New Zealand real estate company scammed out of $450,000.
An Auckland-based real estate company is fast on the rise and experiencing a large amount of success, particularly with their property management services. The company manages a significant number of rental properties on behalf of homeowners, sourcing tenants and collecting the rent before passing it on to the landlords (minus their fees).
The business is well set up with the majority of the business run through digital systems, which includes maintaining tenants' details, landlords' details, bank account numbers, property reports and using industry-related software.
When the company set up their online systems, they paid an IT company to help them get up and running. They assumed they were safe and hadn’t worried too much about further IT involvement after the initial setup. They believed they were too small to be targeted by online thieves, scammers or hackers.
One day at the beginning of the month, an Account Manager at the company turned on her computer and discovered she wasn’t able to access any of the files or information.
One by one, as the other staff arrived in the office, they all realised they had the same problem. Their stomachs churned with anxiety as they realised something was seriously wrong.
They reached out to us at Swerve to investigate the issue for them.
Sure enough, they had been hacked by external opportunists. It took nearly a week to get them back up and running. In the meantime, they relied solely on the telephone to operate.
That week they dreaded every time the phone rang.
A tenant would call to say they had a water leak, or a broken window, and the real estate company couldn't look up any of their details - who they were, which property they were in, or even what their address was. Nor could they call the landlord for approval of the repair since all the information was stored on their system, and the system was down.
The team was incredibly relieved when everything was up and running again.
Approximately four weeks later they received a call from one of their landlords… “I was wondering why my rent hasn’t been paid into my account this month?”, the landlord asked.
The account manager’s throat went dry. “um, what was that sorry?” they asked in disbelief.
“You normally pay my owed rent into my account on the 20th of the month. It’s been 10 days since then and I’ve still not received the money in my account”, continued the landlord.
The Account Manager suddenly realised the issue had something to do with the computers going down and the recent hacking they had experienced.
The scam.
The online scam involved hacking the Account Manager’s password, who, just like over 50% of Kiwis, relied solely on memory to recall her password. To make her life easier she used the same password she used for most things online. The password was 'Sunshine365', which helped to remind her to stay positive 365 days of the year.
The online attack which took the company down was called a 'brute-force' attack. This type of attack involves acquiring an online dictionary (normally from other hackers), which has a list of all English words, phrases, numbers and commonly used passwords (like Sunshine365).
Getting the Account Manager’s email address was easy, as it was listed on the company’s website.
Armed with one of these dictionaries, the hackers will continually try to access your computer system, email or other online portals via a piece of software which systematically attempts to 'crack’ (identify) your password using millions of combinations from the dictionary, until they successfully unlock it.
Sometimes this can take as little as a couple of minutes and other times it can take hours.
As soon as the hackers cracked the Account Manager's password, they had free reign to do as they pleased with the entire company's online systems, files and information.
The damage.
Once the attackers had access to the Account Manager's password and login details, they were able to infiltrate the Real Estate Company’s systems. Along with taking the company off-line, the attackers set up all rent payments to be forwarded to an offshore bank account before wiping all of the data and information on the system.
This meant, all rent payments for the entire month were gone, and in the hands of the thieves.
While the company was focused on getting back up and operational nobody thought about checking the bank accounts to ensure the rent payments were still going into the trust account.
It cost the company $450,000 before they became aware and were able to rectify the situation. The company was liable for all the damages as they didn’t have insurance for such an occurrence, believing they had nothing to worry about.
This incident brought the agency close to ruin. Fortunately, they had developed good relationships with their customers and were able to continue.
Although they were able to restore data from five months prior (sourced from an old server that had been replaced but not wiped clean of data), they still lost five months’ worth of records, data, and information from their system.
The solution.
There are a couple of steps we took when they first contacted us at Swerve. Firstly, we insisted everyone in the company create new login details and passwords and installed Multi-Factor Authentication (MFA). MFA requires multiple forms of authentication in order to log on, such as a unique verification code sent via text message.
This means that unless a scammer or hacker physically has the employee’s phone, they'll be unable to access the system, even if they’ve somehow managed to obtain their password.
To set up Multi-Factor Authentication for Office 365 users, click here for instructions.
To set up Multi-Factor Authentication for Google users, click here for instructions.
Next, we established multiple system backups per day, so if they were to lose their data or any information again in the future, everything could be restored within the fastest time-frames possible.
The company also decided to hire Swerve on an ongoing basis to monitor and secure all of their IT systems.
This means all the latest software updates and security enhancements are installed as soon as they’re available. We’re also alerted anytime anything suspicious occurs within their IT system, enabling us to jump into action immediately to prevent further intrusion and issues.
Finally, the company signed up their team to Swerve's Cyber Security Awareness Training.
This programme results in staff becoming fully aware of possible scams, suspicious emails and links. This allows staff to work with greater confidence online and helps to protect the company, as their team are much more conscious of what they're clicking on.
Protecting yourself and your business.
You can easily find out if your business is vulnerable to these types of scams or attacks. Take this short, simple test to check whether you and your business are protected - just click the button to get started.
Many Kiwi businesses are unprepared when it comes to securing themselves from online theft. Most companies believe that having a dedicated IT consultant, or having their online systems set up professionally, means they're automatically safe. Unfortunately, this isn’t the case.
At Swerve, we hate seeing New Zealand businesses getting scammed and that's why we've set up user-friendly, easy to implement processes, which help to secure and protect your livelihood and business.
Our systems help to reduce the chance of human error when operating online. Whether it’s safeguarding your accounts team, setting up simple security systems, or familiarising your team with correct online policies and training.
Do you want to safeguard your business and reduce the risk caused by online thieves, scammers and hackers?
Book your free business security audit with us today by clicking the button below.
