Enforcing Two-factor Authentication (2FA) on your email service is a robust security measure that can prevent payment redirection fraud. In the following article, we demonstrate how you can enable this powerful security feature on your corporate email accounts hosted on Office 365 or G Suite. By making this simple change, you can reduce the chances of your conveyancing firm or your clients becoming a victim of cyber fraud.
What Two-Factor Authentication (2FA) Is and Why You Need It?
You may have read about the highly publicised PEXA conveyancing fraud, whereby a Melbourne family was left homeless. As it transpired, the family’s conveyancer had their email hijacked by a cybercriminal. This lead to the conveyancer’s PEXA account being compromised and ultimately the theft of $250,000 by the criminal redirecting settlement funds. Although the funds were eventually recovered, the damage to the conveyancer’s practice is permanent. The conveyancer’s business name is now associated with the fraud in the Google search results due to the large-scale media coverage.
The recent conveyancing scandal is nothing new to cybersecurity experts. This cyber attack is a well-known class of cybercrime known as BEC (Business Email Compromise), whereby cybercriminals hijack corporate email accounts – typically by phishing – to commit fraud by redirecting payments by changing payment instructions in emails either between:
- a client and the conveyancer; or
- the conveyancer and a supplier.
The good news is that you can protect your firm from similar attacks by enabling Two-factor Authentication (2FA). This simple, yet effective change makes it more difficult for the cybercriminals to commit payment misdirection fraud against your conveyancing practice. The recent statement of the Office of the Registrar General also suggests legal practices implementing a handful of security measures including 2FA. PEXA will also be implementing some new security measures on its platform, which includes 2FA.
The following configuration guide is written with conveyancing practices in mind. It provides you (or your IT staff or your IT service provider) an illustrated step-by-step guide on how to enable 2FA for Office 365 or G Suite.
Enabling Two-Factor Authentication on Office 365
To enable SMS-based Two-Factor Authentication on your Office 365, you must be an Office 365 Global Administrator. If you are not then, ask your IT staff or IT service provider to perform these steps for you.
Login into the Office 365 Admin center on https://portal.office.com/
Click on the Active users label.
Choose More > Setup Azure multi-factor auth. If you don’t see the More option, then you are not a global admin.
A new browser tab should open listing all of your Office 365 users associated with your subscription. Select the checkbox next to the people for whom you want to enable Two-Factor Authentication.
On the right-hand side under the quick steps section, click on Enable.
Acknowledge the pop-up information box.A second pop-up should inform you that Two-Factor Authentication is now enabled for the chosen user account.
Done! The associated users can now enrol their mobile phone upon the next login to Outlook Web Access (OWA).
For a user to enable 2FA for email, log out first and then log back into Outlook Web Access on https://outlook.office365.com/owa/
This Is How Your Employees Can Enrol to 2FA
Log in with your username as usual.
A new prompt should inform you that your Office 365 account must be enrolled to 2FA now. Click on Next.Choose Authentication phone as the 2FA method and enter your phone number. Choose Send me a copy by text message to receive the verification code. Click Next.
Enter the six-digit code you just received in a text message.
Save the app password to a secure location like a password wallet that is now displayed on the screen. If you use Microsoft Outlook, Apple Mail or another third-party email application, you have to use this as a password from now on to log into from these applications.
When you log into Outlook Web Access again, you will be prompted for the six-digit code as shown below. Just enter the code from the text message and you are set.
To keep these additional security prompts on a minimum, click Yes to stay signed in.
Congratulations, your user account is now enrolled to 2FA!
Should you need more help with setting up Two-Factor Authentication, please refer to the relevant tech support article at Microsoft.
Enabling Two-Factor Authentication on G Suite
Visit your Google Admin Console at admin.google.com and click on Security.
Under Security, click expand the Basic settings section.
Scroll down and tick the box next to Allow users to turn on 2-step verification.
Then click on the Go to advanced settings to enforce 2-step verification ›› to open the advanced security settings.
Under the Enforcement section, click on Turn on enforcement from date and pick a day reasonably close enough to start enforcing 2FA at your business.
New G Suite users should have either one day or one week of grace period before they get locked out for not enrolling to 2FA. Pick 1 day or 1 week under the New user enforcement period. The Allowed 2-step verification methods should be left on Any.
Congratulations! Two-factor authentication is now enabled on your G Suite accounts. All your users have to do is log back in again and enrol their mobile phones to receive the six-digit codes.
This Is How Your Employees Can Enrol to 2FA
The following example demonstrates what steps are required from your employees to enrol themselves to 2FA on G Suite.
First of all, they need to log in with their username and password as usual.
Then a new message box should inform your employees that the user account needs to be enrolled to 2FA. Click on Enroll.
Enter your phone number and pick Text message as the security code delivery method.
Now enter the six-digit code that just arrived in a text message.
Click on the Turn on label to finish the setup.
From now on, Google will ask for the six-digit code when a login attempt is made by a previously unseen browser or from a new location. If you tick the checkbox next to Don’t ask me again on this computer, known web browsers will be asked to re-authenticate with the six-digit code only every 30 days.
Once the correct six-digit code is entered, your employees should be able to continue their work as usual. For more information and support, please refer to the relevant G Suite knowledge-base article.
A growing number of cybercriminals are targeting the conveyancing profession with cyber attacks such as payment redirection fraud. These cybercriminals are more likely to scam practitioners with poor cybersecurity practices. To commit payment redirection fraud, criminals hijack corporate email accounts first by phishing and other methods which they then use to tamper with payment instructions sent to or received from others. Conveyancers without 2FA protecting their email accounts are low-hanging fruits and may become a victim of fraud. By applying simple changes like turning on 2FA on your email platform, you can reduce the chances of your conveyancing business becoming a target.
Gabor Szathmari is a cybersecurity expert with over ten years experience, having worked in both private and public sectors. He has helped numerous big-name clients with data breach investigations and security incident management. In his professional life, Gabor helps businesses – including many small and mid-size legal practices – improve their cybersecurity at Iron Bastion.
This article was first published in the AICNSW Weekly News Alert and Iron Bastion Security Blog. The article was co-written with Nicholas Kavadias.