About DavidWillett

Hi Community,   The Sydney Morning Herald published an article today, Monday 6 September, titled “Sydney couple buying property scammed out of almost $1 million”. Within, it is explained that a couple was in the final stages of settlement and just needed to transfer approximately $1 million to finalise the sale. A day before they transferred the funds, the couple allegedly received what appeared to be a legitimate email from their lawyer asking them to pay the funds into a different account.   Unfortunately, scammers were allegedly impersonating their lawyer. This type of scam is known as a business email compromise (BEC) scam. This follows the posting of an alert about the current prevalence of BECs by the Australian Cyber Security Centre (ACSC) – with lawyers and conveyancers, as well as homebuyers and sellers, being targeted by cyber-criminals.   Best practice To protect your business and your clients against BEC scams, we strongly recommend the use of PEXA Key – as a secure method for practitioners and homebuyers or sellers to share financial account details, mitigating the risks associated with email. PEXA Key uses encryption to safeguard the communication of account details. This ensures that confidential information, like bank and trust account details, cannot be intercepted by cyber criminals, keeping transactions safe from this type of fraud. Additionally, the PEXA Key Secure Communication Guarantee provides protection to buyers and sellers if the communication of bank account details between the buyer/seller and their practitioner’s PEXA Workspace is corrupted within PEXA or intercepted due to fraud – up to $2 million.   A reminder about emails The use of email is strongly discouraged for exchanging bank account details – this is NOT a safe channel for the communication of sensitive information. As always, if you have any questions, please reach out to us at security@pexa.com.au and we'll gladly assist you.  ... View more

Hi Community,   The Australian Cyber Security Centre has published this very helpful alert about the discovery of a critical vulnerability in Microsoft Windows.   While there is no active exploitation of this vulnerability, we can all maintain our cyber hygiene by keeping operating systems up to date and applying appropriate security patches when prompted.   As always - patch early and patch often!             https://www.cyber.gov.au/acsc/view-all-content/alerts/critical-vulnerability-discovered-httpsys-microsoft-windows ... View more

“I use a Mac because it can’t be hacked or get viruses.”   I hear this time and time again. It’s untrue – and always has been.   In fact, Apple’s astronomic rise in popularity means that cyber attackers are actively looking for ways to compromise its operating systems. A large proportion of Apple’s range of laptops, phones, watches and TVs require a software update to fix the major security flaws addressed in this article.   We can all do our part to minimise cyber-attacks, regularly keeping your software up to date is a great way to start. Stay informed.   Check out this link from last weeks IT News for information on a whole range of new vulnerabilities in Apple Products!    https://www.itnews.com.au/news/mac-users-urged-to-update-os-to-fix-massively-bad-bug-563820 ... View more

Five password tips and tricks to improve your cyber hygiene We like to practice good cyber hygiene every day, and today is no exception - it's World Password Day! To celebrate, I’ve put together my top five password tips to make sure you're on your way to being cyber secure. 1. Use a long password Longer passwords are often more complex and therefore, harder to crack. At a basic level, cyber-attacks can be carried out by guessing passwords through trial and error of a combination of letters. While more complex attacks exist, a simple way to start practicing good cyber hygiene is to ensure your passwords are long. 2. Include numbers, symbols and a combination of uppercase and lowercase letters Make your password unique. The more you randomise your password into something that only you could know, the better equipped your password is to withstand a cyber-attack. Each number, symbol, and variation of uppercase and lowercase letters acts as a line of defence between a cybercriminal and your personal information. 3. Don’t use predictable personal information We project our lives onto the internet. Social media profiles, working history and involvement in recreational organisations often reveal basic personal information about ourselves. Including pet names or sporting teams you support in your passwords are often easily identifiable from your online activity. 4. Don’t reuse your passwords I get it. We need passwords for everything and it gets tedious and difficult to keep track of all the different passwords you need for day to day life. However, once one password is compromised – reusing passwords can set off a domino effect, compromising nearly all of your accounts. Mixing it up with unpredictable, variable passwords can set up multiple lines of defence to mitigate any damage caused by a cyber-attack. 5. Use a password manager Password managers are a great way to keep track of all your different passwords. Using features such as Apple’s KeyChain or those available on your device’s app store, password managers store your passwords in a secure, encrypted location. Give your passwords the individual treatment they deserve and know that they are recorded and stored securely. ... View more

