“I was thrilled to contribute to Today’s Conveyancer as a guest writer for this piece on Friday Afternoon Fraud. Did you know it remains one of the most common cyber crimes reported to the Solicitors Regulation Authority? Read on for my practical tips to protect yourself from any type of email fraud, any day of the week.” Nadia
Friday has always been one of the most popular days to complete a house purchase
Certainly not news to solicitors, who understandably now favour pretty much any other day of the week. Perhaps there’s simple logic to the fact that Friday stands firm as a favourite; the prospect of a weekend spent unpacking beats being forced to take precious time off work to complete the task. And don’t forget the allure of completing the bank transfer on the same day as the move.
It’s no surprise, then, that cybercriminals have a preference for Fridays, too. With all those large sums of money hopping from firm to firm to client, not to mention the whole weekend ahead to defer the chances of detection, Friday Afternoon Fraud must have felt like a no-brainer for the first to cash in from the scam. Still, it accounts for around ¾ of all cybercrime reported to the Solicitors Regulation Authority (SRA) (source). So what can we do to make it more difficult for the cybercriminals to succeed?
What is Friday Afternoon Fraud?
Essentially, it’s when a fraudster infiltrates a conveyancing transaction and intercepts funds from a property sale for their own financial gain. In practice, the cybercriminal will have first gained unauthorised access to a computer network, most likely as a result of weak passwords, a successful phishing or social engineering campaign, or by using something called a keylogger to steal credentials. Before you know it, you’re corresponding with a malicious third party over email instead of your intended recipient. And in the blink of an eye, they’ve made off with the funds.
Needless to say, the impact is devastating for nearly every party involved. Hard-earned reputations are ruined overnight, innocent buyers and vendors are left wondering who’s going to reimburse them, and small firms in particular have been known to go out of business completely as a result.
The perfect storm
It’s no coincidence that cybercriminals launch these kinds of attacks at the busiest times of the week. Often, they know your agenda better than you do, and thanks to the wealth of information shared online via social networks, a cybercriminal can identify your most vulnerable moments without using any malicious software or practices at all.
At Naq, we’re most interested in protecting people’s livelihoods, and paying attention to how our overall environment leaves us exposed to cyber security risks. Few of us are operating at our peak on a Friday afternoon, let alone solicitors who are already experiencing fatigue after a long demanding week of work, but are now under pressure to make a completion happen before they log off for the weekend.
Take a moment to put yourself in the mindset of a hacker. Cybercriminals will always attempt to exploit emotional triggers and associated human weaknesses. A tired, busy, distracted employee, under huge pressure and with one eye on the weekend? It really is the perfect storm.
Practical ways to protect yourself
No matter how stressed or pressured you may feel, never authenticate a request to change the destination of funds without double or even triple checking it’s genuine.
- Anything that provokes a visceral response, that makes you feel anxious, angry, or like you’re already out of time should raise alarm bells every time. Pause to breathe in for four, and out for four – a slow, deep inhale and exhale shouldn’t be limited to the yoga studio. Take even one whole minute for yourself, enough time for your logical brain to kick in and override instinctive responses to emotional triggers.
- Most Friday Afternoon Fraud takes place via email. Always call the sender by phone to verify their request by email is legitimate. Be aware that cybercriminals increasingly compromise business emails between colleagues, intercepting familiar email threads. Pay attention to the date and time stamps in the rest of the thread – anything long past is a sign of fraud.
- Be alert to changes in tone and character. Completion date is a highly charged event, so some sense of urgency is to be expected. But by now, you will have been dealing with the client for some time. Querying any significant changes in their behaviour is totally justified, and it could be all it takes to stop a cybercriminal in their tracks.
- Passwords, passwords, passwords. Use strong, unique passwords for all your online accounts. The longer the better, and we recommend using a string of dictionary words at random (plus of course a mix of cases, some numbers and at least one special character). Password manager tools or apps make it easy to create a strong every time. Enable two-step verification (or multi-factor authentication), like a one-time code sent by SMS in addition to your password, wherever possible.
Remember, fraud doesn’t only happen on Friday afternoons. Pause to question anything that doesn’t feel right by giving yourself a chance to rationalise what’s being asked, validate the request with the sender (using a different means to email), and check again with the help of a colleague.
And we’re only as strong as our weakest link, so model security-conscious behaviour to other colleagues, especially if you manage a team. Walk the talk and reward others who challenge the slightest sign of suspicious activity.
In exchange for a restorative deep breath in and out, you can breathe a little easier knowing that you’ve done all you can to protect your firm’s reputational and financial livelihood, not to mention your clients, whose money is also at stake.