Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
Business
technology reporter James Purtill

Australia's overheated property market has become a target for hackers — and they're scamming millions

Real estate scams are feeding on the Australian dream of home ownership. (Getty Images: William West)

The scammers' first email to Kelly and her husband arrived in the small hours of the night, when they were sleeping.

"Due to the ongoing bank audit on our account," the email read, "please see attached our subsidiary trust account details for the payment of $25,000 deposit."

The email address looked legitimate — it was the real estate agent's.

Kelly and her husband, both young engineers and "tech savvy", were at the pointy end of buying a house in Western Australia. 

And so the next day, Kelly's husband sent their hard-earned home deposit to a scammer, and never saw that money again.

Property settlement scams are becoming more common as house prices rise and scammers turn their focus to the large and often lightly protected sums of money that prospective buyers are transferring to the trust accounts of real estate agents and conveyancers.

Known as "payment redirection", it's part of a category of scams called "business email compromise", where criminals hack an employee's email account and then, impersonating that employee, send a payment request, substituting their own bank account details.

The victims tend to be individual home buyers or small business owners, for whom the consequences of a lost deposit are devastating.

Six months on, Kelly and her husband haven't yet told their parents or their friends that they got scammed.

"It's been very, very stressful," Kelly said.

Real estate scams on the rise in 2022

According to national figures, plenty of others are falling for the scam too.

The Australian Competition and Consumer Commission's (ACCC) Scamwatch receives on average about two reports per week of payment redirection scams in real estate.

March 2022 saw 14 reports alone — the highest figure in 15 months.

"Twenty-five reports were made this year, which is an increase of 25 per cent on the same period in 2021 and losses this year are up 186 per cent to $1.8 million," an ACCC spokesperson said.

NSW, which has the nation's most expensive property market, accounts for three-quarters of the $4.3 million lost through this scam around the country from January 2021 to the end of March 2022.

A 10 per cent deposit on a median house in Sydney is $160,000 — an increase of $40,000 in 12 months. (ABC News: Michael Coggan)

Buyers aren't the only parties being targeted says Chris Tyler, chief executive officer of the NSW division of the Australian Institute of Conveyancers (AICNSW).

Fraudsters have even used payment redirection to scam the stamp duty a conveyancer had intended to transfer to state revenue, he says.

"Because property transactions are so high in value, all the parties in the transaction are being targeted: The real estate agents, the mortgage brokers, the conveyancer.

"Half the time the deposit could be a couple hundred thousand dollars."

'The value of houses has gone up so much'

The Sydney law firm of Clyde & Co's cyber incident response team handles multiple business email compromise (BEC) incidents every week.

"We've noticed an uptick over the last three or four months," said Reece Corbett-Wilkins, a member of the response team.

Though less "sexy" than ransomware, BEC is just as big a problem, he says.

Clyde & Co saw a 150 per cent increase in reported BEC incidents from 2018 to 2021.

In some cases, the losses are huge — a client of a client recently misdirected a $750,000 transaction.

"The value of houses has gone up so much. There's a lot of cash flowing through the real estate sector," Mr Corbett-Wilkins said.

The nature of real estate transactions, involving many parties and often not much cybersecurity, makes them a favourite target of scammers.

"These attacks are super sophisticated," he said.

"You've got this combination of factors that all come together and you think, well, this is ripe for the picking."

Scam continues after money transferred

It takes at least six years, though often longer, for the average home buyer to save for a deposit on a house in Sydney or Melbourne. (Supplied: ACT Government)

After Kelly's husband sent the scammers the $25,000, the scammers stayed in touch via email, maintaining the charade and allaying suspicion for long enough for the transfer to clear.

"I will issue a copy of our trust receipt once the funds hit our account," they wrote back to the couple.

At the same time, the scammers were emailing the real estate agent, using an address that closely resembled Kelly's husband's, to assure them the home deposit funds were on their way.

The couple only reported they had been scammed a week later, when the real estate agent called to ask them for the deposit.

By then, the money had been transferred to another Australian bank account, and from there to a cryptocurrency exchange, where it was converted to Bitcoin.

"That's where our bank stopped — they said we can't pursue it any further," Kelly said.

