To: firstname.lastname@example.org <email@example.com>;
Please could you pay your deposit on 33 Acacia Avenue to us. I’ve included our bank details at the end of this email.
Then we can get the ball rolling.
Name: JJ Law
John Johnson LLB | Partner
JJ Law | 123 High Street Arcadia | www.jjl.com
A decade ago, less than half of the payments made were by electronic funds transfer; cheques were still the most common method. Today, more than 90% are made electronically.
Whilst sending out a cheque is by comparison slow, expensive and subject to the risk of being lost in the post, it does have the advantage that once the cheque is in the hand of the recipient, the ball is in their court to bank it into their correct bank account.
In contrast, the responsibility for ensuring that an electronic payment ends up in the bank account of the intended recipient rests with the sender. New Zealand bank account numbers employ a checksum to reduce the risk of a bank account number being transcribed incorrectly: a mistyped or transposed digit will usually produce a number that fails the check and is rejected. But the checksum says nothing about who owns the account. What if the number is a valid bank account, but not the account number of the intended recipient?
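To make the difference between a transcription check and an identity check concrete, here is a small added example (not from the original article) that validates New Zealand bank account numbers the way the modulus-11 check works for the most common group of banks. The weights are the "A" and "B" tables from Inland Revenue's bank account number validation specification, applied to the 18-digit layout (2 bank, 4 branch, 8 account base, 4 suffix digits, each left-padded with zeros). Choosing between the two tables by account base number alone is a simplification and an assumption for this example: the full specification selects the algorithm from a table keyed by bank and branch and uses different tables for a few banks, so this is not a drop-in validator. The account numbers in it are constructed for the example and are not anyone's real account.

```python
import re
from typing import NamedTuple

# Modulus-11 weight tables "A" and "B" from the Inland Revenue bank account
# validation specification, laid over the 18-digit form of an NZ account
# number: 2 bank + 4 branch + 8 account base + 4 suffix digits.
WEIGHTS = {
    "A": [0, 0, 6, 3, 7, 9, 0, 0, 10, 5, 8, 4, 2, 1, 0, 0, 0, 0],
    "B": [0, 0, 0, 0, 0, 0, 0, 0, 10, 5, 8, 4, 2, 1, 0, 0, 0, 0],
}
MODULUS = 11


class Account(NamedTuple):
    bank: str    # 2 digits
    branch: str  # 4 digits
    base: str    # 8 digits (7-digit numbers are left-padded with a zero)
    suffix: str  # 4 digits (2- or 3-digit suffixes are left-padded)


def parse_account(text: str) -> Account:
    """Parse 'BB-bbbb-AAAAAAA-SS' (dashes or spaces) into its padded parts."""
    parts = re.split(r"[-\s]+", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four numeric groups bank-branch-account-suffix: {text!r}")
    bank, branch, base, suffix = parts
    if not (len(bank) == 2 and len(branch) == 4
            and 7 <= len(base) <= 8 and 2 <= len(suffix) <= 4):
        raise ValueError(f"group lengths are wrong: {text!r}")
    return Account(bank, branch, base.zfill(8), suffix.zfill(4))


def choose_algorithm(acct: Account) -> str:
    # Simplification (assumption for this example): the spec picks the
    # algorithm from a table keyed by bank and branch. For the large group of
    # banks that use A/B, the rule is A when the account base is below
    # 00990000 and B otherwise; other banks have their own tables.
    return "A" if int(acct.base) < 990000 else "B"


def checksum_ok(text: str) -> bool:
    """True if the weighted digit sum is 0 modulo 11."""
    acct = parse_account(text)
    digits = [int(c) for c in acct.bank + acct.branch + acct.base + acct.suffix]
    weights = WEIGHTS[choose_algorithm(acct)]
    return sum(d * w for d, w in zip(digits, weights)) % MODULUS == 0


def compare_to_expected(expected: str, received: str) -> str:
    """Classify an account number received in an email against the one on file.

    Returns 'matches', 'fails checksum' or 'valid but different'. Only the
    second case is something the checksum can catch; the third is the fraud.
    """
    if parse_account(received) == parse_account(expected):
        return "matches"
    if not checksum_ok(received):
        return "fails checksum"
    return "valid but different"


if __name__ == "__main__":
    on_file = "01-0902-0068389-00"       # constructed: passes the check
    typo = "01-0902-0068398-00"          # two digits transposed: fails the check
    substituted = "12-3123-0456781-00"   # constructed: a different account that also passes
    for label, number in [("on file", on_file), ("typo", typo), ("substituted", substituted)]:
        print(f"{label:12} {number}  checksum_ok={checksum_ok(number)}  "
              f"-> {compare_to_expected(on_file, number)}")
```

Running it shows the point of the paragraph: the transposed number is rejected, but the substituted number passes exactly as the genuine one does, because a check digit protects against error, not against a thief who supplies a different, perfectly valid account.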
For as long as we have been making payments electronically, we have required written evidence of the payee’s bank account in the form of a deposit slip or bank statement to minimise the risk that a payment is made to the wrong account. But as technology has increasingly taken over our lives, this documentary evidence has itself begun to be supplied electronically – mainly as emails or attachments to emails, but sometimes as text messages or by reference to a web page. It’s so much faster and easier to flick the payer your details by computer or smartphone than it ever was back in the day when you either had to meet in person, or find a postage stamp and rely on the post.
Email, and what we now know as the internet, were originally designed for easy and open communication between computers around the world, with little priority given to the security of that communication. For that reason email is, in general, not encrypted from end to end, and the schemes that do exist for authenticating the sending mail server (SPF, DKIM and DMARC) are unevenly adopted and in any case show only that a message left a domain’s mail system, not that the person named in the ‘From’ line actually wrote it; a message sent from a compromised account passes every one of those checks. And still we all use email, and have to do so to serve the needs of our clients and our businesses.
The near ubiquity of the system and its lack of security has naturally not escaped the attention of ‘hackers’, ‘spammers’ or ‘phishers’ as they are euphemistically termed in the world of technology; thieves by any other name. One of the newer and more sophisticated approaches taken by the thief is to impersonate a person or entity to whom the recipient of the spoof email would expect to pay money. This is a step above the type of emails that tell you that ‘You need to change your AppleID’ or ‘You have received money into your Paypal account’, both inviting you to log in and thereby give away your credentials to the thief.
The thief gains access to an email account by finding and exploiting some weakness in, or lapse of, security, very often simply by stealing a user name and password, and starts to read the emails in it. An email is easy to fake and attachments are easy to change, but it is often the timing of the email that brings the thief success: it arrives when the recipient is expecting to pay money to that person. By sitting inside an email account and monitoring the traffic, the thief can send a realistic email at a plausible time.
Once sitting on the line of communications, the thief can choose to impersonate either party. If the breach has been into an organisation, they might try an intra-firm email appearing to come from the Managing Director to the Accountant giving payment instructions. On the other hand, if it is into a private email account that the thief has hacked, any email trails to and from suppliers or customers would provide a foundation for an attack. The email will usually have bank account details contained in the body of the email or in an authentic-looking attachment. A bank deposit slip, for example, is very susceptible to convincing forgery.
Many firms, including law firms, have taken measures to guard against the risk of acting solely on instructions received in an email. To be safe, there has to be an independent verification, such as a conversation, face-to-face or by phone, in which the account number is read back, or receipt of an original signed payment authority. Thieves, knowing that the security measures taken by firms are likely to be stronger than those taken by individuals, are turning towards the latter. In a recent instance, a client who was expecting to pay a deposit to their lawyer received a fake email including bank details. Luckily the hack was discovered a few hours later, and swift action by the banks concerned resulted in the funds being frozen and the police being notified.
So what steps can you reasonably take to prevent this type of fraud?
- Prevent the thief from gaining access to your email system. On top of keeping your operating system up to date and employing antivirus software and a firewall, protect your credentials: use a strong password for your email account that you use nowhere else, turn on two-factor (multi-factor) authentication if your email provider offers it, and change the password at once if you have any reason to think it has been exposed. Don’t respond to invitations to click on links or open attachments in emails that look in any way suspicious. Avoid using shared computers in public spaces such as cafes or airports.
- Literally double-check the account details of the payee; don’t rely on a single source. Verification by a telephone call is probably the best way, but use a number you already know or have found independently (an earlier engagement letter, a previous invoice, the firm’s own website), never a number supplied in the email itself, since the thief who wrote the email can just as easily answer the phone number in it. Advice that a previously-used account number has changed should never be acted upon without such a back-up call.
- Keep in mind just how open to infiltration email systems are and how easy it is to forge emails, just like the one at the top of this article.