Property-related business email compromise scams are on the rise, with the potential for serious harm, prompting a new government alert to the real estate industry and consumers.
According to the Australian Cyber Security Centre (ACSC), cybercriminals are now targeting the property and real estate sector to conduct business email compromise scams.
Triaging the concern as “medium”, the ACSC is urging all parties involved in the buying, selling, and leasing of property to be vigilant when communicating via email – especially during settlement periods.
It highlighted that the trend “has potential for significant financial harm”.
In a business email compromise – or BEC for short – cybercriminals “pose as a legitimate business to send fraudulent emails to their customers or clients”.
In property-related BECs, cybercriminals unlawfully gain access to email accounts or impersonate businesses to deceive individuals attempting to buy, sell, or lease property.
According to the ACSC, cybercriminals will impersonate parties to a property transaction (such as real estate agents or conveyancers) and insert illegitimate bank details for settlement or rental payments.
When victims assume this request is legitimate, they will unknowingly send payment to the cybercriminal’s bank account.
The ACSC has warned how successful BECs may go unnoticed for weeks at a time – until businesses follow up on missing payments.
The cyber security centre also outlined that fraudulent emails may come from hacked email accounts, or from domain names that cybercriminals register to resemble those of legitimate companies – simply by swapping out letters or adding characters.
It warned that yet other cybercriminals will create email addresses with Gmail, Yahoo, or Outlook, using the legitimate business name.
“At a quick glance, an email address may look legitimate when it is actually being operated by a cybercriminal,” the ACSC said.
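The two address tricks described above (a near-miss domain, and a free-mail address carrying the business name) can be screened for automatically before a payment-change email reaches staff. The following is an added example, not ACSC code: the domain `smithconveyancing.example`, the function names and the distance threshold are assumptions made for illustration.

```python
# Constructed sample data: one firm's genuine domain and the free-mail
# providers named in the article.
TRUSTED_DOMAINS = {"smithconveyancing.example"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com"}

def edit_distance(a, b):
    """Levenshtein distance: inserted, deleted or substituted characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike', 'freemail-impersonation' or 'unknown'."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        return "unknown"
    if domain in trusted:
        # Only the domain matches. A hacked genuine mailbox still lands here,
        # so bank-detail changes need phone confirmation regardless.
        return "trusted"
    for good in trusted:
        brand = good.split(".")[0]
        if domain in FREEMAIL:
            # Ignore dots, dashes and underscores in the local part.
            squashed = "".join(ch for ch in local if ch.isalnum())
            if brand in squashed:
                return "freemail-impersonation"
        elif 0 < edit_distance(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"
```
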
Areas of most concern
“All parties involved in the buying, selling, and leasing of property should be vigilant when communicating via email, particularly during settlement periods,” the ACSC said.
Therefore, this advice applies to real estate agents, conveyancers and lawyers, mortgage lenders, and any clients of these businesses.
ACSC has noted that the scammers are placing particular focus on impersonating conveyancing lawyers and communicating with their clients.
But they aren’t the only ones – cybercriminals are also singling out mortgage lenders in order to intercept property settlements.
ACSC is urging settlement agents and lawyers to be extra wary of updating bank account details – particularly before updating Property Exchange Australia (PEXA).
The Cyber Security Centre explained that when cybercriminals impersonate a property seller and request their bank details to be updated, settlement agents using PEXA will change these details in the system.
It reported: “PEXA remains secure yet the new bank account details are fraudulent, resulting in the buyer sending funds to the cybercriminal’s bank account.”
How to stay safe
While maintaining vigilance on the issue of business email compromise is vital, the ACSC has provided a number of recommendations to individuals and businesses who are transacting real estate.
These are outlined below:
1. Verify payment details
If any party to a property transaction notifies you they have updated their bank details, the ACSC advises taking extreme care. Confirm any changes by calling the sender’s established phone number or meeting them face-to-face before transferring any funds.
2. Training and awareness
Staff must be trained on the identification of suspicious emails, including requests to change bank account details or emails linking to fake websites. The latter may be a phishing attack, which could capture passwords and compromise account security.
3. Secure your email account
Because cybercriminals will attempt to access systems through compromised passwords, all individuals and businesses should use strong passphrases on all accounts.
Where possible, enable or implement multi-factor authentication on email accounts to help prevent unauthorised access.