The fraudster initially compromised the conveyancer’s email account, intercepted a password reset email and gained access to the conveyancer’s PEXA account. They then created a new user profile, obtained new user credentials, accessed a workspace, and changed payment data previously entered by the conveyancer.

Lawyers are not responsible for any technical shortcomings in PEXA’s platform or security weaknesses within the broader banking system, but they are responsible for the data they enter into the workspace and for checking its correctness before applying the digital signature and authorising a settlement to proceed.

1. It starts with email security – recognise that you will be subject to phishing attacks and social engineering techniques. Typically, you may be asked to click on unsafe hyperlinks or open attachments from legitimate looking sources which introduce malware to your computer or trick you into visiting a fake login page of a trusted website and enter username and password details.
   
2. Once an email account is compromised, cyber-criminals have numerous techniques and tools at their disposal to obtain password information and it is just a matter of time before they discover the password(s) you use to access your online accounts.
   
3. Password access to online accounts is akin to having the keys to your house. But in PEXA there is a further step before a cyber-criminal can steal money or complete a fraudulent property transaction – that step involves the application of a digital signature to execute instruments and to certify the correctness of all dealings. A cyber-criminal with password access to the workspace alone cannot transact on the account – they can only enter and save data in the workspace. Only a user holding a digital certificate and signing rights can sign registry instruments and financial settlement schedules and, critically, authorise settlements to proceed. In the MasterChef case the conveyancer authorised the payment via PEXA’s platform without noticing that the payment details had been altered.
   
4. Digital certificates are such important security devices that they should only be given to very trusted people within your firm. You carefully select the people you authorise as signatories to your trust account, and at least the same care is needed when granting digital certificate access rights. Holders of a digital certificate must store it safely and not share access credentials with others.

The major liability risks for legal practitioners arising from the use of PEXA are thus not IT risks. Rather, they are risks arising from human error in entering and checking workspace details, or lapses in security resulting in misuse of a digital certificate.

Keeping the digital certificate secure, not ‘lending’ it out, and being diligent to ensure the accuracy of all disbursement entries in the financial settlement schedule are critical to successfully navigating liability risks with PEXA transactions.

The MasterChef case was a sophisticated fraud, though ultimately simple in its execution. It is a powerful reminder of the need to exercise extreme care with any electronic funds transfers, including PEXA transactions.

Electronic payment platforms relying solely on the manual entry of correct bank account numbers are inherently vulnerable to human error.

You must remain alert to this risk and ensure bank account numbers entered in a PEXA workspace accord precisely with the client’s instructions. This requires:

• clear evidence of the client’s instructions, with verification by telephone if the instructions are via email
• careful data entry in the workspace, and
• a work-system for double-checking the data entry.

A good way to double-check is to involve a second person in the process. Have a work system where one person inputs the account details and a second person checks them and signs the settlement schedule.

PEXA recently announced a Residential Seller Guarantee (the guarantee) to allay consumer concerns about the security of its electronic platform. PEXA’s explanation about the guarantee is available on its website.

LPLC has received several enquiries about the operation of the guarantee.

You must note the three-day time limit for making a claim for payment under the guarantee. This can only be extended by PEXA in its absolute discretion.

The claim form for the guarantee is available on the PEXA website and must be completed by both the seller (Part A), the seller’s practitioner/subscriber (Part B) and submitted to PEXA within three business days of the fraudulent transaction.

Completion of Part B by you will not jeopardise your entitlement to indemnity under LPLC’s insurance policy.

PEXA may exercise its rights of subrogation to claim back any money it pays to the seller under the guarantee if PEXA considers you or your authorised signer was negligent in approving a settlement containing incorrect bank payment details.

You will need to consider any conflict of interest in accordance with the rules of professional conduct.

For more information on how to protect your firm from cyber-attacks see the material on our cyber security page and in particular our cyber security checklist.