Security Updates topics

Microsoft Internet Explorer Critical Zero Day Vulnerability

IndikaWimalasiri — Mon, 20 Jan 2020 22:39:34 GMT

This advisory applies to Microsoft Internet Explorer Web Browser

What is the new software vulnerability?

PEXA Security is aware of a Microsoft Windows Internet Explorer zero day vulnerability which is being attacked by malicious actors and other cyber criminals over the internet. You can be a target of this attack by clicking on a link or opening an attachment sent you by an unknown party or malicious actor.

More information on this can be found on the links below

How do I address/mitigate the vulnerability?

Currently there is no patch available from Microsoft for this vulnerability. However, they have provided a workaround to protect users from being a target of this attack.

Important - Given the use of malicious websites as part of the vulnerability’s exploitation routine, individual users are encouraged to practice caution when it comes to clicking links, especially those embedded in a suspicious email message.

Do I need to take any action?

Reach out to your IT support service team or your regular System Maintenance team about this vulnerability. They may already be aware of this and it would be important to check with them and follow the instructions given.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001

https://thehackernews.com/2020/01/internet-explorer-zero-day-attack.html

Thank you.

PEXA Security

Security Advisory – Citrix Zero Day Vulnerability Alert

IndikaWimalasiri — Tue, 14 Jan 2020 03:38:35 GMT

We are aware of a critical zero day vulnerability discovered in the Citrix application. This vulnerability is still without any permanent fixes and patch is yet to be released by the Citrix vendor.

If you are using Citrix applications (example - for digital signing certificate) described in the article below there is a potential you may be vulnerable. Your IT team/ support services may already be aware of this and it would be important to check with them and follow the instructions. We recommend you consider implementing the mitigation strategies explained in the advisories below.

https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/

https://support.citrix.com/article/CTX267027

https://support.citrix.com/article/CTX267679

Thank you

PEXA Security Team

Security Advisory - Critical Vulnerability Alert

IndikaWimalasiri — Tue, 14 Jan 2020 03:04:42 GMT

Dear PEXA Community,

This advisory applies to Firefox Web Browser installed on all device types.

What is the new software vulnerability?

New critical vulnerability in the Firefox web browser has been discovered by security researches which is currently being attacked by malicious parties and criminal groups. Attackers could use this vulnerability to gain access to your devices by exploiting the way Firefox browser works on your devices.

Do I need to take any action?

Yes. Firefox vendor has released an emergency security update which addresses the vulnerability and has advised everyone who uses Firefox to immediately update to the latest version.

How do I update my Firefox Web Browser?

PEXA Security always advise to keep your software, including web browsers, up to date.

Please follow the steps below to update your browser,

Open your Firefox Web Browser and Click on the “Menu” and then Click on the “Help" (As indicated in red colour on the screen capture below)

2. Click on the “About Firefox”. This will start the update automatically

3. Make sure version it displays is as same as below highlighted in red text box

PEXA Security recommends members enable automatic updates to make sure in the future, new browser updates are done automatically.

Go to the top right-hand corner “Menu” and click on “Options” from the dropdown menu

2. Scroll down to the section “Firefox Updates” and tick the “Automatically install updates” check box. This will install updates automatically without any manual intervention in the future.

Thank you.

PEXA Security

Member Security Alert

HeatherC — Mon, 04 Nov 2019 06:04:22 GMT

Hi Community,

PEXA has been made aware of a sophisticated phishing incident targeting an Australian conveyancer. In this instance, an email was sent to a client of a practitioner purporting to be from the practitioner. The sender of the email had established a similar email address to that of the practitioner, and subsequently telephoned the client to advise of a change to bank details.

PEXA reminds all members of the importance of having processes in place to obtain or share account details with clients, and to confirm those by a secondary means. We have previously posted about this here.

PEXA also recommends members implement multi-factor authentication for email accounts that are used for business purposes to reduce the risk of compromise.

Members are also encouraged to consider using PEXA Key to securely communicate and receive bank account details with their clients.

Heather

Can you spot the scam? - phishing email

TJ — Fri, 11 Oct 2019 03:09:41 GMT

Can you spot the scam? - phishing email

Below is a seemingly legitimate email from PEXA – but is it?

There are nine red flags in this email that you should always be on the lookout for. Hover your mouse over parts of the email which you believe to be a red flag to reveal them!

Tell us in the comments below how many red flags you found! Answers will be released next week.

Security Shorts - Episode 1

Meghan — Thu, 10 Oct 2019 22:39:01 GMT

Securely managing your Digital Certificate

Welcome to the first episode of Security Shorts featuring one of our experts !

This series will focus on providing you with informative and useful information to help you with your PEXA and IT security. In this episode, Jesse will be discussing how to securely manage Digital Certificates. Stay tuned for the next episode!

Tips to protect your mobile device & its data

DavidWillett — Thu, 10 Oct 2019 04:55:44 GMT

We use our mobile device and its installed apps every day. The apps we download make it easy for us to do everyday things like check our mail, tap onto the tram/train/bus, update our Instagram story, pay for coffee, track our calories and now even to track our property settlement (shameless plug of PEXA Key). All conveniently completed on our way in to work.

With all this private information available at the touch of a button, keeping our phones and chosen apps secure has become increasingly important.

Here are some handy tips to assist you in doing so.

1. Download from official stores

Cybercriminals are known to create rogue mobile apps that mimic trusted brands in order to obtain users’ confidential information. To avoid these types of scams, always download new apps from the official app stores, check the publisher is from the official supplier e.g. Property Exchange Australia Ltd) and when the app was last updated. For example, PEXA Key is available exclusively on the Google Play Store and Apple App store.

2. Use device security

All smart phones have multiple methods of authentication available. We advise you to:

Not leave your phone unlocked. Make sure your phone is set to auto lock within 30-60 seconds of inactivity; and
Use at least one of the authentication methods available to unlock your device e.g. facial recognition etc.

If using a pin code to access your phone, do not use the same pin for your apps or write them down on a piece of paper. Try using a password manager app to store, keep track of and generate new passwords and pin codes.

3. Call your provider

If you lose or misplace your phone, call your provider to ensure your SIM is deactivated to protect your phone and the apps on it from potential criminals. This is good advice for your clients who use PEXA Key. It is also important that they remember to notify you in the unlikely event that they lose their phone.

4. Anti-virus on your phone

Your hand-held device is no different to your laptop or PC and is similarly susceptible to scams such as phishing. Consider installing anti-virus software onto your mobile device.

