The scammers’ first email to Kelly and her husband came in the small hours of the night, while they were sleeping.
“Due to an ongoing bank audit on our account,” the email read, “please see attached our subsidiary trust account details for payment of a $25,000 deposit.”
- Property settlement scams are becoming more common as home prices rise
- Scammers or real estate agents hack email accounts to impersonate and collect money intended for home deposits
- Experts say poor cyber security, as well as banks’ failure to verify account names, have made Australia a target
The email address seemed legitimate – it was from a real estate agent.
Kelly and her husband, both young engineers and “tech-savvy”, were on the receiving end of buying a house in Western Australia.
And so the next day, Kelly’s husband sent his heard earnings to a scammer, and never saw that money again.
Property settlement scams are becoming more common as home prices rise and scammers turn their attention to large and often lightly guarded funds that potential buyers are transferring to the trust accounts of real estate agents and conveyors.
Known as “payment redirection,” this is part of a class of scams called “business email compromises,” where criminals hack into an employee’s email account and then, impersonating that employee, create their own Send a payment request, substituting bank account details.
Victims are individual home buyers or small business owners for whom the consequences of a lost deposit are disastrous.
Six months later, Kelly and her husband have yet to tell their parents or their friends that they have been cheated on.
“It’s been very, very stressful,” Kelly said.
Real estate scams on the rise in 2022
According to national data, many other people are also falling in the grip of this scam.
Australian Competition and Consumer Commission (ACCC) Scamwatch receives an average of two reports per week of payment redirection scams in real estate.
March 2022 alone saw 14 reports – the highest figure in 15 months.
“Twenty-five reports were made this year, which is a 25 percent increase over the same period in 2021, and losses this year increased by 186 percent to $1.8 million,” an ACCC spokesperson said.
NSW, which has the most expensive property market in the country, accounted for three-quarters of the $4.3 million lost through the scam nationwide from January 2021 to the end of March 2022.
Chris Tyler, chief executive officer of the NSW division of the Australian Institute of Conveyors (AICNSW), says buyers are being targeted.
The fraudsters have also used payment redirection to scam the stamp duty, which a consignor intended to transfer to the state’s revenue, he says.
“Because the value of property transactions is so high, all parties in the transaction are being targeted: real estate agents, mortgage brokers, carriers.
“Half the time deposit could be a couple million dollars.”
‘House prices have gone up’
The Sydney law firm of Clyde & Company’s cyber incident response team handles several business email settlement (BEC) incidents each week.
“We’ve seen growth in the last three or four months,” said Reece Corbett-Wilkins, a member of the response team.
Although less “sexy” than ransomware, BEC is just as big a problem, he says.
Clyde & Company saw a 150 percent increase in reported BEC incidents from 2018 to 2021.
In some cases, the loss is huge – a client of a client misdirected a recent $750,000 transaction.
Mr. Corbett-Wilkins said, “Houses have gone up in value. There is a lot of cash flowing into the real estate sector.”
The nature of real estate transactions, which involve multiple parties and often do not have much cyber security, makes them a favorite target of scammers.
“These attacks are highly sophisticated,” he said.
“You have this combination of factors that all come together and you think, well, it’s ripe to choose.”
Scam continues even after money transfer
After Kelly’s husband sent $25,000 to scammers, the scammers kept in touch via email, maintaining doubts long enough to clarify the transfer and clear the doubts.
“I will issue a copy of my trust receipt once the funds are in our account,” he wrote back to the couple.
At the same time, scammers were emailing real estate agents, using an address that was identical to that of Kelly’s husband, to reassure them that home deposits were on their way.
The couple only reported the fraud to him a week later, when the real estate agent asked them to make a deposit.
Until then, the money had been transferred to another Australian bank account, and from there to a cryptocurrency exchange, where it was converted into bitcoin.
“That’s what stopped our bank — they said we couldn’t take it any further,” Kelly said.
“We’re still waiting for the police – it took them several months to say they were looking into it.”
