Background /What has happened?
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has observed a growing trend of cybercriminals targeting the property and real estate sector to conduct business email compromise (BEC) scams in Australia.
In a BEC scam, cybercriminals pose as a legitimate business to send fraudulent emails to their customers or clients. In a property-related BEC, cybercriminals unlawfully gain access to emails or impersonate businesses to deceive individuals attempting to buy, sell or lease property.
Cybercriminals will impersonate parties to a property transaction (such as real estate agents or conveyancers) and insert illegitimate bank details for settlement or rental payments. Victims assume this request is legitimate and will unknowingly send Âpayment to the cybercriminal’s bank account. Successful BECs can go unnoticed for weeks until businesses follow up on a missing payment.
These fraudulent emails may come from hacked email accounts, or cybercriminals might register domain names that are similar to legitimate companies (typically by swapping letters or adding additional characters). They might also create email addresses with Gmail, Yahoo or Outlook that use the legitimate business name. At a quick glance, an email address may look legitimate when it is actually being operated by a cybercriminal.
Cybercriminals are targeting all parties involved in the real estate sector, with a particular focus on impersonating conveyancing lawyers and communicating with their clients. Cybercriminals are also singling out mortgage lenders in order to intercept property settlements.
Settlement agents and lawyers should be wary of updating bank account details – particularly before updating Property Exchange Australia (PEXA), an online service that deals with property transactions. When cybercriminals impersonate a property seller and request their bank details to be updated, settlement agents using PEXA will change these details in the system. PEXA remains secure yet the new bank account details are fraudulent, resulting in the buyer sending funds to the cybercriminal’s bank account.
Mitigation/ How do I stay secure?
This trend has potential for significant financial harm. All parties involved in the buying, selling and leasing of property should be vigilant when communicating via email, particularly during settlement periods. This includes real estate agents, conveyancers and lawyers, mortgage lenders and any clients of these businesses.
The ASD’s ACSC recommends to:
- Verify payment details: If any party to a property transaction notifies you they have updated their bank details, take extreme care to confirm changes by calling the sender’s established phone number or meeting them face-to-face before transferring any funds.
- Training and awareness: Ensure staff are trained to identify suspicious emails, including requests to change bank account details or emails linking to fake websites. The latter may be a phishing attack which could capture passwords and compromise account security.
- Secure your email account: Knowing cybercriminals will attempt to access systems through compromised passwords, it is recommended that individuals and businesses use strong passphrases and enable or implement multi-factor authentication on email accounts to help prevent unauthorised access.
Further advice on mitigating business email compromise is available below:
- Protect your email account from cybercriminals
- Protecting Against Business Email Compromise
- Implementing Multi-Factor Authentication
- Phishing – Scam Emails
- Know how to spot phishing (scam) messages
- How to Combat Fake Emails