Security Advisory - Vulnerability Alert - "Bluekeep"

IndikaWimalasiri — Tue, 13 Aug 2019 23:54:25 GMT

The threat of cyber-attacks are real but there is something you can do about it.

The Australian Government’s Cyber Security Center has released a critical security advisory to individuals and business organizations using older versions of Microsoft Windows operating systems (Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008) to apply security update/upgrade to newer operating system version to avoid being compromised for the vulnerability named as “Bluekeep”.

What is Bluekeep ?

Bluekeep is a vulnerability in the Windows operating system’s Remote Desktop Protocol (RDP – service use to connect to another computer/network remotely) which allows an attacker to execute commands to compromise your computer. BlueKeep exploit has the potential to spread in a virus fashion and self-replicate without requiring any user interaction.

An unpatched system gives criminals a front door to break into your computer or network and steal your corporate and customer information.

The threat of cyber-attacks are real but there is something you can do about it.

How to protect my systems?

It is critical that organisations and individuals operating older versions of Windows systems immediately install Windows BlueKeep vulnerability patch, available at Microsoft website.

Recommendations

Identify the Computer Systems operating older version of Windows Operating Systems. ( Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems)
Confirm you have backup of data available if needed.
Apply the updates through Windows Update or manually by downloading it from Microsoft website.
Reach out to your IT service support team and ask them to address the Bluekeep if not already.

Mitigation activities until patch is applied.

Practice due diligence and be alerted around what happens in your computer. If any unusual activities observed, engage your IT personnel to look in to it.
Avoid using Remote Desktop Services from internet. (If needed use it only over a Virtual Private Network and with multi-factor authentication.)
Always keep operating systems and application up to date.
Backup your data to a secure location. (Cloud storage/offsite volume)

More Info - https://www.cyber.gov.au/news/update-acsc-confirms-potential-exploitation-bluekeep-vulnerability

Are you using unsupported software?

Meghan — Mon, 16 Dec 2019 05:35:43 GMT

Why you shouldn’t use unsupported software:

The below software is no longer supported by Windows and Apple, but what does this mean?

Windows XP
Windows Vista
Mac OS X (Snow Leopard)
Mac OS X (Mavericks)
Mac OS X (Yosemite)
Mac OS X (El Capitan)

Unsupported software will not receive updates or security fixes which are vital in maintaining your system’s security. This leaves your system vulnerable to hackers who actively target unsupported systems.

In addition, as per your obligations as stated in the PEXA Subscriber Security Policy: ‘Subscribers are required to maintain the security of their computer systems and keep them up to date, including taking reasonable steps to install patches and operating system updates’.

When using unsupported software, this obligation can no longer be met as these products are not supported. In addition, running unsupported software may impact performance when using the PEXA platform, including your signing capabilities.

What should you do?

In order to ensure your compliance with the PEXA Subscriber Security Policy, you must upgrade as soon as possible to a supported version of Windows or macOS.

For Windows users, while Windows 7 is currently supported, it will be end of life from the 14^th of January 2020. To avoid having to upgrade again, it is recommended to upgrade directly to Windows 10. Windows 10 can be purchased from the Microsoft Store or from leading retailers.

Please note that for Mac users, you may have to purchase a new machine in order to upgrade to a supported operating system.

PEXA recommends reaching out to your IT professional or industry body to assist you with this upgrade.

Helpful links:

Upgrading FAQs

https://support.microsoft.com/en-au/help/12435/windows-10-upgrade-faq

Windows Vista end of support

https://support.microsoft.com/en-au/help/22882/windows-vista-end-of-support

How to upgrade (macOS)

https://www.apple.com/au/macos/how-to-upgrade/

Phishing.. Is it only emails?

IndikaWimalasiri — Wed, 24 Jul 2019 05:25:47 GMT

What is phishing and different variants attached to it?

An email appears to come from a someone you trust, such as your bank, online store, credit card company or a popular website. At first it all appears normal, but it will try to trick you in to giving away sensitive information, installing malware on your device or open an attachment while indicating an urgency.

Phishing is one of the easiest and very successful avenue for hackers to gain access to your organization's information. Security researchers say more than 90% of the data breaches worldwide are started with a phishing email. For us to defend against this malicious attack type we need to be able to identify the threat as there are multiple variants of methods used by hackers.

Key indicators of a phishing email. What to look for?

Article below showcase what you need to look for in an email to make sure it is not part of a phishing campaign. This will help to increase your awareness both in and out of work place.

Thank you.

- Indika Wimalasiri -

Cyber-Criminals, the Modern-Day Con Artists

IndikaWimalasiri — Thu, 27 Jun 2019 02:44:36 GMT

Con artists have been constant figures throughout our society’s evolution. From ‘short-cons’, like the Three-Card Monte to ‘long-cons’, when Victor Lustig sold the Eiffel Tower as scrap metal back in 1925. They use their smarts and charisma to gain the trust of unexpectant victims, all for financial gain.

Over the past 20-30 years, the world has evolved dramatically, with advances in technology taking precedence. This has given rise to the modern-day con artist; hackers or cyber-criminals. Since the emergence of e-mail, it has been one of the most prominent and successful mediums for fraud world-wide, including the conveyancing industry; as an entry way to more elaborate scams. For us, the every-day person, employee or business owner, it is essential that we are aware of the real risks of cyber-crime.

The following scenario is one example of a hacker at large, trying to ‘con’ their way into the conveyancing industry with a duplicate website.

The Hacker

Elliot has been dabbling in cyber-crime for some time. It’s quite a lucrative career – if you know what you’re doing – which he and his team do. He is involved in penetrating computer systems, collecting passwords and then selling them to other cyber-criminals for profit. However, this time, Elliott decided to do something more elaborate than simply selling these credentials.

“One of these usernames and passwords has landed me a gold-mine. I noticed a few ‘PEXA’ e-mails in this person’s inbox. I did my research and figured it could be a big win for the team. The username and password I have doesn’t match his PEXA account, but I have another way in.

The team and I set about duplicating the PEXA login page. In the end it looked almost identical to the original and we placed it on a hosting service based in Belize.

Next step, we sent the link via a duplicate PEXA e-mail and waited for our victim, Barry, to enter his details into the fake website. Once we capture his credentials, we’ll have easy access to his account, and his client’s money!

The Victim

Barry’s firm keeps its staff up-to-date with the latest cyber-security trends. They complete security awareness training to maintain the firm's security posture and the integrity of its service. Barry considers himself to be security-savvy, so he had no worries that morning when he opened his inbox.

