Estate Agents and Solicitors Continue to Make the Same Security Mistakes

Cybercrime is a pressing topic. The BBC (amongst others) has highlighted the severity of cybercrime and how it is affecting even the average person: people who would never imagine being targeted by such crime. Cybercrime is opportunistic, and one opportunity that these criminals are taking advantage of more frequently is the ease of intercepting and tampering with email communications for their monetary gain.

This has been accentuated recently, on multiple occasions, with communications regarding property purchases. These communications often involve estate agents, solicitors and the homebuyer. The information communicated between these parties is mostly sent via email, and the content is highly sensitive. These communications should be undertaken in a secure manner; however, this is not happening.

Consider the following scenarios:

Scenario 1

Mr Smith has finally, after many years, raised the deposit for and found his dream home.  He has taken the decision to purchase the property.  Mr Smith follows the purchase process and this partly involves communicating, via email, with his estate agent and solicitor.  Mr Smith thinks the process is running to plan.  He receives an email from the solicitor, in plain-text, asking him to please transfer the funds into their bank account (using the bank details shown), to move the purchase process forward.  Mr Smith goes ahead and makes the transfer.

In the background, a computer hacker is monitoring email communications sent between the solicitor and the homebuyer. The hacker is reading communications and looking for those where cash transactions are being discussed. It could be the estate agent's, solicitor's or homebuyer's account that has been hacked. The hacker waits until a cash transfer is likely to be made and makes his move.

The hacker can intercept the email sent to the homebuyer and alter the content, i.e. change the bank account details, or the hacker could send a second, fraudulent email impersonating the solicitor, stating a change of bank account details for the transfer.

A few days pass and Mr Smith receives a reminder from the solicitor to send the funds. Mr Smith is now a little concerned, so he contacts his solicitor to verify that they have indeed received the funds that he transferred into their account a few days prior. The solicitor reiterates that they have not received the funds and asks him to confirm the account details. Both Mr Smith and the solicitor were unaware of the interception and alterations to their communications until it was too late. Mr Smith has lost a large sum of money through cybercrime.

Scenario 2

Ms Jones is communicating with her estate agent to arrange tenancy of a new property. The agent sends her communications via email in plain-text (which include her personally identifiable information), instructing her to transfer the deposit for her accommodation along with the first rental payment. Ms Jones transfers the funds. A few days pass and the agent contacts Ms Jones with regard to the funds, which they have not yet received. Ms Jones gets in touch with the agent and, to her dismay, finds out that she has transferred the money into a fraudulent account. Once again, the estate agent and Ms Jones were unaware that anything sinister was going on. However, a hacker had intercepted their communications and changed the account details, leaving Ms Jones out of pocket and both parties none the wiser. Not only has Ms Jones lost her money, but her personal details have also been compromised.

There are multiple variations on the above scenarios. One does not have to delve very deep to find a recent case such as these, and many cases have been prevalent in the news recently.

Not too long ago, a colleague found himself in a similar situation while dealing with a reputable agency in Central London. The agency requested the transfer of funds through multiple emails sent in plain-text. Although the agency has a very good reputation in the market and is embracing technology (which is evident through its use of electronic signatures), it is surprising that multiple emails requesting the transfer of funds were sent in plain-text (one example is shown below).

[Image: one of the agency's plain-text emails requesting the transfer of funds]

In this case, the recipient was aware of the threats posed by communicating in an insecure manner and was able to take the necessary actions to avoid any unfortunate events. Unfortunately, not everyone is aware of the dangers.

Take control of your security

Clearly email communications are easily intercepted, altered and sent on, with the sender and the recipient unaware.

A great deal of effort is being directed at educating businesses and individuals about cybercrime: what to look out for and how best to protect themselves, their communications and their data. Not everyone is aware of the dangers involved when using email to communicate sensitive information, especially when this is done in plain-text. It is important that people know that communicating in this manner is not a secure practice and that email in plain-text is not a trusted source.

Occurrences such as these involving estate agents and solicitors are happening more frequently and far too often.

In the situations explained above, the homebuyers/customers are the ones bearing the brunt of the breach, as the solicitors and agents chose not to take a proactive stance. However, the solicitors and agents have left themselves exposed and vulnerable: the monetary impact that they suffer may not be immediate, but the impact to their reputation will be great.

It is vital that all businesses ensure that their communications are undertaken in a secure manner.  It is crucial that businesses take responsibility for security.  The manipulation of communications in this manner should not be happening as the problem can be easily solved.

Galaxkey Email Security can ensure communications remain secure. With the Galaxkey solution, emails are encrypted and the data within retains its confidentiality, integrity and authenticity. Galaxkey encrypts not only emails in transit but also data in storage, on servers and in clients. Galaxkey supports all platforms, and businesses can have it up and running within minutes.