Where are the scammers located?
The FBI has coordinated a number of global operations with national police agencies such as the AFP to disrupt BEC plans.
Most of the arrests have been made in the United States and Nigeria.
A 2018 report by cyber security company CrowdStrike also pointed to cybercriminals in Nigeria, including a “formidable criminal organization” known as the “Black X”.
According to the report, Black X has “developed a hierarchical, inter-state organization while at the same time maintaining cult-like tendencies” and its gangs “run a number of organized crimes such as prostitution rings, human trafficking, human trafficking”. Undertakings include drug trafficking, grand theft, money laundering, and email fraud/cybercrime.”
The report reads:
Petty Nigerian criminals – often referred to as the Yahoo Boys – are said to have started their scamming careers while graduating from university.
There are thousands of undergraduates in Nigeria who participate in online fraud, and it is estimated that there are approximately 5 million online scammers in the Lagos region.
Novices usually begin with variations on the classic “Nigerian prince” email scam – attempting to entice victims to part with payouts with the promise of a return on this investment at a later date.
They then graduate to BEC scams, operating either as individuals or within groups, and using malware such as keyloggers to steal passwords and compromise email systems.
“Ransomware tends to be in regions like Eastern Europe, Russia, Estonia,” said Mr. Corbett-Wilkins.
“BEC scams are more frequent in parts of Africa and continental Asia.”
What can I do to protect myself?
In response to the rise in real estate scams, carriers, brokers and agents are being taught to reduce the risk of payment redirection, for example, by not sending requests for transfers via email.
But industry training by itself is not enough, Mr. Tyler said.
“It’s about trying to educate moms and dads in the community,” he said.
The ACCC has the following suggestions:
- Before sending money, especially for large transactions, always check that the account details are correct by calling the person you are paying through a number that you have freely received
- If you receive a request that creates a sense of urgency, don’t be hasty. Take the time to consider and check whether an email is genuine, including carefully looking at the sender’s email address.
- If you have received a request to change payment details, always contact the organization using the contact details instead of the contact details provided in the email.
- If you have been a victim of any scam then contact your bank as soon as possible.
Mr. Corbett-Wilkins has similar advice, and also recommends two-factor authentication for your email account (and your online accounts in general).
He said that even if you have been cheated, your bank may be able to get the money back before it is transferred out of reach.
“You have three days where if you act, [there are] There are high chances that you will get the money back,” he said.
Banks accused of failing to protect customers
Besides education, there is another relatively simple solution that will prevent many payment redirection scams.
If Kelly’s bank had noted that a customer was transferring $25,000 to an account number (the scammer) that did not match the account name (the real estate agent), it could have blocked the transfer.
Banks is dragging its heels on this, Mr Tyler said.
“Banks need to start verifying account name versus account number,” he said.
“If we have a strong identity of an individual at the time of opening the account, you can verify against him/her.”
The ACCC has recommended account name verification to the Australian Securities and Investments Commission (ASIC), the corporate regulator.
In February 2020, it recommended ASIC to examine a validation model, which will be rolled out in the UK next month:
Where other jurisdictions make it more difficult for scammers, Australian consumers and businesses are at increased risk of being prime targets for scammers.
Banks have argued against such a system, saying that excessive checking of account names would block legitimate transactions.
There are no signs that Australia will follow Britain’s lead anytime soon.
The current review of the ePayments Code by ASIC, a voluntary code of practice for banks, does not include the possibility of name verification for scam prevention.
Even after months, the memory of the scam stings
Back in Western Australia, Kelly and her husband paid another $25,000 to buy the original home.
“We love it, but it definitely ruined the house a little bit for us,” she said.
If the police is unable to recover the money, they are contemplating legal action against the real estate agent.
“Ultimately the blame is on the scammer, but the agent runs a business and there should be that kind of protection,” Kelly said.
“They were probably hacked for months and the hackers were waiting.
“It was scary and smart at the same time.”