“I scrolled through my e-mails and noticed a PEXA workspace notification which I opened straight away. I have a million-dollar settlement today and want it to go smoothly. I clicked on the link in the e-mail and instantly thought twice about my decision – it’s unusual for any company to send you a link to their login page. However, the PEXA login page looks legitimate. Although, before I progress any further, I’d better ensure the web page is secure…

I look up at the address bar to check for a padlock symbol – no joy. Instead there’s a red triangle with a white exclamation mark inside. Next, I check the URL begins with ‘https’. It didn’t - Oh no!

I exit the page immediately and sigh a breath of relief that I hadn’t entered my credentials into the page.

I’d better let PEXA know, other practitioners might not check the website’s security level…”

The Hacker

On the other side of the world, Elliot checks if Barry has fallen for his scam.

“It looks like Barry is more tech-savvy than we expected. He didn’t enter his details into our fake website. But not to worry, we’ve sent it to multiple others in his industry. Someone is bound to fall for it.

Hold on. The website has been removed, Barry must have also informed PEXA. **bleep** it, all that time and money wasted…”

Elliot and his team quickly bounce back from their failed website scam and start planning their next con.

“We didn’t fool them this time, but wait until they see what else we have up our sleeves…”

To learn more about how to identify duplicate websites, please refer to the article " How to identify duplicate or unsafe websites"

How to identify duplicate or unsafe websites

IndikaWimalasiri — Thu, 27 Jun 2019 02:03:01 GMT

It’s important to be aware of how to identify a duplicate or unsafe website. You can easily check the security certificate beside the web address (URL). You’ll see one of the following three symbols.

Tips

If a website does not display the first symbol above (padlock), this confirms that it is not secure and everything you do is susceptible to a cyber-attack. We recommend you close the browser without completing any further actions such as inserting your login credentials etc.
Check if the address begins with "https” (not "http)". This will be another indicator of a website’s security level. If you see "http", this means that there is no encryption in place, and information you provide on that page is at risk of being seen by unauthorized personnel.

If you’d like more information about website safety or other aspects of cyber security, the Australian Government’s Stay Safe Online website provides practical tips to assist everyone in staying secure while online.

Regards,

Indika Wimalasiri

(PEXA Security Team)

Security Advisory - Vulnerability Alert

IndikaWimalasiri — Fri, 21 Jun 2019 05:03:27 GMT

Dear PEXA Community,

This advisory applies to Microsoft Outlook App installed on Android devices.

New vulnerability in the Microsoft Outlook App for Android has been discovered. Attackers could use this vulnerability to gain access to your emails and phone by inviting you to click on a crafted link. Microsoft has released an update to its Outlook app through the Android Google Play Store.

PEXA Security advises its members using Outlook app for emails on Android devices to update the app at your earliest window.

How do I get the update for Outlook for Android?

1. Tap the Google Play icon on your home screen.
2. Swipe in from the left edge of the screen.
3. Tap My apps & games.
4. Tap the Update box next to the Outlook app.

Note - Security always recommends keeping your mobile device OS and Apps up to-date by applying updates as soon as they are available.

PEXA Security Team

Why Me? Peter’s patching pickle

cbrown — Wed, 05 Jun 2019 23:32:09 GMT

Peter: Tuesday

Today is my favorite day of the year, my firm's birthday, marking 12 years since I poured my heart, my soul and my savings into my dream; this company. It’s an incredibly proud and emotional day for me as I have spent my whole career building this business. It’s a small firm, but the key to my success lies in my skill to network and I digitally store a comprehensive list of all my network contacts and clients’ details in a secure computer. Through this, I can tailor my service to each individual client without having to re-ask for information I already know.

My nephew Matt is a good kid, he helps me out with my firm’s IT environment and set up all my networking stuff, including the firewalls which protect web traffic. He will often visit and check my systems whilst he has a coffee and chat, but lately, he has been pretty busy with his studies, so my IT environment has taken a back seat for the meantime.

I vaguely remember my nephew mentioning something about a new Microsoft patch released to fix a vulnerability, but I'm too busy at the moment. Besides, last time I installed a patch my computer restarted, and I don't have the time to go through and save all my working documents; I’ll install it tomorrow.

Little did I know that today is also Elliot's favorite day, Microsoft’s “Patch Tuesday”. The day that Microsoft releases patches for Windows’ users to protect their machines. Elliot is a skilled hacker and is able to analyse the details of the patch and uncover what vulnerabilities it might be trying to solve. This means that on “Exploit Wednesday”, Elliot and his team can deliver codes to exploit systems that haven't installed the patch, and he has just selected me as his victim.

Wednesday

I'm sitting at my desk tending to my daily emails when my mouse cursor starts moving across the screen without me touching it. At first, I think it's my brain playing tricks on me, last night was a big night out celebrating with my colleagues after all, so maybe I’m just tired, but no! There - it moved again!

Confused, I take my mouse and bang it against the desk - but that doesn’t help. I look up and see my cursor opening and closing my client’s files with all their personal information. I frown. I don’t have time for technology to be breaking, especially when I'm so busy. I send a frustrated message to Matt asking him to order me a new mouse.

As I leave the office my receptionist calls out to me, she sounds worried. She tells me that her mouse has been doing strange things lately, even when she disconnects it from her PC. To my dismay, I see her cursor darting around the screen like it did on mine, opening and closing files.

I start to feel concerned - two mouse devices can’t possibly break on the same day! I call Matt again and ask him to come in first thing tomorrow.

As I leave the office Elliot continues his work, he is able to control my screen through his own, a vulnerability that the latest patch would have fixed. Elliot is especially interested in the numerous files I have of client information and is able to seamlessly access and copy them. Elliot loves people who don’t install their patches, it almost makes his job too easy!

Thursday

Matt inspects my computer and I stand behind him, anxiously shifting my weight to each foot. Eventually, he leans back in the chair and closes his eyes, “did you install the Microsoft patch on Tuesday?”.

I stammered, informing him that I hadn't. But surely that wouldn't explain the issue with my mouse? Matt goes on to inform me that both mine and the receptionist’s computer had been remotely accessed and controlled by a third party via remote desktop. And because of this, the hacker was able to access all our sensitive information – including my client’s.

Before I can begin to panic, a notification pops up on my computer, Matt stops mid-sentence and opens the email, but it's an email from me, to me. How could that have happened?

Peter,

I have accessed all your client’s information including photo identification, names, email, addresses and bank information. I have posted them for sale on the dark web. If you transfer 0.72 bitcoin* to XXX XXX XXX I will remove them immediately.

You have until 3pm.

