A Cautionary Tale: Protecting Against Sophisticated Email Hacking

Last night during a casual conversation with a friend, I heard a distressing story about her brother’s recent experience of email hacking during a property sale settlement. As she narrated the incident, it became clear that email hacking is not only rampant but also becoming increasingly sophisticated, posing significant risks to individuals and businesses alike.

According to the Australian Cyber Security Centre’s most recent report, during the 2021–22 financial year, over 76,000 cybercrime reports were made via ReportCyber, an increase of nearly 13 per cent from the previous financial year. One cybercrime report is made approximately every 7 minutes, compared to one report every 8 minutes in 2020–21.

In this article, we will examine the details of this incident and discuss the importance of implementing robust measures to safeguard against such cyber threats.

Misdirected Settlement Funds

My friend’s brother, like many others, was eagerly awaiting the settlement of his property sale. However, the anticipation quickly turned to despair when the sale did not go through as planned.

The reason behind the failure was shocking – the purchaser’s email had been hacked. The hacker deviously sent a dummy email substituting the account details for the settlement funds, leading the unsuspecting purchaser to transfer the money to the hacker’s account instead of the law firm’s trust account.

To be clear, our firm was not acting in this matter. Sadly, now everyone involved is trying to sort out the mess.

Manipulation of Trust Account Verification and Deceptive Domains

Regrettably, these are not isolated cases.

In a recent matter, our firm (in fact me personally) had a similar hacking event (or at least an attempt).

Our firm has a policy of verifying account details by making a direct phone call at the time of sending an email with trust account information. In this case, the hacker replicated the email, altering the account details and modifying the message to claim that Nicole, my assistant, would verify the accounts and warning not to transfer funds without that verification. The hacker then sent a follow-up email posing as Nicole, providing the same fraudulent account details and confirming that the transfer was acceptable.

The hacker’s efforts extended to using a domain that looked remarkably similar to the original email address. By adding an extra letter to the domain name, the hackers attempted to deceive the recipient into believing the email was legitimate, causing further confusion and facilitating their fraudulent activities.

Luckily, Nicole contacted the client by telephone at about the time of the email requesting funds, to verify our account details by telephone. The hack was discovered through our process, and the hackers’ plan was thwarted.

To be clear, we identified that the hack and interception of the email had occurred at the client’s end (not our end, because our system has significant layers of encryption and protection).
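As an added illustration (not the firm’s code or its actual verification process), the following Python check applies the two lessons above: it flags a sender domain that imitates a trusted one by an extra or altered letter, and it holds any email carrying bank account details for the telephone verification described above. The trusted domain, account numbers and sample emails are constructed placeholders, and Levenshtein edit distance is assumed as the lookalike measure.

```python
import re
from email.utils import parseaddr

# Constructed placeholder values, not the firm's real domain or account details.
TRUSTED_DOMAINS = {"masonlawyers.example"}
# Matches an Australian-style "BSB 123-456 Account 12345678" in a message body.
ACCOUNT_RE = re.compile(r"\bBSB\b\D{0,5}(\d{3}-?\d{3})\D{1,40}?(\d{6,10})\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one inserted, deleted or swapped letter costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain this sender domain imitates, or None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_dist:
            return t
    return None

def assess(message: dict) -> list:
    """Reasons to hold a message for out-of-band (telephone) verification."""
    _, addr = parseaddr(message["from"])
    domain = addr.rpartition("@")[2]
    reasons = []
    target = lookalike_of(domain)
    if target:
        reasons.append(f"sender domain {domain!r} imitates trusted {target!r}")
    m = ACCOUNT_RE.search(message["body"])
    if m:  # any account details at all are verified by phone, never by email
        reasons.append(f"contains BSB {m.group(1)} account {m.group(2)}: verify by phone")
    return reasons

# Constructed sample emails: a genuine one and a lookalike-domain substitution.
SAMPLE_MESSAGES = [
    {"from": "Nicole <nicole@masonlawyers.example>",
     "body": "Settlement funds: BSB 123-456 Account 12345678. We will call to verify."},
    {"from": "Nicole <nicole@masonlawyyers.example>",
     "body": "Updated trust account: BSB 123-456 Account 87654321. Nicole will confirm by email."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", assess(msg))
```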

Strengthening Defences and Fostering Vigilance

As a law firm, and indeed as a society, it is essential for us to come together and brainstorm effective strategies to fortify our defences against hacking attempts. Cybercriminals are becoming increasingly adept at exploiting vulnerabilities, and we must remain vigilant. Adopting a proactive mindset is essential – nobody should assume that they are immune to such attacks.

Strengthening Trust and Security

At Mason Lawyers, we put in place strict controls for all monies leaving our trust account. Even so, this incident has prompted us to think about how we can enhance our existing Verification of Account procedures to better protect our clients from falling victim to such hacking events. The implications of this incident could have been far worse if not for the vigilance of those involved.

In light of these incidents, a prudent measure for all members of society is to not rely on emails when transferring funds, without at least verifying the account details received by telephone with the intended recipient of funds. Verifying the legitimacy of the request with a brief (old-fashioned) phone call can help prevent tragic consequences.

So Who is Liable?

In cases like this, the question of liability arises, and the blame game ensues. The bank may claim innocence, leaving the lawyer or conveyancer to bear the responsibility on the basis that there was some defect in their own system. This unfortunate situation highlights the importance of providing robust warnings and implementing sophisticated systems to thwart cyber fraud.

Guarding Against Email Hacking Threats

The tale shared by my friend, coupled with my own experience, serves as a poignant reminder that email hacking is a serious threat that should not be underestimated. Implementing stringent verification processes, adopting telephone verification practices, and enhancing cybersecurity measures are essential steps that individuals and businesses must take to safeguard their interests.

Both individually and collectively, we need to work together to stay one step ahead of cybercriminals and protect ourselves and each other from falling prey to such malicious schemes.

And I must admit, it’s moments like this that make me appreciate the good old-fashioned cheque!

Ross Mason

18 Aug, 2023

The information in this article is intended to provide general information only and does not constitute legal advice. If you require legal advice specific to your particular circumstances, you must formally engage a lawyer or law firm. The law is subject to change, and whilst we strive to keep our content up-to-date, developments may occur after publication. The information contained on our website should not be relied upon or used as a definitive or complete statement of the relevant law. Mason Lawyers takes no responsibility for any use of the information provided. Liability limited by a scheme approved under Professional Standards Legislation.
