their trade and reputation; not forgetting the client who could lose their money!! To make things even worse, there seems to be a grey area regarding insurance against this type of attack. Technically, the solicitors infrastructure has not been compromised in this instance. Neither has the clients email; so who is at fault? Again, the best solution is to avoid the situation all together if possible.
How can the hacked emails problem be solved?
Two main things need to happen: Firstly, there needs to be a protective element to the contents of emails, to ensure they can not be intercepted and read by anyone apart from the sender and the recipient, thus preventing hacked emails. This will foil any attempt to read emails in transit. Secondly, there needs to be a mechanism to ensure the sender and recipient(s) are adequately authenticated to ensure they are who they say they are.
What can solve the problem?
The problem of hacked emails can be solved very quickly by using an encryption platform such as Galaxkey. Galaxkey offers identity based encryption across multiple areas, which means only the the sender and recipient(s) can access the data that is sent.
Galaxkey is able to:
- Encrypt email to prevent hacked emails
- Encrypt individual files
- Encrypt files for cloud storage
- Share files securely
There is no barrier of cost for the clients. Galaxkey is FREE for personal use; therefore Consumer clients are not required to pay for use of the platform. There is a small charge for corporate users, but they get the usual corporate functions such as reporting, admin access, and AD integration included. Galaxkey is incredibly popular around the world, and has 161,000+ followers on twitter, which is more than Symantec!
If you are interested in using Galaxkey and are a personal use user, sign up to the galaxkey platform here. If you are a solicitor or a firm of solicitors, call MiSEC today, and MiSEC can integrate Galaxkey into your systems within the hour, without any additional infrastructure, so you can encrypt emails and files to your clients, colleagues, partners, etc., knowing that you are doing all you can to keep sensitive customer information safe.
Tel: 0330 606 64732
Photo credit: Toby Melville/PA Wire