-Elliot

*Approximately $8,803 AUD

I look to Matt, waiting for him to tell me this is a joke, but he sits there quietly staring into the distance. Upon further investigation, we see that each computer has been sending my client information to a strange email account, but there is nothing we can do – it's too late now. And how can I trust that this so-called Elliot will pull the information down from the dark web if I pay him??

I’m filled with despair and guilt, if my client's information is purchased, then criminals could perform identity theft and significantly impact their lives, and I would be the one responsible for it! I’m filled with shame, how am I ever going to sleep knowing this was my fault?

Gosh, Why me?

The next day

The next few weeks are spent cleaning up the mess Elliot made, I have emailed all my clients and informed them that their sensitive information has been obtained and the possible effects of this. In addition, I have reported the incident to the Privacy Commissioner, just to be safe.

Patching

The patch that Peter didn’t install, known as CVE-2019-0708, was fixing a vulnerability in the Remote Desktop Protocol (RDP) service that enabled it to be abused remotely. Because Peter did not install the patch, highly skilled and trained Elliot, was able to remotely use Peter’s desktop, access his files and send information to himself.

Software patches usually fix identified vulnerabilities within your system that could be exploited by hackers. Most operating systems, by default, are configured to automatically apply patches when a system is restarted. If yours does not do this, speak with your IT professional to “enable automatic updates”.

Often, people avoid installing patches because they see it as an inconvenience. Usually, your PC must fully shut down for the patch to be installed. However, in Peter’s instance, he could have saved his clients sensitive information and his business by taking a few minutes to install the patch. Read more information on patching here.

Security Advisory - Vulnerability Alert

jesselane — Thu, 16 May 2019 05:31:33 GMT

Dear PEXA Community,

This notice is for anyone that uses Microsoft Windows 7 or Windows Server 2008.

Microsoft has recently announced a critical vulnerability in its Remote Desktop Protocol for Microsoft Windows 7 and Windows Server 2008. This vulnerability opens up the possibility for unauthorised access to your computer system and data.

As a user, it is important that your Windows software is kept up to date to ensure that your device is secure. To keep your Windows software updated, please refer to this article.

PEXA recommends you reach out to your IT Support team/provider if you require further assistance in addressing this security issue.

PEXA Security Team

Why Me? - Password blunder

cbrown — Wed, 15 May 2019 00:59:51 GMT

Just another day for John

It’s Monday morning and everything is going smoothly. I made breakfast for my kids, dropped them off at school on time and the barista didn’t burn my coffee – a great start to the day. I get to my desk and look through my emails and I notice there are quite a few spam messages in my inbox. One of them says I won a free toaster, and another is an Indian prince claiming to be my uncle, the usual silly scams. I’m pretty savvy when it comes to security and have never had a breach. My firm uses some of the best firewall and virus protection software available. In addition, I even have a strong password that no-one will ever guess, and I use it across all my accounts so that everything is secure.

After a day full of meetings, I return to my desk and decide to check LinkedIn. I like to keep up with industry news, and a lot of my business comes from the connections I make through the website.

Little did I know that somewhere in the world, Elliot, an individual in an organised group of hackers, was searching the Dark Web, where illegal information can be bought and sold. Elliot stumbles across 117 million leaked LinkedIn username and passwords for 2 bitcoin ($16,853). How interesting. His team quickly purchases the data, as 2 bitcoin is nothing considering the monetary opportunities the data could present. Elliot and his team get to work downloading the data and selecting their victims.

Two weeks later

It wasn’t a good morning. The kids were dropped off late, one of my daughters left their lunch at home and the traffic was abysmal. To make things worse, the petrol prices had gone up another 2 cents – great. I get into the office and my mobile starts ringing almost as soon as I sit down. It’s my mother.

“Hi Mum, how are you?”

“Yes, good. I transferred the money you needed for your car repair. Here I was thinking that the days of you asking me for money were over! Also, when did you change banks?”

I frowned. I didn’t recall asking her for any money, and what car repair or new bank account was she talking about?

“I never asked you for money”

“Yes, you did, last night on Facebook!”

I start to wonder if my mother had finally gone crazy. Suddenly, my desk phone starts ringing, it's one of my most loyal clients.

“John, why am I getting emails from you with dodgy links, and you’ve been asking me for money that I don’t owe you, have you been hacked?”

I quickly access my work email and see to my horror that last night over 100 emails were sent to my clients from my email address, some asking for money, others with suspicious links that I was too scared to click. But I never sent these emails! What’s happening?

Next, I login to my LinkedIn account and see that someone has been posting advertisements from my account, some of them extremely inappropriate coming from someone who considers themselves a professional. I quickly scramble to delete them all, but most of them have already received scathing comments.

I don’t understand what is going on. My heart races and I sink down into my seat, I wouldn’t be surprised if this day marks the end of my career.

Why me?

Unbeknownst to me, over the past two weeks Elliot and his team had been working to execute the perfect crime. Known as credential stuffing, the group was able to use my credentials to access different accounts through automation, and because I used the same password for every account, they were able to easily access my social channels, work email and destroy my professional reputation. Having a strong password is great, but using it for everything isn’t.

Two hours later

My IT supplier confirms that majority of my accounts have been compromised and advises me to change all my passwords and employ a password manager, so I don’t have to remember them all. I post a statement on my website announcing that I have been hacked and instruct my clients to not click on or engage with any material that they have received. The next three weeks I spend ringing my clients and family to explain what has happened, but it’s too late. My reputation is ruined.

Strong passwords

As far-fetched as it may seem, what happened to John has happened to ordinary people before. It is vital that individuals protect themselves and their personal information by using strong passwords that are unique to each account. Because John used the same password for everything, Elliot was able to use John’s login information to access all his accounts, impersonate him and obtain information.

Understandably, it’s unrealistic that you will be able to create and remember strong passwords for each account so you may want to consider a password manager. By doing this, you will only need to create and remember a strong password for the password manager and change the password every six months.

When you change your password, you should change the entire combination rather than the number at the end. Hackers know this is a common practice and will try different numbers against the end of your password.

When creating a password, it is recommended that you choose two, easily remembered words that are separated by two symbols and a number, e.g. “Alpaca7!@housE”. To make it easier to remember, you could use the names of objects that are around you.

For more information on strong passwords click here.

Security Advisory - Vulnerability Alert

IndikaWimalasiri — Thu, 28 Mar 2019 03:12:21 GMT

Dear PEXA Community,

This security vulnerability notice only applies to members using an ASUS branded laptop device.