Hello,   The PEXA Security Team have recently detected a number of fake PEXA domains being used online. In basic terms, a domain is the “address” used to locate a website online. For example, PEXA’s website domain is pexa.com.au.   The fraudulent domains are currently being removed; however we encourage members to remain vigilant at this time, as these may be used by cyber-criminals to coordinate phishing campaigns.   Please ensure you only log in via the verified PEXA Exchange URL – workspaces.pexa.com.au. As always, you can verify legitimate websites by checking for the "padlock" next to the address bar. A reminder that after entering your username and password, you will be required to complete MFA via the PingID app or SMS.   Additionally, please note that PEXA will never:   Call you from unverified phone numbers. Ask for your multi-factor authentication code. Request files or information from you via a third-party service. Email you from unofficial addresses (emails that don’t end in @pexa.com.au). Send you an email advising you to click a link to log in to the platform.   If you believe you have clicked on a malicious link or downloaded a suspicious attachment, please reach out to us at security@pexa.com.au and we'll be happy to assist you.   David Willett Chief Information Security Officer - PEXA ... View more

In today’s digital climate, cyber-security has rapidly become a key priority within the property sector. We all need to take steps to protect our accounts, devices, data and network from threats – ensuring your business and clients’ information remains safe.   New MOR and MPR ARNECC’s Model Operating Requirement (MOR) regulate Electronic Lodgement Networks (ELNs), such as PEXA, while the Model Participation Rules (MPR) regulate its Subscribers (our members).   You’ll notice that changes to both came into effect on Monday 12 April 2021. These changes include newly introduced obligations related to cyber-security.   And to assist you with navigating these updates, I’ve gathered a range of content produced by our expert security team, covering vital topics to support you and your firm.   Under the MOR, PEXA has an obligation to make resources available to members – and we hope these materials assist you.   Maintaining strong passwords: https://community.pexa.com.au/t5/Help-Centre/Strong-Passwords/ba-p/14658 Using only supported software to access PEXA: https://community.pexa.com.au/t5/Security-Updates/Are-you-using-unsupported-software/td-p/17293 Ensuring you have adequate virus and firewall protection: https://community.pexa.com.au/t5/Help-Centre/Virus-Protection/ba-p/14662 How to safely exchange bank account details with your clients (refraining from using email): https://community.pexa.com.au/t5/Security-Updates/Can-you-spot-the-scam-phishing-email/m-p/17906 and https://community.pexa.com.au/t5/Security-Updates/Phishing-Is-it-only-emails/m-p/17018 Being aware of the risks of email phishing: https://community.pexa.com.au/t5/Security-Updates/Phishing-Is-it-only-emails/m-p/17018 Implementing multi-factor authentication: https://community.pexa.com.au/t5/Help-Centre/Multi-factor-authentication-FAQs/ba-p/10693 Supporting your ongoing security endeavours is important to us – our team has been producing help-guides and content for many years now and we’re pleased to see ARNECC recognise the role we can play in educating subscribers.   We recommend you review the MPR and seek additional resources if required.   As ever, your PEXA representative or our friendly Security team are here to help. Feel free to reach out.   Don’t forget, you can subscribe to updates from our PEXA security page by clicking the “options” button. I also encourage you to ask questions and raise any concerns you may have.   DAVID WILLETT Chief Information Security Officer - PEXA  ... View more

