Simon Glover of property insurance specialists and ARMA Affiliate Chambers & Newman looks at the vulnerability of your clients’ money and what you can do about it.
The past eighteen months have seen some high-profile cyber-attacks perpetrated against well-known national and multinational companies. It’s easy to discount these infractions as extraordinary attacks on prominent organisations. However, recent evidence suggests fraudsters are much more likely to target SMEs using high-frequency and comparatively low-impact attacks to evade attention from the authorities.
The issue was given significant coverage during a 2015 RICS seminar where it was highlighted that property management companies and estate agents are particularly vulnerable to such frauds given their requirement to hold substantial caches of client money.
In recent months Chambers & Newman have been made aware of seven similar scams perpetrated against separate property management companies, four of which were successfully executed, resulting in losses of between £8,000 and £16,000 each. Whilst both small and medium-sized firms were targeted, the scammers had more success hitting companies with fewer than ten employees, given the propensity of smaller businesses to have less rigorous checking processes and less robust security protocols in place.
A typical scam begins with hackers collating information on key people within an organisation before forwarding what appears to be an innocuous spam email to one or more of them. Once the email is opened it triggers a malicious program to embed itself deep in the company email server, where it begins sending copies of all incoming and outgoing emails to the fraudsters. The hackers then play the long game, often over many months, monitoring email correspondence to and from the key people to determine patterns of behaviour, colloquial terminology and writing styles.
Once the hackers are in a position to proficiently mimic a key person, they wait for an opportunity for the key person to be away from the office on a client visit.
The hackers strike by sending an email to a member of the accounts payable team, purporting to be from the key person and asking if an urgent money transfer can be sent to a client/contractor.
To the accounts person, the email appears legitimate as it is sent from the key person’s own email address and styled in the usual format. The accounts person has no reason to reject the transfer and replies requesting the amount and recipient account details. Within minutes of the completion of the transfer the fraudsters will have emptied the recipient bank account, which they will never use again.
It is virtually impossible to recover the money once the transfer has been completed.
Invoice fraud is a close relative of the aforementioned scam, utilising ‘email logging’ malicious software (malware) in the same manner as before. However, in this case, the hackers monitor email correspondence between the company and its suppliers/contractors.
After a period of time, they will have assembled a profile of contract types and sizes as well as supplier invoice formats. Once the criminals become aware of a substantial contract nearing completion, a fake invoice is drawn up to look identical to previous invoices issued by the same contractor including company logos, a correct contract value and a consecutive invoice number.
Within days of the contract’s completion, an email containing the fake invoice will be forwarded to the company accounts team. The fake invoice will, for all intents and purposes, appear genuine, with the only difference being amended bank account details. This fraud is particularly pernicious as it may be a number of weeks and months before the legitimate supplier/contractor submits an invoice for payment, at which point the scam is discovered and the criminals have long since departed with the money.
The fallout and misconceptions
Many individuals and business owners are under the impression their bank will reimburse losses incurred as a result of cyber frauds, but they are mistaken. Banks have gone to huge lengths to divest themselves of liability following substantial losses at the initial launch of internet banking and will not accept responsibility for losses arising out of frauds for which they were not negligent.
Victims are understandably reluctant to report the fraud to the Police or their clients for fear of reputational damage. In some cases, once the full enormity of the breach becomes apparent, the scale of the loss coupled with rectification and legal costs becomes too large for the company to absorb, forcing it to close.
Given the quickening pace of technology and the increasing sophistication of such scams, the instigation of a small number of risk reduction processes can help property management companies identify the threats and best protect their clients’ money.
1. Educate your staff to the risks
If an urgent money transfer is required, always double-check the request by calling the key person to verify it was actually they who requested it. Similarly, if an invoice is received via email from a supplier/contractor with changed bank account details, again verify the invoice is correct with the supplier/contractor using a known telephone number.
2. Install strong anti-malware software on all devices
Traditional anti-virus software is often unable to detect ‘Trojan horse’ attacks because the malicious program is contracted via an attachment in an email rather than via an infected website or an unsecured network. Good anti-malware software will immediately identify and remove known malicious software, substantially reducing exposure to ‘ransomware’, ‘email logging’ and ‘keylogging’ attacks.
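The call-back check in step 1 can be enforced in the payment process rather than left to memory. The sketch below is an added example, not part of the original article: it compares the bank details on an emailed invoice with those recorded when the supplier was set up and holds the payment if they differ. The supplier record, field names, sort codes and phone numbers are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed supplier master file: details captured at onboarding,
# never updated from an emailed invoice.
SUPPLIER_MASTER = {
    "ACME-ROOFING": {"sort_code": "12-34-56", "account": "00011122",
                     "phone": "020 7946 0001"},
}

@dataclass
class Invoice:
    supplier_id: str
    number: str
    amount: float
    sort_code: str
    account: str
    contact_phone: str  # phone number printed on the emailed invoice

def _digits(value: str) -> str:
    """Compare on digits only so '12-34-56' and '12 34 56' match."""
    return "".join(ch for ch in value if ch.isdigit())

def review_invoice(inv: Invoice, master=SUPPLIER_MASTER):
    """Return (decision, reasons); decision is 'RELEASE' or 'HOLD'."""
    record = master.get(inv.supplier_id)
    if record is None:
        return "HOLD", ["supplier not on file; verify before first payment"]
    reasons = []
    on_file = (_digits(record["sort_code"]), _digits(record["account"]))
    if (_digits(inv.sort_code), _digits(inv.account)) != on_file:
        reasons.append("bank details differ from record; call supplier on "
                       + record["phone"])
    if _digits(inv.contact_phone) != _digits(record["phone"]):
        reasons.append("phone number on invoice differs from record; "
                       "do not use it for the call-back")
    return ("HOLD" if reasons else "RELEASE"), reasons

# Constructed samples: a genuine invoice and a forgery with the next
# invoice number, the correct value and amended bank details.
GENUINE = Invoice("ACME-ROOFING", "INV-0042", 14500.0,
                  "12 34 56", "00011122", "020 7946 0001")
FORGED = Invoice("ACME-ROOFING", "INV-0043", 14500.0,
                 "65-43-21", "99988877", "020 7946 0999")

if __name__ == "__main__":
    for invoice in (GENUINE, FORGED):
        print(invoice.number, review_invoice(invoice))
```

The call-back always uses the number held on file, because a forged invoice can carry a forged telephone number as easily as a forged account number.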
Where client money has been lost to a sophisticated cyber fraud, Professional Indemnity will only react to legal actions brought against the property management company by their client. This leaves the property management company in the rather uncomfortable and embarrassing position of having to contact the client to inform them of the loss while being unable to offer any practical solutions, because doing so would be considered inviting a claim by the insurer and would thus breach the policy conditions.
Furthermore, the jury’s still out on whether a Professional Indemnity policy will even cover the loss. Protracted legal disputes will most certainly result in a souring of the relationship between property management companies and their clients.
Several UK Insurers are now providing “Commercial Crime Insurance” that would protect you against such losses. However, there are three drawbacks to this solution:
- Premiums at present are expensive
- Policy excess would normally start at £10,000
- If the loss relates to client money, Insurers require you to make a claim under your Professional Indemnity policy first. If that is unsuccessful, you would then make a claim under the Crime policy.
Chambers & Newman solution
Chambers & Newman believe they have devised the right insurance solution. In conjunction with Aviva, we have developed a ‘first port of call’ Commercial Crime product which will react as soon as the fraud is discovered, bypassing the requirement to process the claim via the Professional Indemnity route first.
The product has been specifically designed for property management companies, estate agents and associated trades, with reduced excesses and lower premiums compared to competitor crime products.
There is no subrogation clause, meaning Aviva will not attempt to pursue the Professional Indemnity insurer for recovery of an outlay, which in turn means statutory Professional Indemnity premiums will not be affected at renewal. Moreover, it also covers the property management company’s own money losses. Those companies which have enacted the cover have discovered it can draw in new clients attracted to the extra layer of protection for their money.
A typical property management company with a fee income of £250,000 to £500,000 can expect to pay £625 for £250,000 of cover and a £2,500 excess.
For additional support and advice on ways to best protect both your clients and your own money from the increasing scourge of cyber-fraud, please contact Simon Glover at Chambers & Newman on 020 7292 3034 or firstname.lastname@example.org.