Security researchers have discovered a critical vulnerability with ASUS laptop computers relating to its “Live Update” software component. Live Update is functionality on ASUS laptop computers that keeps your ASUS laptop software up-to-date .

As a user, you are required to update the “Live Update” software component to Version 3.6.8 or higher at your earliest window to ensure your device is secure.

The article linked below, published by the vendor, outlines the steps you are required follow to make your device secure.

To ensure your device is safe please follow the details here.

PEXA recommends you reach out to your IT Support team/provider if you require further assistance in addressing this security issue.

PEXA Security Team

A Hacker’s Tale – A look behind the curtain #3

cbrown — Fri, 08 Mar 2019 04:45:33 GMT

Seasonal Attacks

Imagine it’s 3 weeks till Christmas

You’ve got (e)mail! (✉)

The email says that you are due to receive a parcel delivery from FedEx. You weren’t expecting anything, but then, it’s close to Christmas. It could be something special – who could it be from? Excitedly, you quickly fill in the required details and send the email. You and your team at your conveyancing firm have been receiving an unusually high number of emails lately. It must be that time of the year, when old contacts try to connect, and banks ask you to validate information. A couple of them have clearly been phishing emails – thank goodness they were identified.

Unbeknownst to you, you’ve missed some.

Meanwhile at the other end of these phishing emails, Elliot is slowly gathering information about you and your firm. Through his multiple phishing emails, he’s managed to obtain quite a bit of information about you, your assistant and some of your colleagues. It was relatively easy to follow you from the coffee shop’s free Wi-Fi. As the ‘man in the middle’ (MITM), he’s managed to have continuous conversations with you and your client Grace. Now he’s just waiting for you to take the bait.

Finally, success! Elliot’s managed to install malware[1] into your system through one of the links you clicked on. This spyware will hide in the background and watch what you’re doing online. It records your online activities and data such as your passwords, credit card details and the websites you regularly visit. All this is happening while you remain unaware that your personal data is being compromised.

By the way, did you know that Elliot isn’t really just Elliot. He is an individual in an organised group comprising of six to seven other perpetrators existing for the purpose of theft. Not wanting to put all their eggs in one basket, at any given time, the team may be running multiple online schemes targeting many organisations. They have spent weeks planning this one, fooling different people and collecting information.

In order to perform the theft of the funds from you and your client, Grace, they have also been spending time cultivating people that can execute the transfer of these stolen funds. Abigail King looks positive as a money mule victim.

A couple of days before Christmas

The group has been busy. They’ve managed to set it up – pretending to be Grace they’ve instructed you to transfer the proceeds from the sale of her house to Abigail King. Once the settlement has completed, $250,000 is moved immediately to Abigail’s bank account. Soon after, she will transfer the money, just under $10,000 at a time, to the group’s overseas account; until she gets caught that is.

Back at your conveyancing firm the property transaction was settled several days ago, but you’ve only just realised what’s happened. The funds have gone to the account you’ve told it to go to, but that’s not the right one! You call the bank. They say that they’ll look into it.

Uncertain what to do next, you ring PEXA and inform them that your email account was possibly compromised. PEXA contacts the bank who holds Abigail’s account, ensuring no further funds can be transferred out. However, approximately $30,000 has already been transferred to an overseas account.

The bank works with their counterparts to retrieve the money. They manage to recover close to $20,000 as the remaining $10,000 has already been physically withdrawn. Just under $240,000 is returned to Grace in total, it’s not everything.

After Christmas

It’s been a few days since the incident, and because it was a phishing scam you contacted your PI insurer, they should be able to cover the money that Grace lost through your cyber security policy. As a precaution, you arrange a full review of your firm’s IT security system as well as change your passwords, and suggest that Grace, do the same. You make a mental note that in the future, you will be diligent in verbally confirm bank details, only using private secure Wi-Fi networks and being wary of phishing email scams. It may also be a good idea to install a firewall to protect your systems from malware. The biggest deterrent to a cybercriminal is attempting to break through a robust cyber security system. They will generally go for an easier target because they are financially motivated to get in and out quickly.

Cybercrime in Australia

Email is the common technique used by cyber criminals and according to the Cyber Security Review, led by the Department of the Prime Minister and Cabinet, cybercrime costs the Australian economy approximately AUD 1B per annum.

The Australian Criminal Intelligence Commission (ACIC) states that Australia is an attractive target for serious and organised crime syndicates, and because of the lucrative financial gains, cybercrime is a serious threat. According to some experts, the majority of hackers are affiliated in one way or another to organised groups. They operate like a legitimate business with people who have a range of skills working towards a common goal.

Some organised groups receive direction and support from nation states – who exist with the purpose of stealing data, disrupting operations or destroying infrastructure. The state sponsors a coordinated attack with the intention of acquiring intellectual property or government data, many of these groups are a part of a collective ‘army’.

In this fictional story, Elliot does not belong to a nation state. He is a member of an organised group, that exist for the purpose of theft. It is highly likely that this group do not reside in Australia and like most others, live a lucrative lifestyle off the stolen proceeds. The reality of this story is that it can happen to you, and that being aware, and putting in the right cyber security controls can stop you from becoming another cybercrime statistic.

[1]Malware is malicious software, written with the intent of doing harm to data, devices or people.

Security Advisory - Vulnerability Alert

IndikaWimalasiri — Thu, 07 Mar 2019 05:41:15 GMT

Dear PEXA Community,

High severity vulnerability has been discovered in the Google Chrome Internet browser. Attackers can use this unpatched vulnerability to steal information from your computer.

Google has issued an update to the Chrome Internet browser to address the vulnerability. PEXA Security strongly recommend PEXA members check the version of the Chrome browser used and make sure it is up to date.

Please follow the steps and figure shown below.

Open Chrome browser -> Click on settings -> Help -> Click on “About Google Chrome”
Check your version number to make sure it’s 72.0.3626.121 or later.

PEXA Security Team

Ransomware: The profitable business of the cybercrime industry

cbrown — Fri, 02 Aug 2019 06:45:08 GMT

Recently, it was reported that a Victorian hospital fell victim to a cybercrime syndicate that held 15,000 medical files to ransom. This attack, a probable result of a phishing scam, inadvertently opened by a staff member, resulted in criminals hacking into the hospital’s server to plant ransomware that scrambled and encrypted data, locking access to files from medical staff.

