Professional firms, particularly those handling money for mortgage lenders, are increasingly at risk of high level cyber-attacks, according to leading experts in the field of law, finance and mortgage lending.
Speaking at the Mortgage Tech UK conference yesterday morning (27th June) Georgina Squire, Partner at solicitors Rosling King, warned professionals of the dangers that cyber-attacks impose to professional firms such as lenders, valuers, brokers and solicitors and advised on what steps should be taken to prevent and mitigate the fall-out when falling victim to a such an attack.
A joint report by GCHQ’s newly-opened National Cyber Security Centre and the National Crime Agency published earlier this year, warned that the cyber threat to UK business is at an all-time high.
Georgina Squire said: “Given that 2016 was the year that law firm data security came to the fore, by means of high profile events such as the Panama Papers and the rise of Ransomware, it seems reasonable to suggest that the threat will impact professional services firms in much the same way as the wider economy.
“Over the last year, professional firms such as my own, have been urged to take proactive steps to manage the risk posed by cybercrime to protect both ourselves and our clients.”
Squire also encouraged firms to increase staff training and awareness and to build in additional security and protections to try to limit the potential harm, adding: “We have legal and regulatory obligations like all other professionals involved in the mortgage industry. Our regulators are increasingly taking on more hands-on approach to data security and publishing regular guidance.”
Current threat areas for law firms and other professionals involved in mortgage origination are:
- Cloud computing
- Email fraud/phishing
- Identity fraud
Firms are increasingly being advised to develop a cyber-aware business culture, by developing clear and efficient internal procedures for handling money and considering methods to avoid, for mortgage lenders, the two most prevalent areas of cyber fraud which are:
1 Identity Fraud
2 Friday Afternoon Fraud
One aspect of identity fraud is “home high-jacking”. The value of this type of fraud is more than tripled since 2013 rising to nearly £25 million in April 2017, according to HMLR registers.
Squire said: “It is now getting to the stage where criminals are paying people to pose as tenants and rent a property using fake identities. One of the tenant’s changes their name by deed poll to match the true owner’s name, put the property on the market and sells it to a cash buyer. It is only when the buyer goes to register the change of ownership with HMLR that the true owner, the landlord, is alerted.”
To detect this type of fraud, firms are advised to consider the following:
- If a tenant is hassling the agent saying they need keys and want to move in quickly, that might be indicative of them being up to something.
- In these scams it is often the case that the tenants do not actually ever live in the property – which remains empty. This can be checked by the agents. Fraudulent tenants rarely move into the house, they are looking to sell it on quickly.
- Solicitors and professionals doing KYC on new clients may be alerted by the sight of a brand new passport or brand new driving licence or other ID. Fraudsters change their name by deed poll to the landlord’s name.
- When doing KYC follow up on references. Maybe check phone numbers.
- Owners can sign up for HMLR Alert service which informs you if someone is checking the register for your house…
The second major type of cybercrime hitting professional firms acting in the mortgage industry, is what has commonly become called Friday Afternoon Fraud.
“As solicitors, we see alerts from our regulator, the SRA, almost weekly now with stories of Friday Afternoon Fraud”, said Squire.
To avoid this type of fraud, Georgina Squire suggests the following:
- Beware of changes in bank details mid-transaction and beware of requests to do so during a transaction.
- When someone asks for money to be sent to a particular bank account, call back on a phone number to double check those bank account details over the phone and verify them. Only the most sophisticated of fraudsters would be able to intercept that call and provide their own mobile phone number to verify the fraudulent bank details.
- Never send out our bank details in open emails. They should be sent in a password protected attachment with the password sent by separate email. It may sound simple but it should act as an extra layer of protection and is something that is certainly worth doing.