
Why business e-mail compromise could cost your rental agency everything – and how to stop it


Cybercrime is getting more common and more sophisticated, and businesses that regularly make large electronic transactions – like rental agencies – are tempting targets for criminals.

World-wide, scammers robbed victims of 44% more cash in 2022 than in 2021, and in South Africa alone the damage comes to around R2.2 billion per year.

One particularly dangerous form of cybercrime is business e-mail compromise (BEC) – an e-mail that seems to come from a known source and makes what looks like a legitimate request for payment or information. These e-mails are so hard to spot that you or someone you know has probably fallen victim to such a scam. Some of the world’s biggest companies have been hit by BEC attacks, including Google, Snapchat and Toyota.

In the residential rental industry, a BEC attack might look like an ordinary request from a client or supplier, while actually being a scam carried out using a hacked or spoofed e-mail address. Criminals will often carry out extensive research and use social engineering techniques to make their e-mails as convincing as possible. These criminals might impersonate:

  • One of your landlords asking you to update their payment details;
  • A higher-up at your company asking employees to transfer money or make a purchase;
  • A third-party supplier sending an invoice for works done.

Criminals may pose as a legitimate sender by using a slight variation on a real address, or they might hack a real company e-mail account and use it to send fake invoices or other messages. It’s important to be aware that criminals might also use your e-mail address to send legitimate-looking payment requests to your landlords and tenants, so your clients need to be made aware of the dangers too.

How can you protect yourself, your clients and staff from smart e-mail scams?

As SA’s trusted rental payment authority, PayProp provides top systems, hosting and banking security – but not even the best payment system in the business can stop uninformed users from doing the bidding of exploitative criminals.

BEC is first and foremost a type of social engineering attack, so any policy has to start with staff training and awareness. Inform your staff about the risks of BEC, and stress the importance of checking every incoming e-mail for suspicious signs such as misspelled e-mail addresses – including those in existing e-mail chains, as they can also be intercepted and compromised.
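The misspelled-address check can also be automated at the mail gateway or in a helpdesk tool. The sketch below is an added example, not PayProp code: it compares a sender's domain against an allowlist of known counterparties and flags near-misses. The domains, the character-swap table and the 0.9 similarity threshold are constructed assumptions.

```python
import difflib
from email.utils import parseaddr

# Constructed allowlist: domains your agency already deals with (assumption).
KNOWN_DOMAINS = {"lettings.example", "plumbing-supplier.example"}

# Digit-for-letter swaps commonly used in misspelled addresses (illustrative table).
_DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Collapse visually confusable sequences so 'rn' reads as 'm', '1' as 'l'."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(_DIGIT_SWAPS)


def classify_sender(from_header, threshold=0.9):
    """Return ('known', domain), ('lookalike', imitated_domain) or ('unknown', None)."""
    # parseaddr ignores the display name, which the sender controls freely.
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in KNOWN_DOMAINS:
        return ("known", domain)
    for known in sorted(KNOWN_DOMAINS):
        same_shape = skeleton(domain) == skeleton(known)
        close = difflib.SequenceMatcher(None, domain, known).ratio() >= threshold
        if same_shape or close:
            return ("lookalike", known)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From: headers for demonstration.
    for header in [
        "Thandi <thandi@lettings.example>",
        "Thandi <thandi@1ettings.example>",
        "Accounts <accounts@plurnbing-supplier.example>",
        "Sales <sales@newvendor.example>",
    ]:
        print(header, "->", classify_sender(header))
```

A "known" verdict only means the domain is spelled correctly; a message sent from a hacked real account passes this check, so payment changes still need verification outside e-mail.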

Having the right systems (processes) and policies (rules) in place around payments can also reduce your risk of losing money to scammers, even if your staff are initially taken in.

Cybercrime policy and process best practices

  • Verify any payment requests, changes to a client’s account number or other payment details or procedures before making payments. Do so either in person, or (with trusted clients) via telephone call. No changes to payment procedures should be made based solely on an e-mail.
  • Require dual approval to make a payment or alter beneficiary details. Two heads are better than one at spotting BEC attempts, and requiring a second person’s signoff provides extra protection if one of your employees is in on the fraud.
  • If possible, use automated systems to make rental payments rather than relying on employees to transfer money manually. Using an automated system like PayProp means that payments will only be sent to the payment details provided by the beneficiary, and any changes to payment details can be strictly monitored and require multiple approvals.

Protecting service users is critical too

It isn’t enough to have anti-fraud procedures in place within your organisation. Companies that deal with incoming transactions also need to make their landlords aware of the risks of handling accounts receivable.

Leading case in point

In a recent case heard by the Gauteng Local Division High Court, conveyancing firm Edward Nathan Sonnenberg Africa was ordered to pay R5.5 million plus punitive costs to a property buyer after she became the victim of a BEC scam. The buyer had already successfully placed a deposit, and then paid the balance of the transaction electronically using bank details that had been e-mailed to her. However, criminals had hacked her e-mail account, intercepting the e-mail and replacing ENS’s bank account details with those of an account controlled by them.

ENS’s own systems had not been compromised. However, because they had not warned the buyer about the risks of BEC or advised her of a verification process to use before making a payment, the court found that they hadn’t taken reasonable care.

Next steps

Given the exposure of businesses handling client money – and their possible culpability, even if their clients are at fault – do NOT stop at implementing the above policy and processes. Also send out a regular warning about BEC to all landlords and tenants as standard, setting out your agency’s standard payment and verification procedures. For example, your procedures may involve taking payments automatically using bank details provided at the start of the contract, and requiring confirmation of any change of bank details. Emphasise that any requests for money or information that do not follow these procedures are fake.

Using an automated system to collect and pay out rent can help protect your payment service users, as they will have to make fewer transactions by hand.


BEC is an inherently difficult type of financial crime to defend against, which is why it’s critical to do everything you can to prevent it. By arming your employees and clients with the information they need to recognise BEC and putting the right procedures and technology in place, you can reduce the risks to your business and the people you work with.
