WARNING: PROPERTY EMAIL SCAMS SURGING

Here’s another warning about cyber-scams in the property industry because the more they increase, and the cleverer they become, the more vital it becomes for you to be aware of them and to protect yourself from them. Remember that you become a prime target when you buy or sell property – the rich pickings on offer when property is involved make sure of that.

So we’ll have a look at how these cyber-scams work, at how you can protect yourself from them and at how, no matter how much security the transferring attorneys may have on their side, you still need to be constantly on guard.

“Forewarned is Forearmed!”
(Wise old saying)

Why yet another warning about cyber-scams in the property industry? It’s because the hard fact is that the criminals are winning this war. In fact we are now reportedly the “second most targeted country in the world with regard to cyber-attacks” (Law Society of South Africa).

Hence, no doubt, the Legal Practitioners Indemnity Insurance Fund report of “over 110 cybercrime related claims with a total value of R70 million” in the period July 2016 to August 2018.

The scammers are using more and more sophisticated techniques to lull their victims into complacency, and your best protection is your own vigilance – forewarned is definitely forearmed!

And remember that property transactions will always remain a firm favourite with online fraudsters for two simple reasons –

  • Property sales usually involve large amounts of money.
  • Electronic communication between attorneys and clients is a fertile ground for interception and deception.

A seller’s or a buyer’s nightmare – every cent stolen!

As a seller, you’ve sold your property for R5m, transfer to the buyer has been registered but the money doesn’t show up in your bank account (let’s call it “account A”). You phone your conveyancer only to be told “but we did pay you, we followed your instruction to pay into account B.” Of course account B was set up by a fraudster and your R5m is long gone.

Or as a buyer, you have paid the full purchase price into the transferring attorney’s “new bank account C” and are shocked to be told by the attorney that you have actually paid nothing at all to anyone – except to a scamster. Good-bye both money and property!

What happened?

How your money gets taken – 2 main scenarios

Cyber criminals are resourceful, creative and constantly updating their methods so this is by no means an exhaustive list of your risk areas. To date however the two main categories of scam remain –

  1. Your attorney’s payments to you: As a seller, when you give the transfer instruction to your attorney you will nominate a bank account – account A in this example – to receive the sale proceeds. Before transfer however (often at the very last minute) the conveyancing firm receives a genuine-looking email “from you” changing your banking details to “my new account, account B”. Your emails to and from your attorney have been intercepted, and your details cleverly spoofed. Your money is gone – forever. Of course if you chose the right attorney to attend to your transfer in the first place this shouldn’t happen to you – but, as we shall see below, the scammers are so sophisticated now that you can never ever let your guard down, no matter how trustworthy the firm.
  1. Your payments to the attorney: The main risk here is to the buyer paying the whole or a large portion of the purchase price to the transferring attorney. Of course transfer duty and other costs of transfer can also add up to a tidy sum, whilst as a seller you will be paying for things like bond cancellation costs, rates, agent’s commission and so on.

The scam here is that once again emails are intercepted, and this time you receive an authentic-looking but entirely fraudulent email asking you to pay into “account C”. The email appears to come from the conveyancing firm but of course it is again a clever (often very sophisticated) impersonation, this time of the firm’s branding, details and email address.

The false account details might be in the email itself or in a falsified attachment – nothing is safe. The email may be in the form of a “we’ve changed our banking details” notification, or the criminal may work on the basis that you just won’t notice the change. And of course account C isn’t the conveyancer’s trust account at all, and the minute you make a payment into it your money is – once again – gone forever.

Who can you recover your stolen money from?

By the time you realise you have been scammed, the criminals are long gone and your chances of catching up with them are remote to say the least.

So could the attorney possibly be liable? A recent High Court judgment deals with that very issue…

Court: Attorney negligent, must pay almost R1m

In this case a transferring attorney was ordered to pay her client damages of R967,510-53 for negligence.

In a nutshell, the attorney had attended to a property transfer for the sellers, and a scammer intercepted emails between the sellers and the attorney’s secretary. This was a classic “Scenario 1” operation, and seemingly a sophisticated one – the scammer persuaded the secretary to accept an emailed “my bank account details have changed” instruction and to pay the proceeds into the scammer’s account.

The sellers sued the attorney for damages, the attorney denied any negligence whatsoever, but the Court found that she had indeed failed to carry out her mandate with the “due care, skill and diligence expected of a reasonable attorney and a conveyancer in the circumstances.”

What is important for you is that the Court reached this conclusion on the particular facts of this matter. There were specific factors present here such that a “diligent, reasonable attorney” would, said the Court, have taken steps to verify the information in the fraudulent emails.

That suggests that there are many possible sets of facts which would have left the seller unable to prove any failure of duty by the attorney. Your risk is that if you try to hold the attorney liable you will have to prove that your loss resulted from his/her fault and not from yours – that’s never going to be easy and if you fail, you are left high and dry.

Protect yourself. Be vigilant!

So prevention really is much better than cure here. Litigation will be expensive and risky, and even if you succeed in your damages claim the attorney’s normal indemnity insurance excludes these types of claims so your victory could be a hollow one.

Fortunately there are several common sense steps you can take to minimise your risk –

  • If you have the choice of transferring attorney (which you normally would have if you are the seller), choose an attorney you trust to do the job properly, carefully and professionally.
  • Having said that, no matter how much security your attorneys have put in place on their side, if it is your system that is vulnerable that is what the criminals will exploit. So keep all your anti-virus, anti-malware and other security software updated, learn all about protecting yourself from malware/spyware/phishing attacks, and generally treat all electronic communications with caution – even those appearing to come from a trusted source like your attorney.
  • Read “Is That Sender For Real? Three Ways to Verify the Identity of An Email” on FRSecure’s blog. All the tips given there are important, but at the very least use the methods given to find out where the email really comes from. Then check back to see that it matches in every detail the email address you were given at the start of the transfer process.
  • Be suspicious if anything in an email just feels “not-quite-right” – perhaps only a cell phone number is given, or a free generic email address (like Gmail) is used, or the wording is somehow “off”. If the email makes you even the slightest bit uneasy, err on the side of caution and investigate further.
  • Most importantly, never accept notification of any supposed change in your attorney’s banking details without visiting or phoning your attorney to check all is in order (don’t of course use the contact details given in the suspicious email, they could also have been doctored!).

NOTE FOR ATTORNEYS: The above article is an updated version of our August 2018 article “Property Scams – Beware (Cyber) Wolves in Sheep’s Clothing!” and it is also a version of our article for conveyancers “Beating Cybercrime 101” on GhostDigest, rewritten to address your client’s interests and concerns.

The judgment in Jurgens and Another v Volschenk (4067/18) [2019] ZAECPEHC 41 is available on SAFLII.

Some updated reading suggestions –

“Cyber criminals targeting legal professionals” on Fin24, “Cyber liability insurance” on GhostDigest, “Do not compromise cybersecurity” on GhostDigest, and “Cybercrime in the South African legal fraternity” on cover.co.za. Also read the LPIIF’s July 2019 Risk Alert Bulletin (downloadable here): “We wish to draw particular attention to the exclusion of cybercrime (clause 16(o)). Risk management steps must be taken by practitioners within their practices to mitigate cyber risk.”

Plus suggested reading from 2018, still highly relevant –

“LSSA Cybercrime advisory” on GhostDigest. Note in particular the recommendation re wording in all your emails and other communications to clients alerting them to the dangers of “Business eMail Compromises”, “Lawyers hit so hard by cybercrime in South Africa insurance refuses to cover them” on My Broadband, and “Here’s how cyber criminals are targeting attorneys in scams to steal cash” on Fin24.