
Iron Bastion - How to protect your conveyancing practice from payment redirection fraud


Practical tips to defend your conveyancing practice from cyber attacks and payment redirection fraud

Published in: Technology


  1. How to protect your conveyancing practice from payment redirection fraud? Practical tips to defend your business from cyber attacks
  2. Who we are Nicholas: Technology and legal expert with over 20 years of industry experience. Gabor: Cybersecurity expert with over ten years of experience, having worked in both private and public sectors
  3. Who we are www.ironbastion.com.au We defend small to midsize businesses from cyber scams and hacking
  4. What we are covering tonight… 1) Why cybercriminals target conveyancing practices 2) The consequences of being scammed 3) How payment redirection fraud works 4) How to protect your practice 5) Questions
  5. Would everyone please stand up… Before we begin, a small exercise
  6. Sit down if you…. ❌ Have a business computer which does not have anti-virus ❌ Have advanced phishing protection in place? ❌ Do not know what two-factor authentication (2FA) is, or have never used 2FA for your email ❌ Do you provide phishing awareness training to your employees? Anyone still standing? ❌ Have used 2FA but turned it off because it was too inconvenient
  7. 1) Why cybercriminals target conveyancers?
  8. 1) Why cybercriminals target conveyancers? • Practitioners are low-hanging fruit for cybercriminals. • underinvestment in security • bad advice • no advice • High-value financial transactions • Insecure communication channels • New e-conveyancing platforms
  9. 1) Why cybercriminals target conveyancers? In-house research of conveyancers:* • ISP-provided email (e.g. TPG) - 20% • Webmail (e.g. Hotmail) - 10% • Office 365 - 70% * Non-representative sample
  10. 1) Why cybercriminals target conveyancers? Anti-phishing protection: • Yes - 0% • No - 100% Two-factor: • Yes - 10% • No - 90% Password reuse: • Yes - 90% • No - 10% Paid antivirus: • Yes - 90% • No - 10%
  11. You do not have to look far for Aussie examples • “MasterChef finalist caught in conveyancing hacker attack” • Mid-May, a client lost about $700,000 • May 31, when a client lost more than $1 million https://www.propertyobserver.com.au/forward-planning/advice-and-hot-topics/85862-pexa-warning-as-conveyancing-fraud-funds-end-up-in-thailand.html https://www.smh.com.au/business/companies/masterchef-finalist-caught-in-conveyancing-hacker-attack-20180622-p4zn4o.html
  12. 2) Consequences?
  13. 2) Consequences? • Breach of confidential information • copies of identity documents • personal details • Financial • Lawsuits • Reputation
  14. Try Googling your brand… once you have suffered a publicised data breach
  15. 3) How payment redirection scams work
  16. 3) How payment redirection scams work As easy as 1-2-3 1. Steal mailbox passwords • Phishing • Data breaches 2. Intercept emails 3. Tamper with payment instructions
  17. Phishing • Social engineering • Exploits the weaknesses in people – ‘click, whirr’ behavioural responses • Fake logins that capture credentials
  18. Credentials from data breaches • Websites get hacked. • People reuse the same email and password across multiple online accounts.
  19. Credentials from data breaches
  20. Secret: “hackers” log into your webmail
  21. 4) How to protect your practice
  22. 4) How to protect your practice 1. Two-factor authentication (2FA) 2. Stop email spoofing 3. Better antivirus 4. Anti-phishing services
  23. 4) How to protect your practice 1. Two-factor authentication (2FA) 2. Stop email spoofing 3. Better antivirus 4. Anti-phishing services
  24. I. Two-factor authentication (2FA) Powerful security measure protecting from: • Bad passwords • Stolen passwords • Leaked passwords
  25. I. Two-factor authentication (2FA)
  26. I. Two-factor authentication (2FA) How to turn on: https://blog.ironbastion.com.au/how-to-prevent-payment-misdirection-fraud-at-your-conveyancing-practice-2fa/
  27. 4) How to protect your practice 1. Two-factor authentication (2FA) 2. Stop email spoofing 3. Better antivirus 4. Anti-phishing services
  28. II. Stop email spoofing
  29. II. Stop email spoofing How to impersonate Saul Goodman <saul.goodman@sgassociates.com> • Method #1 – Email Address Spoofing: Saul’s email address and his name are spoofed on an incoming email so that the sender appears to be: Saul Goodman <saul.goodman@sgassociates.com> • Method #2 – Display Name Spoofing: Only Saul’s name is spoofed, but not the email address: Saul Goodman <saul.goodman1337@gmail.com>
  30. II. Stop email spoofing Method #1 – Email Address Spoofing: Saul’s email address and his name are spoofed on an incoming email so that the sender appears to be: Saul Goodman <saul.goodman@sgassociates.com>. Defence: SPF/DKIM/DMARC DNS records. More: https://blog.ironbastion.com.au/email-impersonation-scams-phishing-what-your-staff-can-do/
  31. II. Stop email spoofing • Method #2 – Display Name Spoofing: Only Saul’s name is spoofed, but not the email address: Saul Goodman <saul.goodman1337@gmail.com>. Defence: Add warning banners; use anti-phishing services. More: https://blog.ironbastion.com.au/email-impersonation-scams-phishing-what-your-staff-can-do/
  32. 4) How to protect your practice 1. Two-factor authentication (2FA) 2. Stop email spoofing 3. Better antivirus 4. Anti-phishing services
  33. III. Better antivirus Keeps your computer safe from: • Ransomware • Phishing • Keyloggers • Miscellaneous wizardry
  34. III. Better antivirus Buy the business version of any of these: • avast! • Avira • Bitdefender • ESET • Kaspersky
  35. 4) How to protect your practice 1. Two-factor authentication (2FA) 2. Stop email spoofing 3. Better antivirus 4. Anti-phishing services
  36. IV. Anti-phishing services (email) Pre-screens your incoming emails • Superior to your spam filter • Machine learning & AI powered • Text semantics • Web link protection • Deep analysis of file attachments
  37. IV. Anti-phishing services (email) • Typically available as separate services for your email platform • Works with every platform (Office 365, G Suite, GoDaddy, etc.) • We suggest you research what providers on the market offer managed anti-phishing services
  38. IV. Anti-phishing services (web browsing) Web browsing protection protects from phishing attempts arriving in: • Private emails • Instant messengers (WeChat, etc.) • Text messages
  39. IV. Anti-phishing services (web browsing) Blocks access to phishing websites on: • Computers and smartphones • In the office or on the road • Protects your staff at home
  40. IV. Anti-phishing service (II.)
  41. III. Anti-phishing services (phishing awareness) 4% of people in any given phishing campaign will click on a phishing email* 1. Phish your own staff 2. Identify vulnerable people 3. Target them with training materials * https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
  42. 5) Where to get help
  43. 5) Where to get help • Report the scam to ACCC ScamWatch, ACORN and ACSC • Victims of identity theft: you should contact IDCARE, a not-for-profit that helps people • Have a conversation with your IT service provider, or staff. Use these slides as a talking point!
  44. 6) Questions? 💌 nick@ironbastion.com.au 💌 gabor@ironbastion.com.au 🌏 www.ironbastion.com.au
  45. Attribution • https://blog.cryptoaustralia.org.au/2018/07/19/how-to-protect-your-legal-practice-from-payment-redirection-fraud/ • Cruz/Kavadias/Szathmari – How to Protect Your Legal Practice from Payment Redirection Fraud
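Slides 29 to 31 describe the two impersonation methods (address spoofing, caught by the sending domain's SPF/DKIM/DMARC DNS records, and display-name spoofing, caught by a warning banner). The following Python is an added example, not code from the presentation or from Iron Bastion: it assumes a mail gateway hands it the `From:` header and the `Authentication-Results:` header the receiving server wrote after the DNS checks, and it uses a constructed contact directory; a message with no authentication results is treated as unverified.

```python
import re
from email.utils import parseaddr

# Constructed contact directory (assumption): display names your staff would
# trust, mapped to the domain that person really sends from.
KNOWN_CONTACTS = {"saul goodman": "sgassociates.com"}
PROTECTED_DOMAINS = set(KNOWN_CONTACTS.values())


def auth_verdicts(auth_results: str) -> dict:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header.

    The receiving mail server writes this header after checking the sending
    domain's SPF/DKIM/DMARC DNS records; anything it did not report is 'none'.
    """
    found = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_results.lower()))
    return {k: found.get(k, "none") for k in ("spf", "dkim", "dmarc")}


def classify_sender(from_header: str, auth_results: str = "") -> str:
    """Return 'ok', 'display-name-spoof' or 'address-spoof' for one message."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:
        # Method #2: the trusted name is shown, but the mailbox behind it
        # is somewhere else (e.g. a free webmail account).
        return "display-name-spoof"
    if domain in PROTECTED_DOMAINS and auth_verdicts(auth_results)["dmarc"] != "pass":
        # Method #1: the real address is claimed, but the domain's own DNS
        # policy (DMARC, backed by SPF/DKIM) did not vouch for this message.
        return "address-spoof"
    return "ok"


def warning_banner(from_header: str, auth_results: str = "") -> str:
    """Banner text to prepend to the message body; empty when nothing is suspicious."""
    verdict = classify_sender(from_header, auth_results)
    if verdict == "ok":
        return ""
    return (f"[WARNING: {verdict.replace('-', ' ')} suspected for {from_header}; "
            "verify payment details by phone before acting]")
```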
