The principal immediately called their bank but they were unable to stop the transaction. Fortunately, all but one of the payments were returned, leaving a shortfall of $80,000 that could not be recovered.
The principal said: “I have been a principal for over 20 years, am very thorough and careful in what I do. Many agencies will think it can’t happen to them because they have systems in place, but they need to be aware that it can happen to anyone. Complacency is your biggest enemy.
“It is important that agencies become more aware of cybercrime and check the systems they have in place to protect themselves, because this type of crime is growing exponentially.
“I was also surprised to find that our bank exhibited almost no empathy and, despite the amount of money stolen, needed to be constantly followed up for feedback on the potential return of the funds. An attempt to report the theft to the police resulted in a refusal by them to even take details of the crime. So you are totally on your own!
“I have lost all my sense of personal security because of this. It is terrifying what hackers can do and the level of sophistication is incredibly high.”
The agency did not have a standalone cybercrime insurance policy but had a cybercrime extension of their professional indemnity insurance, which is limited for cyber claims. Professional indemnity insurance also requires a third party to make a claim against the agency to cover a loss.
The Property Stock and Business Agents Act 2002 (No 66, Part 7, Section 89) requires a licensee to notify the Secretary in writing of a trust account becoming overdrawn within five days of becoming aware.
The Secretary means the Commissioner for Fair Trading, Department of Finance, Services and Innovation, or if there is no person employed as Commissioner, the Secretary of the Department of Finance, Services and Innovation.
The notification needs to include letting them know the name and number of the account, the amount by which the account is overdrawn, and the reason for the account becoming overdrawn. If not they can receive a maximum penalty of 100 points.
The perpetrator of this cybercrime has been identified as a 19-year-old from Estonia with a valid Australian visa, who has a warrant out for his arrest. Two of his accomplices have been arrested.
How did it happen?
The principal used a security USB device to access their banking online, after entering their username and password. Once logged in to transfer some funds they received a message saying the online site was down for maintenance, so they logged out.
The principal attempted to log back in three hours later and found the same message. Concerned this was unusual the principal checked with their accounts department if they had had a problem accessing the site.
Once the accounts department logged into the bank online, to their horror they noticed five transactions amounting to over $750,000 dollars which had not been authorised. The hackers had gained access from logging in earlier.
The principal added: “No one can work out exactly how the hackers did it. My IT team spent three days on a forensic examination of the office server and individual computer and could find no evidence of any malware or spyware or any affected files.”
Lessons learnt
The principal had this advice to offer to agencies from the lessons they have learnt.
- Check your internet banking does not allow for Real Time Gross Settlement (RTGS) payments. This allows a same day transfer to another bank with transactions being settled as soon as they are processed, allowing for money to be transferred and withdrawn in a very short space of time rather than overnight
- Do not provide permissions for the same person to create and authorise a payment
- Carefully check transfers before authorising them. The agent, since the theft, noticed that the hackers had processed a test payment of water rates which they cancelled
- Do not use a USB to access internet banking as they can be compromised
- Don’t rely on your bank to protect you or put the correct safety systems in place - do your own due diligence on protection and ask questions of your bank and insurer on cybercrime prevention!
- Check that you are covered for cybercrime under your insurance policy
- If you are a victim of cybercrime, lodge a report with the Australian Cybercrime Online Reporting Network.
What policies can cover against this?
Samuel Rogers, from the cyber unit at JLT, who are the current distributors of Realcover, said: "This is an unfortunate situation and unfortunately this scenario would most likely not be picked up under a cyber insurance policy.
"This is a pure financial loss resulting from fraudulent access, and does not involve the loss or damage of data or a consequential business interruption loss caused by a system outage.
"This kind of loss is not normally covered under a cyber insurance policy, although there are a small number of policies that would add this cover by extension, normally for an additional premium, and at a sub-limited amount.
"This kind of loss is more likely to be insured however under a crime insurance policy, which will normally extend cover to computer fraud - the unlawful taking or fraudulently induced transfer of monies resulting from computer violation or unauthorised manipulation of computer systems, which was the case here."