Professional duties and email security for conveyancers

 

Key insights:

Professionals’ duty of care comes with expectations of specialised knowledge, competency and putting clients’ interests first

Email security is now a serious business risk for conveyancers

While cyber risk can never be eliminated, there are simple steps you can take to significantly reduce your risk

 

This is a revised version of an article that was first published in the June 2019 edition of Convey, the Magazine of the Australian Institute of Conveyancers NSW Division.

 

Conveyancers have been early adopters of electronic conveyancing, which has been mandatory for all mainstream property transactions in NSW since 1 July 2019. With the commencement of this new era it is timely to consider the lessons that have been (and can still be) learned about cyber risk and resilience in conveyancing.

Email security is now a serious business risk for conveyancers

Email compromise usually occurs via a phishing incident or password compromise. Phishing attacks happen when a hacker impersonates a trusted source and sends an email containing a link or attachment that can either deliver malicious software or capture sensitive information such as passwords. Alternatively, intruders can access emails using a compromised password, without any other form of hacking or impersonation. Many people are unaware that millions of passwords are for sale on the dark web, as a result of past website breaches. This means that when individuals use the same passwords across different websites it is easy for criminals who have access to the password to access your email, especially if this password is used for the contact email address published on your website.

 

Email-enabled impersonation fraud, malware, phishing and hacking

Cyber incidents and email scams can occur in a variety of ways:

Email fraud often involves impersonation fraud facilitated by email rather than interference with a conveyancer’s computer(s). In many cases, fake emails appear to come from a client or another business contact, while in reality they have been sent from a different email account which has been set up to mirror the victim’s name and email address (otherwise known as ‘spoofing’). These emails typically request payments to a bank account connected with the scammer.

In other cases, email accounts have been hacked, with the hacker then sending emails from the victim’s account containing bogus directions for funds transfers. The fraud is often not detected until a loss is reported, because the hacker will usually delete sent messages from the account and will also set up email rules redirecting replies so that the victim is unaware of the existence of messages sent to and from their account.
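The redirect-and-hide rules described above can be looked for by reviewing each mailbox's rules. The following is an added example, not part of the original article: the rule record layout, the firm domain and the keyword list are assumptions made for illustration and do not correspond to any mail platform's export format.

```python
OWN_DOMAINS = {"example-conveyancing.test"}  # assumption: the firm's own mail domains
PAYMENT_WORDS = ("payment", "invoice", "bank", "settlement", "deposit")

def external_recipients(actions):
    """Forward/redirect targets whose domain is not one of the firm's own."""
    targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
    return [t for t in targets if t.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS]

def audit_rule(rule):
    """Return the reasons (possibly none) this rule deserves a manual look."""
    actions, cond = rule.get("actions", {}), rule.get("conditions", {})
    reasons = []
    outside = external_recipients(actions)
    if outside:
        reasons.append("sends mail outside the firm: " + ", ".join(outside))
    # Deleting, or filing away and marking as read, keeps mail out of the owner's view.
    hidden = actions.get("delete", False) or (
        "move_to" in actions and actions.get("mark_read", False))
    if hidden:
        keywords = " ".join(cond.get("contains", [])).lower()
        if any(word in keywords for word in PAYMENT_WORDS):
            reasons.append("hides payment-related mail from the mailbox owner")
        elif cond.get("from"):
            reasons.append("hides mail from: " + ", ".join(cond["from"]))
        else:
            reasons.append("hides mail from the mailbox owner")
    return reasons

def audit_mailbox(rules):
    """Map rule name -> reasons, for every rule with at least one finding."""
    return {r["name"]: found for r in rules if (found := audit_rule(r))}

# Constructed sample rules (hypothetical layout, not a real export).
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from": ["news@lawsociety.test"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "conditions": {"contains": ["settlement", "bank details"]},
     "actions": {"redirect_to": ["j.smith@freemail.test"], "delete": True}},
    {"name": "Accounts copy", "conditions": {},
     "actions": {"forward_to": ["accounts@example-conveyancing.test"]}},
    {"name": "x", "conditions": {"from": ["client@buyer.test"]},
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(repr(name), "->", "; ".join(reasons))
```

Any flagged rule that the mailbox owner does not recognise should be treated as a sign of account compromise, not simply deleted.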

Professionals’ duty of care

Section 5O of the Civil Liability Act 2002 (NSW) provides that:

‘(1) a person practising a profession ("a professional") does not incur a liability in negligence arising from the provision of a professional service if it is established that the professional acted in a manner that (at the time the service was provided) was widely accepted in Australia by peer professional opinion as competent professional practice.

(2) However, peer professional opinion cannot be relied on for the purposes of this section if the court considers that the opinion is irrational…’

Section 35 of the Act enables a court to apportion liability between “concurrent wrongdoers” where the acts or omissions of two or more parties may have caused the damage or loss that is the subject of a negligence claim.

The concept of a “professional” comes with expectations of specialised knowledge, competency, accountability, ethics, fair dealing and putting clients’ interests first. So, how do email security and technological competence fit into the definition of “competent professional practice”?

Conveyancers hold personal information that they are required to protect and keep confidential, including financial information, such as bank account details, and personally identifiable information, such as driver's licences. A court is therefore likely to consider it the duty of conveyancers to take reasonable steps to ensure that such protected information is adequately secured.

The more frequently that email addresses and passwords are used across different websites, the more likely it is that they could be disclosed via security breaches of those websites. Practitioners who mix personal and business emails in one email account which is used for a range of purposes and to access non-business websites are at greater risk. In this context there is a risk that the use of free email accounts that do not meet modern security standards (such as an ability to incorporate two-factor authentication) would not be regarded as “competent professional practice” by clients or the courts.

 

Taking action  

A quick and easy way to check whether your passwords may have been published online via the breach of other websites can be found at https://haveibeenpwned.com/. If you are still using a password that you find has been published online, you should change it urgently. Use complex passwords (such as phrases containing numbers and other special characters), change them frequently, and consider using a password manager. To protect your clients and your business, consider using:

  • a business grade hosted email service including filtering to block spam, phishing and malicious content or attachments, and which enables two-factor authentication, meaning that another computer cannot access your email without entering a code sent to one of your nominated devices;

  • a DNS-based web filtering service to block high-risk websites; and

  • reputable security software on every computer.

While cyber risk can never be eliminated, taking steps like these can significantly reduce your risk. Don’t let any damage be done to you. 

 

Simone Herbert-Lowe, Director,
Law & Cyber Pty Ltd.

© 2019 Law & Cyber Pty Ltd.

This article is subject to copyright. Except as permitted under the Copyright Act, 1968, no part of it may be reproduced, published, adapted or communicated to the public without the written consent of Law & Cyber Pty Ltd.