Hi Community,   In recent days, you may have seen spam messages posted on our Community forum. These have since been removed and the user accounts subsequently banned.   Additionally, we have been advised that some members have received private messages containing spam content. An example that has been reported is a member receiving a message with an offer to make money via cryptocurrency.   As always, if you receive a communication you believe to be suspicious, please:   Do not respond Do not click links or download attachments Delete the message/email Report it to your relevant security administrator or email PEXA’s security team at security@pexa.com.au. If you have any questions, please reach out to us.   David Willett PEXA General Manager for Information Security  ... View more

Hi Community,   Thank you to everyone who attended our security webinar on Wednesday. For those who couldn’t attend or would like to re-watch the webinar, you can view the recording below. We received a lot of fantastic questions on the day, and unfortunately couldn’t answer all of them before the end of the webinar. Instead, we’ve posted the questions and answers below - underneath the webinar recording.   Attached, you’ll also find some additional resources provided by our fantastic panellist, Laura Hartley, Head of Public/Private Partnerships, Enterprise Security, NAB: Top tips for business customers; and NAB security toolkit. Ryan Janosevic, COO & Co-founder of RetrospectLabs, has also shared this interesting read about password complexity after some great questions from attendees about password protection.   If you have any further questions, please don’t hesitate to ask PEXA’s security team here or contact us at security@pexa.com.au. And don’t forget the five things PEXA will never do, regarding you and your security: PEXA will never: Call you from unverified phone numbers Ask for your MFA code Request files or information from you via a third-party service Email you from unofficial addresses Send you an email advising you to click a link to log in to the platform   Do you have a security question? Ask the experts   Q&A How safe are pin passwords? PINs (Personal Identification Numbers) usually consist of a series of randomly generated numbers, via an app or sent via SMS. They are very secure and commonly used as a second factor of authentication.   Is Google password saver secure? We always recommend using a reputable password manager when selecting a service. Remember to read the terms and conditions to make sure it meets your requirements before making your decision.   Is PEXA looking at extending its residential settlement guarantee (PRSG) to cover the same risk that is associated with commercial property transactions as well? The PRSG does not apply where the seller is a commercial vendor, such as a developer. The reason for this is that a commercial vendor would not be made homeless as a result of a fraud which the PRSG is intended to cover. For more information, visit our PRSG FAQs.   When we send a form to a client to complete via email, the client completes and sends it back, can we trust that information? Email phishing or business email compromise (BEC) is one of the most common ways for cybercriminals to procure sensitive information. Where possible, don’t use email and avoid this channel for the exchange of sensitive material. Instead, use apps like PEXA Key that is purposely built to protect the communication of bank and trust account information. If you have no other option than to communicate information via email, always validate the details verbally before taking any action.   When you get "oops try again" when trying to log into PEXA, is it okay to press try again? Yes, it is.  Always check the URL after you refresh and make sure a green padlock sign is in place before inserting confidential information.   Can password managers be hacked and in that case are all passwords at risk? Password managers are a great way of keeping all of your passwords safe. Make sure to use a reputable service which has robust security measures built into the application and read the terms and conditions before proceeding. There are no reports of data breaches attributed to well-known password managers in market. In Cybersecurity we often say that there are no 100% risk free applications. There is always a portion of unknown. The important thing is to make sure these risks are minimised by following the instructions.   PEXA checklists require us to confirm a DocuSign ID and unique number. What are some concerns PEXA has regarding electronic signing such as DocuSign? Digital signing should be approached with the same protective measures and rigour as physically applying your wet signature on paper documents. As with any method of signing, to mitigate risk, make sure to:      Verify the request, any information exchanged, the involved parties and documentation being signed; and Ensure the appropriate, authorised person signs.   Can you please advise why I keep getting asked if I want to update my password when I enter a payment in PEXA?   This prompt occurs if you have selected to save your password on the web browser. We do not recommend saving passwords to browsers. Instead, remember your password or use a password manager, and only save your user ID if required.   Are apps safer than websites? For both, it’s important to always validate the source. For a website, always type the address instead of clicking on links from emails and other websites. For apps, make sure to download them from the Google Play Store or Apple App Store. Check the ratings and the developer information before you download.   What is the best "internet cyber security" firm?    Cybersecurity needs are different from one firm to another. These needs and requirements must be assessed before selecting a provider.  The Australian Cyber Security Centre (ACSC) website has great recommendations for individuals and businesses to gain more information. https://www.cyber.gov.au/acsc/small-and-medium-businesses https://www.cyber.gov.au/acsc/individuals-and-families   What is the best anti-virus software on the market? The PEXA Subscriber Security Policy, section 4.2.3, refers to some leading providers of anti-virus software.   Does PEXA have a firewall integrated within its software to prevent cyber fraudsters gaining access? PEXA is protected with multiple layers of security. We maintain the highest standard of security measures to safeguard our members and their clients’ property transactions. Our security portfolio is aligned with international standards and we continue to operate by complying with the requirements set by the e-Conveyancing regulator, Australian Registrars National Electronic Conveyancing Council (ARNECC). Today, more than six million transactions, with a total value of more than $1 trillion, have safely been processed by PEXA.   When will Secure-messages and E-signable documents be able to be sent via PEXA-secure portal maybe even build into PEXA Key app? We are always working with our members and industry to evolve our services. All enhancements will be communicated with our members before they are launched, and we’ll continue to keep you up-to-date with our security developments.   What is your strategy for a zero-day vulnerability? A zero-day vulnerability refers to a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix it yet. PEXA works with the best cyber security organisations in the industry to mitigate this sort of a risk by taking proactive and advanced measurements.   Does PEXA retain the information given by clients on PEXA KEY? Yes, personal information is collected when clients use PEXA Key. PEXA will not disclose your client’s personal information to any third party without their express consent. To read the Terms and Conditions in full, click here.   Can PEXA help small businesses to look at their computer system to see if they are fully equipped, at a small fee? This type of service is currently not available through PEXA. However, the ACSC has some great resources to assist small-to-medium sized businesses.   Will you use blockchain technology for its immutable nature and security? What would be some of the disadvantages? Blockchain is transformational, but not always the only solution. In Australia, we benefit from mature technology systems, with property transactions clearly supported by sound regulation. Therefore, blockchain may not necessarily create additional value.   How soon will you let your customers know if a security breach occurred? PEXA will promptly notify subscribers upon being made aware of any security breach that PEXA considers material to the security and integrity of the PEXA system or relates to unauthorised disclosure, use, access or loss of PEXA System Data. ... View more

