WA Consumer Protection has confirmed the hackers stole $50,000 from a Broome real estate agency after they hacked into the company’s online banking system in February.
Mandy Reed, general manager at Hutchinson Real Estate, told Real Estate Business the cyber fraudsters most likely accessed the company bank account after a compromised email allowed malicious software (or malware) to be installed.
"We got done alright,” said Ms Reed. “We were doing a reconciliation of one of our bank accounts when we realised the money that was supposed to come into it never arrived. So we looked into it because it came from a trust account. We rang the bank and found out it had been directed to a bank account in western Sydney.”
It’s being alleged the bank account details of one of the agency’s clients were changed on a ‘pre-entered list’ of recipients who receive regular payments.
Three payments from the agency’s trust account, totalling $50,000, were redirected away from the intended bank account. It appears the account details were later changed back to the original, in the hope the fraud would not be detected. The agency has since been reimbursed by their bank.
“What the fraud squad reported to us was that it possibly came about by someone clicking on a dangerous email link, or it may have been from someone trying to view something on Facebook,” said Ms Reed, adding that the malware may have been lurking in their system for a while, since the business only recently ramped up its cyber security.
Ms Reed added the fraud experts advised the agency to take a zero tolerance policy to Facebook and web-based emails being used within the office.
"They told us to lock down anything web-based to the point where we are really minimising the risk, even down to remote devices, charging phones, downloading photos from our phones that we may have taken from properties that we’ve gone out to, even iPads we use when conducting inspections," she said.
This recent cyber theft follows shortly after one leading property manager and industry trainer had his identity stolen and his bank account compromised by a sophisticated scam artist.
Bob Walters, director of the Leading Property Managers of Australia (LPMA), battled a faceless fraudster for months, with no help from the police after his company was attacked by the scammer last month.
It also follows a similar case in March last year when a Perth settlement agency had $50,000 in two BPay transactions taken from their trust account.
WA commissioner for consumer protection, Ms Anne Driscoll, warned real estate to be alert to this type of fraud and to have strict security protocols in place to avoid falling victim to them.
“While the property industry has been targeted in these cases, fraud of this kind can affect any business, so it’s essential businesses have procedures and protocols in place to prevent unauthorised access to their computer system and systems to detect malware,” Ms Driscoll said.
“Staff should be trained to ensure that suspicious emails are deleted immediately, attachments are never opened and links never activated. Having up-to-date anti-virus and anti-malware software is essential for any business.
“In light of these attempted frauds, it is our advice that real estate and settlement agents manually input bank account details of clients when making electronic bank payments, rather than relying on the accuracy of details in pre-entered lists.”