Ransomware can happen in different forms. For hospitals, holding their data at ransom not only creates reputational damage but could have a serious impact on their patients. Another method of ransomware is to attack a company's IT infrastructure by disabling employee access to laptops or servers. The company is then held to ransom and the payment method is typically demanded in bitcoin or other forms of cryptocurrency. The use of cryptocurrency is prevalent in the cyber fraud community because of its ability to be transferred anonymously.

In 2017, two companies had their Amazon Web Services accounts compromised by hackers using the victims’ bandwidth and computing power to mine bitcoins, an energy intensive, but potentially lucrative exercise.[1]

Data ransom and bitcoin mining may seem simple and straightforward when compared to more sophisticated hacks such as one which occurred in 2017. The attack, called WannaCry, infected up to 200,000 computers, locking up users’ data in 150 countries, and demanded a ransom to release them. WannaCry was so damaging because the cyber criminals managed to exploit the vulnerabilities of older of Windows software when newer, more secure versions were available.

In Australia, conservative estimates show that cybercrime costs the economy in excess of AUD 1B each year. More than 500,000 small Australian businesses fell victim to cybercrime in 2017 and it is estimated that the majority paid an average of AUD 4,677 in ransom to unencrypt their data. Often small business fall victim as in some cases, maintaining the latest version of IT software is not their highest priority.

Source: Smart Company, From millions to malware: Cyber attacks in Australia by the numbers, July 2018

The cybercrime landscape is ever evolving, and it is therefore imperative for our industry to continually develop and advance a robust security framework. As an industry, we must uphold the highest standards when it comes to cyber security and maintaining the latest in secure software versions. This is non-negotiable when dealing with someone’s most important and emotionally significant investment – their home.

At PEXA, we are determined to ensure that the cyber security practices we have in place continue to protect our members and their customers. Our IT systems are annually audited by external professionals and we continually explore new ways to bolster the security posture of our network. This is achieved by investing, maintaining and constantly improving security controls as well as running a Security Operations Centre to monitor, detect, and respond to cyber-attacks.

What your firm can do

To ensure your practice is protected from similar events, it is important to be aware of how these criminals operate. Hackers like this look for the weakness in a security framework and will exploit vulnerabilities in older versions of software, as they did in the WannaCry ransomware attack. As a preventative measure, we recommend staying up to date with patching.

Patching reduces the risk of hackers exploiting vulnerabilities that have already been remediated by software companies. It updates, fixes, or improves the program or data and mends security vulnerabilities and other bugs.

Firewalls are another layer of protection that can act as a barrier between your computer and the Internet helping safeguard your computer and information. By having a firewall, you reduce the risk of an attacker compromising your computer. There are a number of anti-virus providers that you could employ that meet the requirements in PEXA’s Subscriber Security Policy e.g. Symantec, McAfee, TrendMicro, etc. The Policy also provides guidance on all the security controls that PEXA Subscribers should be leveraging to maximise their security posture.

You’ll notice that in the Victorian Hospital’s ransomware attack, an unwitting staff member fell victim to a phishing e-mail. Training your staff to recognise potential cyber-fraud is the first step to preventing this from happening to you.

Additionally, your business must plan early for this eventuality, however unlikely. Making this decision will assist you in avoiding ‘heat of the moment’ reactions that could have detrimental effects on your business.

Taking the necessary steps to ensure your data is backed-up will alleviate the need to and risks involved in paying a ransom. There are two main options for backing-up your organisation’s data:

perform your own back-ups to a storage device (USB or external hard drive); or
back up to an online (cloud) service.

Business’ that decide to pay a ransom need to be aware of the risks, including the likelihood that even if the ransom is paid, they may not receive their information back and leave themselves open to further attacks. We recommend you speak with your legal advisor beforehand to ensure you are making the correct decision for your firm.

There is a lot of information available to help your firm plan for this scenario. Visit staysmartonline.gov.au for more information on ransomware and PEXA’s online Community forum to learn about measures PEXA takes to bolster security.

[1] Bitcoin miners pool together different computers to solve complex algorithms, success of which generates a set number of valuable new bitcoins.

Security alert | phishing e-mail - RESOLVED

Aoife — Fri, 15 Feb 2019 04:00:30 GMT

Hi Community,

PEXA is aware of a phishing e-mail received by various members of your network.

Details of phishing e-mail

From: Pexa Admin

E-mail: dfsffgsgg@telus.net

Subject: Monro-Sale: New conversation message received - Financial Settlement - Payout figure

The e-mail implies that the reader has received a message from ANZ RETAIL AND SMALL BUSINESS. It includes a Workspace number and requests the recipient to click on a link to read a message.

This is an example of a cyber-criminal creating an e-mail to resemble PEXA communications. It is likely member e-mail addresses were sourced from publicly available information online.

See below for a screenshot of the e-mail.

What to do

If you received this e-mail, clicked on the link and entered your PEXA username and password, we advise you to reset your PEXA password now. Please note, multi-factor authentication on entering your PEXA account protects you against unauthorised persons accessing your account.

If not the above, and you receive a similar phishing e-mail or another you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the e-mail
Report it to your relevant security administrator or e-mail PEXA’s security team at security@pexa.com.au

Please note, all PEXA Workspace e-mails are system-generated from PEXA and will be received from pexa.admin@pexa.com.au.

PEXA will never send you an e-mail advising you to click a link to access the PEXA Exchange, and will always direct you to login to access your account via pexa.com.au.

Learn more about phishing e-mails here.

Kind regards

Aoife

Security alert | Phishing e-mail - RESOLVED

Aoife — Wed, 19 Dec 2018 05:30:22 GMT

Hi Community,

PEXA is aware of an instance where a member’s e-mail account has been hacked. The hacker proceeded to send e-mails from the conveyancer’s account to other PEXA members.

Details

The e-mail sent by the hacker informed the recipient of a shared document from PEXA.

Screenshot of e-mail

screenshot of phishing e-mail

What to do

If you receive a similar phishing e-mail or another you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the email
Report it to your relevant security administrator or e-mail PEXA’s security team at security@pexa.com.au

Please note, all PEXA workspace e-mails are system-generated from PEXA. To receive a task related e-mail from a fellow PEXA member is unusual and unnecessary.

For outstanding tasks, please check your workspace(s) via your PEXA account.

Learn more about phishing e-mails here.

Kind regards

Aoife

A Hacker's Tale - A look behind the curtain #2

cbrown — Thu, 24 Jan 2019 22:04:58 GMT

It’s more than just an Internet romance...