Hi Community,   At PEXA, safeguarding Australia’s property transactions is our highest priority. With cybercrime costing Australian businesses $29 billion each year and email phishing attempts increasing exponentially since the onset of COVID-19, we are dedicated to supporting our members however we can to combat this threat.   Join our security webinar On 7 October 2020 at 12pm AEDT, as part of PEXA’s Security Awareness Week, I’ll be hosting a security webinar with Security Advisory and Awareness Manager at NAB, Laura Hartley and COO and Co-founder, Retrospect Labs, Ryan Janosevic.   Together, we will share our insights into the cyber-security landscape, tips on how to protect your business and finally, answer your questions. Click here to RSVP. Our socials will also be live with daily security tips and, for everyone who can’t wait, our new resource ‘Five things PEXA won’t do” is now live.   See you at the webinar!   David Willett PEXA, GM IT Security ... View more

Hi Community,   I’d like to advise members of an email phishing scam targeting PEXA Exchange users. In this instance, an email was sent to a practitioner, purporting to be from PEXA via WeTransfer, asking the recipient to open/download files.   Malicious emails being sent via WeTransfer is an ongoing cyber-threat affecting Australian organisations. Please note PEXA does not use WeTransfer for any email correspondence or service.   What to do   If you receive an email appearing to be sent from PEXA via WeTransfer, do not click any links and delete immediately.   As always, if you receive a similar phishing email or another communication you believe to be suspicious, please:   Do not respond Do not click links or download attachments Delete the e-mail Report it to your relevant security administrator or e-mail PEXA’s security team at security@pexa.com.au.   PEXA will never send you an email advising you to click a link to access the PEXA Exchange, and will always direct you to login to access your account via pexa.com.au.   Learn more about phishing e-mails here.   Kind Regards,   David Willett General Manager, IT Security ... View more

