Case Study – September 2022

Incident background

An AIC NSW Member (the Member) experienced a phishing incident from an unknown caller (the Threat Actor), claiming to be an Optus contact. (NB: this threat occurred before the recent Optus breach and was unrelated to that event.) The Threat Actor referred to confidential information to validate their identity.

Subsequently, the Member disclosed their personal information but did not disclose any client information. As soon as the Member became suspicious of the call, they terminated the conversation and called a legitimate Optus contact to verify the call. Optus confirmed that they had not made the call and had no reason to do so.

The Risk

The risk of providing personal information to a stranger is that the Threat Actor could have obtained further access to the Member’s mailbox. Further, given that the Member’s mailbox contained client data and personal information, there was a risk of the Threat Actor viewing and / or misusing the data contained in the mailbox to cause harm to an individual (i.e. commit identity theft or financial fraud).

From our experience, threat actors typically gain unauthorised access to mailboxes in several ways, including social engineering (tricking someone into believing they are legitimate), with the primary objective of misdirecting funds or committing financial fraud. There is often a secondary objective at play, including retaining copies of emails for future phishing, or retaining personal information for financial gain.

Incident response process

The Insured contacted Clyde & Co’s Incident Response team to assist further. Clyde & Co is a law firm, but they aren’t your traditional lawyers. Their cyber incident response team is focused on one mission: facing down cyber risk. AIC NSW is in partnership with Clyde & Co to provide a free 2-hour triage service to its members.

Hidden cybersecurity risks in the property market – what should Members look out for?

While many types of cyber trends can occur, proactively training employees to recognise phishing scams / links (aimed at harvesting log-in credentials) significantly reduces the likelihood of business email compromise (BEC) and subsequent misdirected-funds incidents.

The real estate industry and its conveyancers play a central role in transacting property transfers and handling funds, with mailboxes likely storing high-risk data (personal and / or client information).

This makes Members prime targets for cyber criminals and increases the need to be particularly vigilant about any phishing scams or suspicious emails.

Please see links to articles for further information on these risks:

Business Owner Members: If you suffer a cyber incident, contact the Clyde & Co Cyber Triage Service. Details are provided on the Cyber Triage Service page in the members section of this website.