In light of the recent ‘hacking’ of a conveyancer’s IT system and payee details (no, it wasn’t a failure of the PEXA system; see PEXA says platform remains secure), here are some suggested, relatively easy additional security steps your business could take when intending to make any such payments or transfers.
As you may appreciate, with the high level and vastly differing types of hacking nowadays, it is no longer sufficient simply to ask whether a business has ‘adequate’ virus and malware protection, a firewall, password updating, etc.
It’s also about your business being constantly vigilant for ‘social engineering’ (e.g. via ‘phishing’ or ‘spoofed’ emails, where the email ‘looks’ like it has come from someone legitimate, either in the business or a third party, but hasn’t…). In particular, such fraudsters/hackers may have actually infiltrated your systems and made subtle but material changes to certain data and details.
Further, your Privacy Policy won’t protect you from these sorts of incidents, but you might have other problems if you don’t have one (see Notifiable Data Breaches), and of course all the relevant procedures and appropriate personnel training to go with it.
In addition, your standard ‘cyber-hijacking’ insurance policy may possibly not protect against this particular sort of incident. And no, there’s no such thing as completely ‘bulletproof’ T&Cs with an infinite disclaimer and total waiver of liability.
Therefore, without knowing your specific payment policies, internal internet security, encryption and firewall procedures, you may also like to consider implementing a relatively simple but nonetheless somewhat more effective ‘two factor authentication’ (“2FA”) process before making any substantial payment or transfer to any transferee.
This 2FA process is broadly similar to those adopted by banks.
Namely, whilst you may securely store the relevant payee/transfer information in your IT and/or accounts system, your system could (in the unlikely but possible event) be compromised between the time you:
· initially receive those details from them; and
· just before you actually action and undertake those transactions.
It is therefore suggested best practice to always implement such a 2FA protocol:
- whereby you personally contact your proposed payee by a pre-agreed, alternate method of communication (usually a phone call or confirmatory text message to their specified mobile phone number) to validate and re-confirm those account details immediately prior to effecting the transfers. Hence the 2FA.
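As an added illustration (not code from the original post or from PEXA), here is a small Python sketch of that two-step protocol: the payee's details are sealed with a keyed hash when first received, the stored record is re-checked immediately before payment so that a later alteration in the accounts system is noticed, and for a substantial amount the BSB and account number are read back to the payee on the call-back number agreed at intake rather than on any number supplied in a later email. The integrity key, the dollar threshold, the payee names, phone number and account details are all constructed for the example.

```python
"""Out-of-band payee verification before a funds transfer (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed key for this example only. In practice it would be held outside the
# accounts database (e.g. in a secrets manager), so that an intruder who edits a
# stored payee record cannot simply re-seal the altered record.
INTEGRITY_KEY = b"example-only-integrity-key"
# Constructed threshold: at or above this amount a call-back is mandatory.
SUBSTANTIAL_AMOUNT = 10_000.00


@dataclass
class Payee:
    name: str
    bsb: str
    account: str
    confirm_phone: str   # pre-agreed call-back number captured at intake
    seal: str = ""       # keyed hash over the fields above, computed at intake


def _seal(name: str, bsb: str, account: str, confirm_phone: str) -> str:
    # Canonical JSON so the same details always produce the same seal.
    canonical = json.dumps([name, bsb, account, confirm_phone], separators=(",", ":"))
    return hmac.new(INTEGRITY_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def register_payee(name: str, bsb: str, account: str, confirm_phone: str) -> Payee:
    """Step 1: record the details when first received and seal them."""
    return Payee(name, bsb, account, confirm_phone, _seal(name, bsb, account, confirm_phone))


def record_intact(p: Payee) -> bool:
    """True unless a stored field was changed after intake (seal no longer matches)."""
    return hmac.compare_digest(p.seal, _seal(p.name, p.bsb, p.account, p.confirm_phone))


def authorise_transfer(p: Payee, amount: float,
                       ask_payee: Callable[[str], Tuple[str, str]]) -> dict:
    """Step 2, run immediately before paying.

    `ask_payee(phone)` stands in for the phone call or confirmatory SMS to the
    pre-agreed number and returns the (bsb, account) the payee states.
    """
    if not record_intact(p):
        return {"approved": False, "reason": "stored payee record altered since intake"}
    if amount < SUBSTANTIAL_AMOUNT:
        return {"approved": True, "reason": "below call-back threshold"}
    stated_bsb, stated_account = ask_payee(p.confirm_phone)
    if (stated_bsb, stated_account) != (p.bsb, p.account):
        return {"approved": False, "reason": "payee did not confirm account details out of band"}
    return {"approved": True, "reason": "confirmed out of band"}


if __name__ == "__main__":
    # Constructed walk-through: what the genuine payee says when called back.
    genuine_answers = {"+61400000000": ("123-456", "98765432")}
    call_back = lambda phone: genuine_answers[phone]

    vendor = register_payee("Example Vendor Pty Ltd", "123-456", "98765432", "+61400000000")
    print(authorise_transfer(vendor, 250_000.00, call_back))   # approved, confirmed out of band

    # Account number quietly altered in the accounts system after intake.
    vendor.account = "11111111"
    print(authorise_transfer(vendor, 250_000.00, call_back))   # blocked, record altered

    # Details were wrong from the start (e.g. supplied in a spoofed email), but the
    # call-back number came from the engagement file: the read-back catches it.
    spoofed = register_payee("Example Vendor Pty Ltd", "123-456", "11111111", "+61400000000")
    print(authorise_transfer(spoofed, 250_000.00, call_back))  # blocked, not confirmed
```

The two checks cover different failure modes: the seal catches a record that was changed in storage after it was captured, while the read-back on the pre-agreed number catches details that were wrong when they arrived. Neither replaces the other, which is why the call is made even when the stored record looks intact.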
Of course there are many other better and more extensive technological solutions out there but, just as VOI is now a standard, maybe 2FA for businesses may become one too.
Just something to consider, and always consult with your bank, IT support, HR/Accounts team, insurers and relevant advisors before implementing any such new protocols in your business.