Posted on 15 Jun 2018 by Valerie Jones



An email hacking scam has been reported to be targeting real-estate-related businesses, including agents, conveyancers, lawyers, and builders.

In just three incidents in 2017 and early 2018, buyers lost over a million dollars.

A woman lost almost $560,000, and another buyer paid $100,000 for stamp duty, but the money went to the scammer's account.

A buyer in Grafton earlier this year lost about $500,000.

This is more sophisticated than simple "phishing" emails. It involves actually intercepting emails that are sent.

The scammer sits "between" the sender and recipient, intercepts emails, then alters the BSB and Account numbers, and sends the emails on their way.

They have been particularly targeting agents and their clients, builders, lawyers, and conveyancers.

In some cases the emails were intercepted and altered, and the recipient did not receive the original email. But in most cases, people received duplicate emails within a few minutes of each other, with the second one altered to show the wrong BSB and account.

The correct sender's email address sometimes appears as the "sender" of the email. So while that should be checked, it is not a reliable indicator of a genuine email.

Just a few days ago, Orange landscaper Jason Munday sent $4,000 to the wrong account because of this scam.

He said he received a supplier's quote in his email inbox. But then he received another quote, purportedly from the same source, 14 minutes later. The second one had altered account information.

When he and his wife later set out to pay the supplier, they saw the second email first, and sent the money to the wrong account.

The Australian Consumer and Competition Commission (ACCC) said variations of this scam have been going around the last few years.

According to Mr Munday, the second email looked "exactly" the same as the original one, except for the altered account information. The scammer's account was in Western Australia.

He reported it to the police, and said the bank informed him there was a good chance his money could be recovered.

Consumer Affairs Victoria (CAV) warns businesses and people making large purchases to be very suspicious if they receive what appear to be duplicate emails.

Before making a payment, it is a good idea to call the person you are paying, and verify the BSB and Account numbers to make sure you are paying into the correct account.

Do not use contact information in the email (such has replying to the email or using a phone number in the email) to verify its validity. It could go straight to the scammer.

CAV offers these tips to help ensure safe payments:

•  Consider setting up a two-step verification process with your email accounts. This requires a user to provide more than one type of proof that they are authorised before they can access an account.

•  Do not use obvious passwords. Change your passwords and other verification details regularly.*

•  Do not share your email address online unless you need to. Consider setting up an email address just for online transactions, and another for communicating privately with clients and customers.

•  Be wary of duplicate emails. This is the most common and simpler form of the scam.

•  Be wary of emails claiming the payee has changed their account details. Contact the payee personally (by phone using your own contact information) to verify any such claims.

•  Contact your bank immediately if you have reason to think you have been scammed.

The scam has been growing into other types of businesses, but real estate transactions often involve a lot of money so it is a favorite industry for this type of deception.


* Despite common advice about passwords, this author was once at a seminar in which the Microsoft security expert on stage said:

"It is possible to set up a security policy requiring users' passwords to be at least 12 characters long, contain upper- and lower-case characters, at least one numerical digit and one 'special character'. And then require them to be changed every 10 days.

"Is that policy secure?"

Everyone shouted "Yes!"

He replied, "No. Once you do that, everyone will write their password down on a post-in note so they can remember it, and stick it to their monitor. And everyone walking past will know what it is."

The moral of the story is that trying too hard to implement policies to make you more 'secure' can actually make you less. There is a proper balance if you can find it.