"We're still waiting for the police — it took them several months to say they’re even looking into it."

Where are the scammers located?

The FBI has coordinated several global operations, along with national police agencies like the AFP,  to disrupt BEC schemes.

Most of the arrests have been made in the United States and Nigeria.

A 2018 report by the cybersecurity company Crowdstrike also pointed to cyber criminals in Nigeria, including the "formidable criminal organisation" known as "Black Axe".

According to the report, Black Axe "has developed a hierarchical, inter-state organisation while at the same time retaining cult-like tendencies" and its gangs are "involved in a multitude of organised crime ventures such as running prostitution rings, human trafficking, narcotics trafficking, grand theft, money laundering, and email fraud/cybercrime."

The report reads:

Younger Nigerian criminals — often called Yahoo Boys — are said to begin their scamming careers while undergraduates at university.

There are thousands of undergraduates in Nigeria who participate in online fraud, and it has been estimated that there are approximately 5 million online scammers in the Lagos region.

Novices typically start off with variations on the classic "Nigerian prince" email scam — attempting to lure victims to part with a payment with the promise of a return on this investment at a later date.

They then graduate to BEC scams, working either as individuals or within groups, and using malware such as keyloggers to steal passwords and compromise email systems.

"Ransomware tends to be Eastern Europe, Russia, Estonia, areas like that," Mr Corbett-Wilkins said.

"BEC scams tend to be more in Africa and parts of continental Asia."

What can I do to protect myself?

In response to the increase in real estate scams, conveyancers, brokers, and agents are being taught to reduce the risk of payment redirection by, for instance, not sending requests for transfers via email.

But industry training isn't enough on its own, Mr Tyler said.

"It’s about trying to educate mums and dads out there in the community," he said.

The ACCC has the following tips:

  • Prior to sending money, especially for large transactions, always check the account details are correct by calling the person you are paying via a number you have sourced independently
  • If you receive a request that creates a sense of urgency, don’t rush. Take the time to consider and check whether an email is real, including by looking carefully at the sender’s email address.
  • If you have received a request to change payment details, always check with the organisation using contact details you have previously stored, rather than those supplied in the email.
  • If you have been the victim of a scam, contact your bank as soon as possible.

Mr Corbett-Wilkins has similar advice, and also recommends two-factor authentication for your email account (and your online accounts in general).

He added that even if you've been scammed, your bank may be able to claw the money back before it's been transferred out of reach.

"You've got a three-day window where if you act, [there are] high chances you'll get the money back," he said.

Banks accused of failing to protect customers

Aside from education, there's another relatively simple measure that would prevent many payment redirection scams.

If Kelly's bank had noted a customer was transferring $25,000 to an account number (the scammer's) that did not match the account name (the real estate agent's), it could have blocked the transfer.

Banks are not checking account names on electronic money transfers. (ABC News: Sasha McCarthy)

Banks have been dragging their heels on this, Mr Tyler said.

"Banks have to start verifying the account name versus account number," he said.

"If we have robust identification of a person when they're opening an account, then you can verify against that."

The ACCC has recommended account name verification to the corporate regulator, the Australian Securities and Investment Commission (ASIC).

In February 2020, it wrote to ASIC recommending it examine the verification model that would be rolled out in the UK the following month:

Where other jurisdictions make it more difficult for scammers, Australian consumers and businesses are at increased risk of being key targets for scammers.

The banks have argued against such a system, saying that greater scrutiny of account names would end up blocking legitimate transactions.

There are no signs that Australia will follow the UK's lead anytime soon.

ASIC's current review of the ePayments code, a voluntary code of practice for the banks, does not include the prospect of name verification for scam prevention.

Months later, memory of scam still stings

Back in Western Australia, Kelly and her husband have forked out another $25,000 to buy the original house.

"We do love it, but it's definitely ruined the house a little for us," she said.

They're considering legal action against the real estate agent if police are unable to recover the money.

"The blame is ultimately on the scammers, but the agent runs a business and should have that kind of security," Kelly said.

"They'd probably been hacked for months and the hackers had been waiting.

"It was creepy and smart at the same time."

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.