7.30pm – posing as the practitioner, the cybercriminal logged on to the online help facility of the practitioner’s mobile phone provider and was able to change the practitioner’s contact details to an email address controlled by the criminal.
7.50pm – the cybercriminal then rang the mobile phone company to confirm the change in contact details and to activate call-forwarding on the practitioner’s phone. With personal identification questions, call forwarding can be activated remotely without access to a physical handset. From this point, the practitioner’s phone calls and messages were forwarded to a phone number controlled by the criminal.
8.50pm – the cybercriminal then telephoned the law firm’s bank, 10 minutes before their telephone help was due to close, and said they were tired of using the current multi-factor authentication system for accessing online banking and the firm’s trust account. They instructed the bank to change over the security token being used to a SMS system where the bank sends a code to the practitioner’s mobile phone.
8.55pm – the bank made the change and because the cyber-criminal had forwarded the practitioner’s calls and messages to the criminal’s phone, they were then able to access the SMS code and transact from the trust account.
11.40pm – the cyber criminal’s plan went into full swing. Over the next few hours, $110,000 was transferred from the firm’s trust account in a series of transactions. Money was transferred to digital bank accounts set up by the criminal and BPAY payments were also made to a bitcoin market website.
5.30am –the practitioner logged on to check the trust account activity overnight, discovering the theft and immediately notified the bank. The practitioner’s diligence in checking the account routinely meant that the fraud was identified quickly, and the bank was able to freeze the trust account to prevent further theft and recover the stolen funds.