The lover’s tale

Abigail thinks she’s in love. It must be love. She’s been looking for love for a while and Elliot seems like the perfect guy. Many of her friends have warned her about internet romances but Elliot’s different. He has never asked her for money. Never asked her for anything. She thinks he might be quite wealthy in fact. He is always moving money around. He’s been struggling lately though. So, she’s been helping him transfer money to his accounts. For some reason, he’s having issues sending money to his overseas account. Abigail doesn’t really know the reasons why, nor does she question it. It all seems too complicated, and as long as it’s not her money she’s transferring over, it must be okay… besides he’s committed to the relationship. He said they will be together soon.

Over the past couple of weeks Abigail’s been transferring money for Elliot’s family and friends. They are all preparing for a big holiday and need the money ready to meet them. It’s not much – a couple of hundred here and there. Now he’s asked for her help to transfer funds from the sale of his property in Australia.

Just a few days ago, Abigail received $250,000 to her account. She’s not meant to transfer everything over to him though. Elliot told her that while he was excited to have sold his house, he needs to move the money in parts to avoid government taxes. He’s asked her to transfer just under $10,000 at a time, over several days, because that way it doesn’t trigger any alerts. Abigail doesn’t completely understand the reasoning, but Elliot is good to her. He said they will meet face-to-face now that he has sold his house, and she is excited to finally put a face to her love.

For the third day in a row she has made the transfer. Something strange has happened though, all her accounts have now been frozen, and her bank keeps leaving messages to call them back.

The practitioner’s tale

Meanwhile your client, Grace, is frantic. She hasn’t received her house’s sale proceeds yet. It’s been a couple of days; how has this happened? You arranged the transfer of the money according to her instructions which you received just before finalising the payment. You look back at the details and see the account name Abigail King and a different BSB – not your client’s.

Wait. What’s happening?

Going back through the email trail you realise that there’s something funny about the email address. The instruction did not come from Grace. Blood drains from your face… you call the bank immediately to try and stop the funds from disappearing. Hopefully it’s not too late.

The Hacker’s tale

Meanwhile, Elliot is busy moving money around several of his accounts across the world and connecting with different people online. While he’s looking for a way to gain access to steal the funds, he has also been cultivating internet romances with men and women to transfer the funds outside of Australia. He loves living in the internet era where crimes can be performed anonymously, and no-one ever has to see his face. On the internet you can pretend to be whoever you want, and a lot of people believe you.

Money Mules

Unfortunately, the above scenario is all too common. Cyber criminals often use middlemen to transfer stolen money to their accounts. These middlemen are real people, with real accounts and they don’t have unusual bank account activity. Known as money mules, they are sometimes recruited or deceived into helping cyber criminals carry out these crimes. Offenders like our fictitious character Elliot.

These criminals have been known to recruit money mules via romance scams or employment scams. In a romance scam, the ‘money mule’ is emotionally invested and could also be considered a victim. Employment scams often offer potential money mules a job that requires minimal effort with lucrative returns – for instance, a small commission for receiving and transferring money.

According to the Australian Federal Police, it is a crime to transact in the movement of stolen funds, even if you are unaware that you are acting as a money mule. Money mules are caught because they are not trying to hide their activities, and when caught, they can have their entire bank accounts, including their own funds, suspended and potentially face criminal prosecution.

How can I protect myself?

Be wary of advertisements for a guaranteed income or job with lucrative returns and very little effort
Don’t transfer money on behalf of someone else, especially when you have never met them
Never give your bank details to anyone
Protect your personal information and be suspicious if anyone asks you for those details
Be cautious of people seeking financial assistance or asking you for financial details – money sent via wire transfer is rarely recoverable
As a business operator, when receiving instructions to transfer money, confirm that the instructions you’ve received have come from your client - verbally confirm details or changes with your client
Be cautious of situations where the name on the account differs from that of your customer

I think I am a victim, what can I do?

Anyone who has disclosed their bank account details, received funds into their account or suspect that they are a victim of a mule scam should contact their bank or financial institution immediately.

For more information on this and more, please refer to Scam Watch

A Hacker's tale - A look behind the curtain #1

cbrown — Thu, 20 Dec 2018 05:14:13 GMT

Shhh! Someone's listening...

An uninvited guest, Elliot, has inserted himself into your conversation. You are sitting at a coffee shop having a chat with your client Grace, and unbeknownst to you, Elliot, at the next table is virtually listening to your entire conversation. This unwanted guest eavesdrops the conversation with your client and gathers all their critical information. When you leave the table, he continues the conversation with your client pretending to be you.

I know what you’re thinking - this would not be possible face-to-face. Your client, Grace, knows what you look like, what you sound like. But what if I told you that this is not improbable at all… this is happening online today.

This seemingly far-fetched scenario is a very real cyber-attack method, aptly called man-in-the-middle (MITM). The hacker, in this instance, Elliot, effectively intercepts your conversation, places himself in the middle and conveys the information he wants to pass on to both sides.

How could this happen?

Hackers like Elliot use various methods to gain access to your computer systems. Elliot may have used a phishing scam, or capitalised on poorly secured Wi-Fi routers, often found in public areas with free hotspots. His goal is to obtain your password and access your email account. The current statistics show an increase of 80% in hacks performed through an email compromise.

Changing your password may not be enough

Once Elliot has got into your system, he can create a rule that automatically forwards your emails to a secondary account. This means that any email you receive is also sent to his email account. Using further filtering with key words, he only needs to monitor what he deems as relevant emails. So, even if you regularly change your email password, in this scenario, the hacker still has access to your emails.

How does it work?

With access to your emails, Elliot then uses the information he has obtained, and, mimicking your email style, he can begin a new conversation as you, with your client, Grace. With valuable context acquired, the hacker then impersonates Grace, responding to your emails.

Once he has obtained the information required, he then exits the conversation. You and your client, Grace, are none the wiser, until that is, you realise you are a victim of a scam. By then, money has exchanged hands and you may or may not be able to recover missing funds.

What can you do to protect against a MITM attack?

Be aware of potential phishing emails. They could appear to be from a trusted source, masked as from your family, friends or even your bank. Instead of clicking on the link, type the website address into your browser.
Moving your mouse over the link will show the website name. If the name doesn’t look like the site, don’t click on it.
Use secure Wi-Fi networks, or if using public networks, connect with a virtual private network (VPN)
Ensure you have a comprehensive internet security solution. An interesting article on this topic can be found here.

I think I am a victim, what can I do?

