Scammers, fraudsters and devastated victims: part 1 of an API Magazine crime series

It used to be enough to install an alarm and lock the door of a business so you could sleep well at night knowing intruders couldn’t get in.

But as an increasing number of buyers, real estate agents, conveyancers and solicitors are learning, scammers are not only opening their digital doorways but stealing vast sums of money from right under their noses.

The ACCC (Australian Competition and Consumer Commission) Targeting Scams Report released this month found Australian businesses lost $227 million to payment redirection scams in 2021, a 77 per cent increase compared to 2020.

Recouping funds is rare and the experts warn everyone can assume there is a scammer ready to redirect funds from legitimate transactions, into their own bank accounts.

Rachel Falk, CEO, CSCRC

“It sounds very paranoid but you do have to be paranoid,” Cyber Security Cooperative Research Centre CEO and one of Australia’s foremost cyber security experts, Rachael Falk told Australian Property Investor Magazine.

“Nowadays what I would be doing with a real estate agent or a law firm is ringing them up and I’d also make sure I ring their number, not the number on an invoice emailed to you, because that could be hacked too,” Ms Falk said.

In a payment redirection scam, scammers impersonate a business or its employees via email and request an upcoming payment be redirected to a fraudulent account.

“Property transactions, by their very nature, are for many of us are the largest single biggest transaction we’ll ever do in our lives so it really matters where you’re sending money to and making sure it arrives safely,” Ms Falk said.

“Often deposits are sent to the lawyer to be held in trust and a hallmark of being scammed is if there’s a sudden change in bank details.

“Even if it’s not a property transaction you will suddenly find that the details of the supplier, the vendor you’re dealing with, or a third party, will change.”

Nat Anderson, IDCare’s Support Team – Cyber First Aid Identity Security Operation Centre representative, is an expert in identity theft and cyber security.

“From an identity point of view, real estate agents are a very attractive target to scammers, both for the value of material they hold on individuals such as rental applications, and also for the value of potential transactions that may be susceptible to business email compromise (BEC) and payment redirections,” he said.

An IDCare client, ‘Bob’* (not his real name) was in the process of purchasing a property.

“He emailed his broker for the banking details and received an email back (within the ongoing email thread), with bank account details to transfer the stamp duty of $15,000.

“He duly paid the money and it wasn’t until speaking to the broker later that day that his broker said no email had been received and the bank account details were not his.

“It turned out Bob’s email had been compromised and the scammers were aware of the impending transaction and struck at the appropriate time, but luckily in this case the banks were alerted and the transaction blocked,” Mr Anderson said.

Unfortunately, that’s not always the outcome.

John (not his real name) is another IDCare client who owns a strata management company.

“He had an ongoing relationship with an engineering firm and had previously made regular payments.

“The engineering firm sent an email to the strata accounts department informing them of a change to their banking details.

“The accounts department paid the next invoice of $200,000 to the new account. It wasn’t until a week later when the engineering firm sent a reminder invoice that the scam was discovered.

“John had cyber security insurance however the policy specifically excluded business email compromise and the money was unable to be recovered,” Mr Anderson said.

So, who is at fault?

Farrah Motley, Legal Principal, Prosper Law

“The only time when the business is actually liable for business email compromise is if they’ve been negligent in protecting their business systems,” explained Prosper Law legal principal Farrah Motley.

“Even more so if it’s occurred before and they don’t do anything and it happens again and again.

“So, they might have had insufficient password protection, lack of antivirus software, saving passwords that are easily accessible, using insufficient cyber security techniques; do they have two-factor authentication? No; Do they have an external agency monitoring their systems? No.

“It’s like there’s a chain of failure and they’re almost acting like you don’t care, then you’ve got a problem,” Ms Motley said.

Once a problem is identified, time is of the essence.

“There’s often quite a delay between when the problem actually happens and when someone’s taking the time to investigate.

“Everyone tends to spend a long time blaming each other but by that time, the digital trail that might allude to who was at fault, or whose systems have been compromised, is often lost,” Ms Motley said.

“As an example, Outlook is usually one of the culprits in the chain of compromise.

“It might have a retention rule that says, we’re going to keep the backend email records for 30 days, or whatever it is, and if you don’t jump on to that quickly, that 30 days has expired, and then you’ve lost the ability to get a conclusive answer, so, you really have to jump onto the investigation quickly,” she said.

“Because it’s an international problem, once the money’s gone, that’s it.”

Masks and spoofs

It’s not always money that’s at stake.

A franchise office of a major real estate organisation was hit by a ransomware attack last year that was brought to IDCare’s attention. As part of the attack, the ransomware group infiltrated sensitive data from the real estate office and published it on the dark web.

“Details published included sensitive corporate information such as the entire internal password collection of all staff along with hundreds of applications for rental properties with full name, email, phone numbers, current and previous addresses, bank details and other personal identifiable information (PII) exposed.

“Aside from the cost of trying to regain the IT network, the organisation also had to manage the data breach, with the associated cost and reputational damage,” he said.

On the occasion a business is not negligent, there are two techniques that could be at play.

Spoofing involves scammers finding a business email online and mimicking it closely.

“It might have a dot in the wrong place, or an extra letter somewhere and they’re pretending to be the agent and a customer doesn’t pick up on it,” Ms Motley said.

Alternatively, it could be masking.

“There might be a random email address from Russia and then they put a mask over it and it looks like the legitimate business email.

“You can’t tell unless you go into the email coding that it’s not actually coming from that email address.

“In that case it’s not the business’ fault and it’s not the customer’s fault so neither has legal rights against the other but unfortunately no one’s at fault except the scammer and nobody can find the scammer,” Ms Motley explained.

Nowhere to turn

CSCRC’s Ms Falk says the law is not necessarily on the consumers’ side.

“Unfortunately, as a buyer, the current condition is you need to satisfy yourself that you’re paying the money to the right entity.

“My advice to people is take the time, check with the real estate agent before you pay them, ring their front office up but not the number on the invoice sent to you, because again, that could be hacked; make sure you’ve got all the details and speak to someone there who knows the accountant or finance person.

“Make sure your settings are up to date on your email, make sure you have up to date antivirus, that you do check emails that come into you, that you do check the sender’s address and other giveaway clues, check punctuation, check spelling,” Ms Falk said.

“Remember in these kinds of things email is not your best friend, be suspicious of emails with bank details but be super suspicious of emails with bank details that have changed quickly and unexpectedly,” Ms Falk advised.

Ms Motley said since covid hit, the incidence of BEC has “exploded”.

“It’s almost scary how easy it is.

“I do think the government could be doing more to educate people and really get into people’s faces about this.

“Of all the people I know in my professional capacity who might have experienced business email compromise, it might not be significant amounts of money, but it is significant to them and there’s just no recourse, there’s no-one there to help you.”

Do you think you’ve been scammed?

1. Report the incident to ReportCyber.
2. Secure any compromised accounts.  
3. Alert other employees and clients. 
4. Domain names are your internet mail address and your online business identity. If your company has been impersonated, reach out on ReportCyber.  
5. If someone is using an email service to impersonate you (like Gmail or Outlook.com), report this to the provider. 

Source: Australian Competition and Consumer Commission

Prevention

• Enable two factor (2FA) or multi-factor authentication (MFA) on email accounts and call the relevant parties to verify bank account details for large transactions.
• Ensure your organisation has an up-to-date cyber security policy with appropriate controls, such as password managers and 2FA/MFA enabled.
• Ensure a policy of calling clients/businesses to confirm any bank/account changes. When taking out cyber security insurance, check the policy details to make sure business email compromise/email redirection payments are included.