Hi Community,   As you may be aware, this morning several high-profile Twitter accounts were targeted by cyber-criminals. You can read about this here.   While this incident has no impact on PEXA or the broader network, it’s a timely reminder to be cyber-aware when working or browsing online – particularly on social media.   As always, only seek information from known, trusted sources and remember that PEXA will never send you links requesting your sensitive login or financial details. If you have any questions or would like to flag suspicious material, please get in touch with our friendly team at  security@pexa.com.au . Kind regards, David Willett General Manager, IT Security ... View more

Hello Community   With many businesses asking their teams to work remotely, security experts are warning of spikes in cyber-crime attempts. The global COVID-19 pandemic has sparked a surge of phishing attempts on unsuspecting individuals. One such attack used the logo of the CDC Health Alert Network claiming to provide a list of local active infections, before stealing confidential information from the unprepared victims. Cyber criminals are looking to take advantage of this period of global uncertainty, reinforcing the urgent need for everyone to be extra vigilant when it comes to cybercrime. We strongly recommend Australian lawyers and conveyancers utilise the tools and processes available to them to mitigate this risk, including: Install and update your anti-virus software Ensuring your anti-virus software is up-to-date is critical. Cyber-criminals can use a number of different methods to try and attack your devices, anti-virus should always be your first line of defence in protecting you and your business.   Keep operating systems (OS) and browsers up-to-date Updated OS and browsers add protection from security issues that could be used to compromise your information. Restart your devices regularly to make sure updates are fully installed. Cyber-criminals use weaknesses in outdated software to scam individuals and businesses. The best way to keep you and your business safe is to action software updates the instant they become available.   We also recommend that you shut down and restart your device frequently for automatic updates to proceed.   Do not use public WiFi If outside of the home or office, we do not recommend the use of free WiFi.  Instead, use your mobile as a hotspot (or purchase a 4G mobile router). This will provide you with a safer connection online. Public WiFi is easily compromised by hackers and your personal information easily obtained.    Virtual Private Network (VPN) When you’re working from home for an extending period of time, use your company’s VPN to make sure that you maintain a secure connection to all your corporate services and applications, away from the prying eyes of cyber-criminals.   Phishing – protect you and your clients’ information With reported email phishing attacks on the rise and the risk becoming more tangible across the world, it has never been more important for us and the broader e-Conveyancing network to use the tools available to us to protect against this threat. While you’re working remotely and limiting face-to-face client meetings, bank and trust account details can be communicated safely via the free PEXA Key app between you and the homebuyer or seller. The app removes the need to use email, mitigating any risk of succumbing to email phishing attacks in the sharing of critical transaction information. Lawyers and Conveyancers who use InfoTrack can also use Securexhange to communicate sensitive information with real estate agents.   Multi-factor Authentication (2FA/MFA) Check the security and privacy settings of all your essential services and make sure they have 2FA/MFA available. When logging into PEXA, members must use MFA to access their accounts. Although users have the option of receiving their MFA code via SMS or the smartphone app, we find the most reliable option to be the latter – via the PINGID application. The code is generated immediately in the smartphone app for users to transcribe into PEXA.  The SMS option can experience latency issues with some telecommunication providers, meaning the code is not received by the user for some time. If you’d like assistance moving from SMS to the smartphone app, please contact PEXA’s Support Centre on 1300 084 515.   Protect your passwords Keep your passwords and pin codes safe. Now might be a good time to change your passwords and use a password manager e.g. LastPass and 1Password to ensure you have unique passwords for all your different accounts. This ensures that if one of your accounts is compromised, the others are protected, and the impact is minimised.   Kind regards   David Willett Head of IT Security, PEXA ... View more