If you suspect that you’re a victim of a scam:

Change your passwords to be unique on all of your systems.
Check if there are any forwarding rules in your email account, and if found:
1. Record the email address being forwarded to
2. Confirm no-one in your organisation created this rule
3. Have your team check their email accounts for forwarding emails and reset their passwords too
4. Inform your clients by telephone and verbally reconfirm all details, especially bank account details
5. Delete the rule
6. If this has impacted your PEXA business, inform PEXA Security alias – security@pexa.com.au. PEXA is working with Law Enforcement to identify these types of behaviours and any information you provide could help in the tracking and potential capture of those involved in cyber-crime.

At PEXA…

Multi-factor authentication (MFA) provides an additional level of security to access your PEXA Workspace. The levels include your PEXA account name, password, your MFA token, and your digital signing token and pin. However, you still need to be vigilant when it comes to communicating with your client. Soon, PEXA will introduce a new app that will allow your clients to input financial data directly into the Workspace and enable you to request and receive information from your clients securely. [Stay tuned]

As our world becomes more and more connected online, it’s important to be aware of the cyber threats that could compromise the security of your personal information and business operations. Cyber criminals have a low cost of entry into criminal activities and they often have the anonymity to avoid detection. With many targets they will usually go for the easiest person to scam so stay informed and be aware. Collectively, we are better together, as we work as one to reduce the threat of cyber-crime and stay smart online.

By Craig Brown, Head of PEXA Security

PEXA Security Initiatives

cbrown — Thu, 28 Feb 2019 03:17:01 GMT

Hi Community,

The team at PEXA continues to explore techniques and technologies to align with the ever-changing security landscape. Below is an update on current security initiatives happening on the PEXA platform including our insights into a topical security concern – phone porting.

Multi-Factor Authentication

In September, multi-factor authentication (MFA) was rolled out to PEXA members. MFA requires the user to provide two or more types of evidence to verify their identity when logging in to an account or completing a transaction. This includes a password and unique authentication code which regularly changes. Members choose to receive an authentication code by SMS, the PingID mobile app, or the PingID desktop app.

MFA was added as another layer of authentication on top of digitally signing. Members with the relevant authority must digitally sign-off transactions with their unique [bespoke] digital signing token and PIN, confirming that all details are correct prior to the transfer of funds.

More than verification

Additionally, we initiated the following measures to boost the protection of members while transacting online:

Increased monitoring of unusual activity surrounding password resets, new user creations and changes to BSB and account numbers. If such activity is detected by PEXA, a member of PEXA’s team will contact members to confirm that the activity is legitimate.
Machine learning algorithms to detect behavioural anomalies on a per user basis. If the behavioural pattern of a user changes, PEXA’s risk profiling mechanism is activated to trigger an alert. The member will then be promptly contacted by PEXA’s Security team.
Workspace time stamps and summary screen so that members can see when the Financial Settlement Schedule was last updated and by which user.

Phone porting

A current concern from industry is the possibility of phone porting – a situation where a scammer uses your personal details to port your mobile number from one provider to another, therefore accessing further personal details.

With a suite of security measures in place to protect PEXA members and your clients, and lawyers and conveyancers continuing to practice their due diligence, the small percentage of members who have chosen to receive their authentication code via SMS should not be alarmed.

It is important to note that for phone porting to occur, the scammer would require several pieces of a user’s ID, as well as the ability to convince a service provider to transfer the SIM details from one telco to another. Therefore, not only would the scammer need to know the targeted user’s personal information, they would also need to know if that user has chosen SMS as the preferred method.

To assist in preventing this from happening, I advise members to remain vigilant of people calling, emailing and requesting personal details.

If you have any questions about this information, please don’t hesitate to reply below.

Regards,

Craig Brown
Head of PEXA Security

Stay Smart Online Week

IndikaWimalasiri — Mon, 08 Oct 2018 02:55:39 GMT

This week is #StaySmartOnline Week.
The campaign aims to reverse the threat of cyber-crime by empowering people to discuss and own their cyber-security.
Over the next few days we’ll be sharing a number of best-practice resources to assist you, here on Community and on PEXA's social channels.

Security alert | Phishing e-mail

Aoife — Tue, 11 Sep 2018 01:11:34 GMT

Hi Community,

PEXA is aware of a phishing e-mail received by a member of your network.

Details of phishing e-mail

From: Jessica Wong

E-mail: cains8x@nsas.avinetmail.net

The e-mail implies to have a contract of sale attached and requests to settle via PEXA. See below for a screenshot of the e-mail.

What to do

If you receive a similar phishing e-mail or another you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the email
Report it to your relevant security administrator or e-mail PEXA’s security team at security@pexa.com.au

Learn more about phishing e-mails here.

Kind regards

Aoife

Phishing e-mail

Security Reminder - Confirming client bank details

JoW — Fri, 18 May 2018 00:47:23 GMT

PEXA is aware of phishing attempts outside the PEXA platform where unknown parties are intercepting emails between practitioners and their clients and fraudulently changing customer bank details which may result in the unwitting misdirection of funds.

While not specific to e-Conveyancing, PEXA urges all practitioners to take steps to reduce the risk of fraud. This includes verbally confirming bank account details with your clients before entering them into the settlement schedule (if completing the transaction electronically).

It may not be sufficient to simply confirm with the client that they have sent you an email with their bank account details. It would be appropriate to read the bank account details out to your client, confirming that the information you have received is the same as what the client intended to send.

The Law Institute of Victoria offers a practical guide covering cyber security which we would encourage you to read. In addition, The Queensland Law Society has also published a warning in relation to email scams.

If you have any questions or concerns regarding an existing transaction, or guidance on how to stay safe online, please contact the PEXA Support Centre on 1300 084 515 or visit the security page on our website.

Kind regards,

Member security alert | phone scam

Aoife — Tue, 14 Aug 2018 01:44:56 GMT

Hi Community,

PEXA is aware of a current phone scam purporting to come from PEXA.

So far, two cases have been identified.

Details

Phone call one: Scammers contacted an AIC member telling them that they have been randomly selected by PEXA to trial PEXA 5.6.

Phone call two: Scammers contacted an AIC member referring to an email sent two months ago from PEXA regarding security enhancements and asking for email addresses.

Please note, a PEXA employee will never call you and ask for your e-mail address.

What to do

If you receive a call similar to the above or that you believe to be suspicious, please:

Ask for the caller’s full name
Ask for the caller’s e-mail address
Record the caller’s preferred phone number

Then, contact your Account Manager, PEXA Direct Specialist or PEXA’s security team at security@pexa.com.au to alert them.

It’s important that we continue to work together to defend against scammers, phishing attempts and/or cyber-fraud. Please reach out if you encounter any suspicious behaviour.

Kind regards

Aoife