The property and real estate sector has a growing trend that is of notable concern to ACSC who have observed a rise in  business email compromise (BEC) scams in Australia.

Acting as a legitimate business, cybercriminals send fraudulent emails called a BEC scam, to their list of clients or customers. Likewise in a property related BEC, the cybercriminal poses as the legitimate business to gain access to emails to deceive people trying to buy, sell or lease property.

Victims assume the email is legitimate regarding a property transaction and will unknowingly pay for conveyancing, property sale deposits or rental payments to an illegitimate bank account. In other words, they end up giving their money to the criminals – deposited directly into the criminal’s bank account. The missing payment can go unnoticed for weeks. Often not noticed until the business follows up on payment.

Cybercriminals can initiate fraudulent emails from hacked email accounts or create an email address with Gmail, Yahoo or Outlook that use the legitimate business name. In addition, they may register domain names with a very similar name to the legitimate companies. They do this by swapping a letter or adding a character. A quick glance at the email address or the domain name looks legitimate, so it tricks us.

To try and intercept property settlements, Cybercriminals are targeting all parties involved in real estate. For instance, they are impersonating conveyancing lawyers and mortgage lenders and communicating with their clients by email.

Meanwhile, both agents and lawyers need to take extra care when updating bank account details– particularly before updating Property Exchange Australia (PEXA). PEXA is an online service that deals with property transactions.

If the cybercriminals successfully impersonate a property seller and have their criminal bank details updated, settlement agents using PEXA will change these details in the system. The new bank account details are fraudulent, resulting in the buyer sending funds to the cybercriminal’s bank account, even though PEXA is secure.

Mitigation / How do I stay secure?

The potential financial harm for this growing trend is significant. Most importantly, it asks all parties to be careful when communicating via email and buying, selling, and leasing of property. And especially careful during the settlement process. Parties that can be affected can include real estate agents, conveyancers and lawyers, mortgage lenders and any customer or client of these businesses

The ACSC recommends to:

  • Verify payment details: If any party to the property transaction tries update their bank details with you, call the senders established phone number or meet them face to face before the money transfer. Take extreme care to confirm changes.
  • Training and awareness: Ensure you and your staff are train to:

#1 identify any suspicious emails

#2 question all requests to change bank account details and confirm changes

#3 spot emails linking to fake websites, which could possibly be a phishing attack. These phishing emails are trying to capture passwords and compromise the account security.

  • Secure your email account: it is recommended that individuals and businesses use strong passwords and enable or implement multi-factor authentication on email accounts to help prevent unauthorised access. After all, we know cybercriminals will attempt to access systems.

Want insights like this in your mailbox? Join our monthly mailing list

How can we make your business better with IT?