Hi Community,     Whilst businesses around the country and indeed the globe are making important preparations to respond to COVID-19 (Coronavirus), it is important to understand that cyber criminals can use a situation like this to their advantage.   Targetted phishing attacks, with malicious content disguised as Coronavirus notices, may be launched to capitalise on the public's desire to learn more about the outbreak. There have already been reports in the media about scams attempting to steal personal information or infect people's devices with malware that distributes false information or scam products.    In one example, a phishing email that used the logo of the CDC Health Alert Network claimed to provide a list of local active infections. Recipients were instructed to click on a link in the email to access the list. Next, recipients were asked to enter their email login credentials, which were then stolen by scammers.   What to do to protect yourself  If you want to educate yourself further on COVID-19, only look at reputable sources like the World Health Organisation, Centre for Disease Control or the the Australian Governments Department of Health websites.  Always be on the lookout for tell-tale signs of email phishing from emails that appear to come from reputable sources. Remember, you can look at the sender’s details – specifically the part of the email address after the ‘@’ symbol – in the ‘From’ line to see if it looks legitimate.  Be weary of social media posts that attempt to bait you to click on links to gain more information. Social media is notorious for being used to spread misinformation despite the review processes that have been implemented by these sites in recent times. As per point number 1, go direct to reputable or government sources to get information on COVID-19.  You can check out our link on phishing emails here to get more general information on how to spot scams.  Finally make sure you have good anti-virus protection installed on your device, whether it be a laptop or mobile.    Kind regards   David Willett Head of IT Security ... View more

Hello   The Legal Practitioners Liability Committee has recently posted an insightful article that details a use case of email compromise leading to funds being transferred to a fraudster.   Be alert and get to know the warning signs that your client may have been compromised. A request to change account details at the last minute? This should always be followed up with a phone call to confirm it is legitimate.   Take a look at the LPLC article here to learn more! ... View more

We  use  our  mobile device and its installed apps  every day . T he apps  we download  make it  easy  for us t o  do  everyday  things like  check  our  mail, tap onto the tram /train /bus , update  our  Instagram story, pay for coffee, track our calories  and now  even  to track   our  property settlement  ( s hameless plug of  PEXA Key ).  All  co nveniently completed   on our way in to work .     With  all  this   private  information  available at the touch of a button ,  keeping our phones and  chosen  apps secure  has become   increasingly  important.    Here are some handy  tips  to  assist you  in  doing so .     1. Download from official stores   Cybercriminals are known to create  rogue mobile apps  that mimic trusted brands in order to obtain users’ confidential information.  To avoid  these type s  of scam s ,  a lways download new apps from the official app stores , check the publisher  is  f rom the official supplier e.g. Property Exchange Australia Ltd)  and when  the  app  w as  last updated .  For example ,  PEXA Key  is  available exclusively on  the  Google Play St ore  and Apple App store .        2. Use device security     All smart phones have multiple methods  of  authentication  available. We advise you to:   Not leave your phone unlocked .  Make sure your phone is set to auto lock within 30-60 seconds of inactivity ; and   Use at least one of the authentication methods available to unlock your device e.g. facial recognition etc.    If using a pin code  to access your phone, do not use the same pin for your apps  or write the m  down  on a piece of paper . Try using  a  password manager   app  to  store ,  keep track of  and generate new  passwords  and  pin codes.      3. Call your provider    If you  lose  or  m isplace  your phone, call your provider  to ensure your SIM is deactivated  to protect your  phone and the apps on it from potential criminals.  This is good advice for your clients who use PEXA Key . It is also important that they remember to  notify you in the  unlikely  event  that they lose their phone.     4. Anti-virus on your phone    Your  hand-held  device is no different to your laptop  o r  PC and  is similarly  susceptible to scams such as phishing .  Consider installing  anti-virus software  onto your mobile device.   ... View more