Email Spoofing

After last week's article, “Conveyancing Firm Taken for R500K Through Email Hack”, this week we look at logical and effective steps and applications to avoid losing a large chunk of money to a random hacker.

It seems most of the cases have happened in the webmail (email client hosted in the cloud and accessed from anywhere using your browser) space. Before we even start here, if you are using webmail to access your email, I would suggest that you implement these solutions.

Migrate Email to Cloud

If you want email that is available to all staff anywhere, and you are not a large firm, think of moving your email to a hosted solution like Microsoft Hosted Outlook (Exchange Online) or Google Suite for Small Business (G Suite), to mention two of the most popular.

Passwords Must be Painful!

Unfortunately, “KISS” (Keep it Simple Stupid) does not work well in the world of passwords. Weak passwords are a common thread in all the email hacks we have seen. “PassW0rD” or “WebMail123” are going to get you in trouble.

Test your password by using

Use a phrase. Take the movie Forrest Gump: the password could be “!RunF0restRun!”. Then, to spice things up and use a different password for different things, use the same phrase with an F at the end for Facebook, a B for bank, etc. (Thanks to a good IT friend of mine.)

Beef up your Client Initiation Letter

Whatever your first interaction is with your client, use the opportunity to explain your payment process and rules. If need be, give them the banking details upfront, even better if it is on a physical letter. 

Most importantly, tell them that the banking details will not change overnight and to ignore any instruction to change bank accounts during the matter.

Split Your Payment Details

If you want to send your banking details to the client during the matter, send part of the message as email and the balance in an SMS or WhatsApp.
For example:
Email – “Our United Bank banking details have been sent to your mobile phone via SMS, please ensure you receive them, otherwise contact our office to check your cell number.”

SMS – “United Bank, Beach Rd Branch, AccNo: 0987654321, Reference: HHD/221332” 


Pretend you are back in the dark ages when you had to use the telephone to speak to the client.

Prepare the banking details via email, but before you send them, pick up the phone and call the client, advising them that you are sending the banking details via email or SMS, that it is a United Bank account ending in “321”, and that it would be best practice to inform your office once the payment has been made.

Getting a little more expensive now…

Confirm Bank Account

Advise your clients and your staff to use the banking app's “Confirm Bank Account” service. It does cost (R20 – R50), but this could be an extra step to ensure you and your client have the correct information. I believe the risk search applications that all lawyers use have similar search types.

Secure Payment Exchange

Use a secure payment system, or an escrow service. This way your transaction is more secure through a trusted third party, and your clients will be aware that unless it is through this system, the transaction would be fraudulent.

Conveyancing Secure Chat

There are some vendors that offer a secure chat system inside your conveyancing software which allows you to communicate through the software with your client. If this is used, no snooping around your email is going to allow the hacker to see any details of the communication including the banking details.

e4 have a bond tracker mobile app, which they encourage their conveyancing clients to use, that provides secure messaging between the paralegal and the client’s mobile device.

Lexis Convey have a module inside the conveyancing software, called SecureChat which allows secure encrypted communication between the client and the paralegal. There is an option for additional security in the form of a One Time Pin that is needed by the client when receiving their initial communication from SecureChat.

It seems that the idea is to keep away from email for sensitive information.

Most of these solutions take extra effort and time from the conveyancing paralegal to execute, but this is one of those instances where it is not about improved efficiency but about added assurance that will help remove your firm from the sights of the email hacker. None of the above are complicated to implement or use…

Just Do It!
