Cyber fraud a reality for agents
MAIN IMAGE: Robert Krautkramer, Director of Miltons Matsemela; Jan Davel of PayProp
The Covid-19-pandemic brought many changes to the workplace, one of the most important being the hybrid working structures that were created due to people having to isolate. This in turn lead to a global spike in internet-based offences, partly driven by these home-based working stations. A recently promulgated new law now brings South Africa up to international standards for fighting cybercrime.
The country’s well-developed financial infrastructure makes it an attractive target for cyber criminals who use the internet for extortion, fraud, child pornography, human trafficking and selling illicit goods.
“In order to reflect on the severity of the situation, I thought it best to reflect on a matter that came to my attention just last week. Our IT manageress was asked to act as an expert witness in a trial, which is being conducted virtually, between two law firms,” says Robert Krautkramer, Director of Miltons Matsemela.
“The one firm was instructed to attend to a transfer. It then sent its banking details to the purchaser by email, to pay of R5 500 000.00 into its Trust account. The fraudster, pretending to be an attorney from the law firm, called the purchaser, telling her that they had erroneously sent the wrong details and would send a fresh email with the correct details.
“A fresh email, from a spoofed email account, was sent with false banking details and the next thing you know, R5 500 000 is missing. The firm is of course now being sued for R5 500 000 on the basis that they did not take enough steps to guard against cyber fraud. The scary part is that the scam artists had the purchaser’s contact details, they knew who the secretary and attorney were who would be looking after the transaction – they had all the details.
“Where do fraudsters get this information so early in the transaction? It could be the agency that has an employee that is in on it, it could be the attorney firm, it could be someone at the bond origination company or even the bank. We will never know,” Krautkramer explains.
What can estate agents do to protect purchasers, and themselves?
According to Krautkramer the best solution is to return to basics and keep things simple. He says everyone is trying hard to rely on technology these days but what is forgotten, is that fraudsters will always keep trying and in many instances, they will succeed.
“The only thing one can do, is to take reasonable steps to try as best one can, to try and prevent this from happening. Here is what I suggest: If you are an agency that takes deposits on sales, or rentals for that matter, why not just enter your banking details onto the OTP/Lease, ensure that the purchaser/tenant initials next to this and ensure that he/she is provided with a copy for future use.
“In the clause you have a disclaimer which reads along the following lines: The purchaser/tenant has been warned against cyber fraud. He/she has been advised that these details will not change and if he/she receives ANY communication to the contrary, he/she must contact the agency without delay.
“Should the purchaser then still receive fake calls, whatsapp messages or emails and make payment into the wrong account, you are at least protected because you have then taken reasonable steps to protect yourself and the purchaser. Sadly, as we all know, purchasers do not always follow instructions or advice and for that we cannot be held responsible. All that we do have to do, is show that we have taken reasonable steps. This suggested route is probably the simplest, yet the safest,” Krautkramer emphasised.
Krautkramer explained that if you are an agency which does not take deposits for transfers, and where the attorney is to take the deposit, do not be tempted to share banking details. If you send the wrong details, you will be liable to refund this.
“All you can do is to ensure that you have warned the purchaser of the risks of cyber fraud. It is also here where you want to forge relationships with a law firm that does have a secure system in place. At Miltons Matsemela we use Lexis Tracker. The purchaser gets a username and enters a password and only he/she can access the portal, where our banking details are available. We do not email banking details.
“We also advise purchasers to first do a test payment and to await confirmation from us before paying the bulk. I for one also invite agents to create whatsapp chat groups with purchasers where I share our banking details – this way the purchaser can feel safe because the agent introduces me to the purchaser, in a safe environment,” Krautkramer said.
Why should the real estate industry be aware of cybercrime?
Jan Davel of PayProp agrees with these comments and confirms that more and more transactions take place online, including rental transactions. The more money is moved over the internet, the more attempts people will make to steal it. During the COVID-19 pandemic, which saw an unprecedented move towards online payments as people avoided face-to-face contact, certain types of financial cybercrime increased by more than 700%.
Impact of industry
“Worldwide, hundreds of billions of dollars are lost to cybercrime each year, and the amount of money moved by real estate professionals makes the industry a tempting target for criminals. However, the risks aren’t just financial. The rental industry runs on trust – landlords rely on rental agents to look after what can be the most valuable assets they own, while tenants look to us to keep a roof over their heads. Losing client money or data to criminals damages that trust, often permanently,” Davel explained.
Most common cyber attacks
According to Davel criminals can and do hack into poorly protected systems. However, the most damaging attacks are often ‘spear phishing’ or social engineering – tricking employees into handing over data or money to criminals or downloading malware. It’s often easier to exploit human vulnerabilities than technological ones.
“Preventing cyber-attacks begins with training. Rental agents need to know what a phishing attack looks like and understand the dangers of giving away data to unauthorised people.
“Technology also plays a role. Aside from the obvious encryption and data security measures that rental agencies should have in place already, a robust automated rental payment system will track every transaction in real time and alert users to any suspicious activities or payments.
“A decent automated rental payment system will also leave an indelible, date-stamped audit log that shows exactly which person was responsible for each action in every transaction. Such logs are very helpful in the management and training of rental administrators. Additionally, it will ensure that no employee can carry out a transaction from end to end and requiring dual signatories on any new transaction makes cyber-attacks much more difficult,” he said.