Buying or selling a home is one of the most significant financial decisions a person will ever make.
Today, residential property is Australia’s most valuable asset class, worth close to $10 trillion.
As part of every settlement, sensitive information such as bank account details, as well as large sums of money, must be exchanged.
It is for this reason that cybercriminals are targeting the sector in droves: the nature of the communications and the finances involved place a sizeable target on the industry.
The most common form of attack currently being seen is the “payment redirection”, part of a broader technique known as “business email compromise”.
In a typical payment redirection scam, scammers impersonate a business or its employees via email and request an upcoming payment be redirected to a fraudulent account.
But what does this look like in practice?
Recent frauds across the country
A WA woman made headlines this month, losing $732,000 after scammers intercepted email communications between her and her settlement agent.
As confirmed by Consumer Protection WA, the victim received an email, with authentic-looking documents attached, from someone she thought was her settlement agent, asking that the money be deposited into a bank account prior to settlement.
The message came via a generic Hotmail email address that used the agency’s name.
Before carrying out a final inspection of the property, the real settlement agent reminded the buyer about making the payment and it was then that the scam was uncovered.
The scammers had sent the buyer a fake email pretending to be the settlement agent, replacing the bank account details with those of an account they control.
And losses of this magnitude are not uncommon. In September last year, a Sydney couple were swindled out of close to $1 million in a similar incident.
How to stay safe
PEXA’s Chief Information Security Officer, David Willett, has one clear message to buyers, sellers and industry alike.
“Do not use email as a channel for exchanging bank account details as part of settlement. This is simply not a secure way to communicate this incredibly sensitive information – and places you at a greatly heightened risk of a cyber-attack.
“The inherently safer method is to verbally confirm bank account details over the phone or in-person.”
“Additionally, I highly recommend you make use of PEXA Key. This free app has been specifically built for industry to eliminate the risk of email phishing and enables clients to provide their bank account details to their legal representative safely. All data is encrypted and automatically transferred into the PEXA platform where settlements are facilitated, mitigating any risk of interception.
“This service is also guaranteed to protect consumers – if the communication of bank account details between the client and their practitioner’s PEXA workspace is corrupted within PEXA or compromised due to fraud, buyers and sellers can be reimbursed up to $2 million.”
Tips and tricks
The Australian Cyber Security Centre encourages consumers to follow the guidance below to help avoid falling victim to a payment redirection scam:
- Check details such as the spelling of a sender’s domain name to verify if a communication is legitimate. Double-check by comparing it to previous correspondence.
- Exercise critical thinking and vigilance when receiving phone calls, messages and emails.
- Exercise caution opening messages or attachments, and clicking on links from unknown senders.
- Do not provide personal information (such as usernames, PINs, passwords, passphrases or secret/security questions and answers) to unverified sources.
And most importantly: to provide bank account details, use verbal communication instead of email.
PEXA has a dedicated, expert security team on hand to support buyers, sellers and industry. Visit pexa.com.au/security to learn more.