Cyber-scammers cashing in

11 October 2022

It’s not just homeowners and investors who have benefited from Australia’s recently booming property market. Scammers have been pocketing millions from rising house prices, duping both unsuspecting agents and vendors.

Real estate businesses have long been an attractive target for cybercriminals. One breach can open the door for hackers to steal a treasure trove of personal and financial information. And sophisticated schemes involving phishing, ransomware and malware have evolved to a point where breaches are now harder to detect than ever before.

Data shows that cyber-attacks have ramped up since the onset of the COVID-19 pandemic, coinciding with the transition to remote work. And while proptech in the real estate space may be increasing productivity, proper systems are needed to reduce the risk of data security breaches.



Hackers appeal

Real estate agents may handle large volumes of money, but it’s the way that they conduct their business that’s the drawcard for cybercriminals.

According to the Australian Competition and Consumer Commission, scammers are more easily able to intercept large one-off payments between parties because they don’t have a previous business history.

“Consumers involved in these transactions may be unfamiliar with each other’s way of speaking, business processes and payment details, so may be less likely to spot oddities in communications,” an ACCC spokesperson said.

Australians lost more than $2 billion in scams in 2021, which was more than double the amount recorded during the previous year. And among the types of fraud on the rise is payment redirection, also known as business email compromise, which causes havoc for businesses, including real estate businesses.

How does it work? Cybercriminals hack into a business or customer’s email account and send a payment request – usually one legitimately owed – which is unknowingly then paid into a fraudulent bank account.

Comparing property sector payment redirection scams reported to Scamwatch in the first half of 2022 with those in the first half of 2021, losses have risen 124.4 per cent from $1.2 million to $2.7 million. The number of reports in the same period has also risen 40.5 per cent from 37 cases in the first half of 2021 to 52 in the first half of 2022. Only a fraction of scams are believed to ever be reported, so the real figure could be far higher than current statistics suggest.

The ACCC strongly encourages anyone who is the victim of a cybercrime – such as a payment redirection scam – to contact ReportCyber for referral to and possible investigation by police.

“As agents, we’re in a position to take steps to protect consumers and, in doing so, enhance our services and build trust in the real estate process.”

Peter Matthews

Founder and CEO of Realtair

Risk factors

While it’s easy to assume the biggest players in the real estate industry are more likely to suffer from a cyber-attack, in fact it’s small to mid-size businesses with fewer defences that are more often targeted.

John Minns, the former NSW Property Services Commissioner, believes the threat is as large as the number of real estate agents who operate in the country.

Like most businesses, the property industry is heavily reliant on email for communication, which makes businesses more susceptible to phishing or inadvertently opening a malicious attachment, thereby crippling internal systems.

“With the right level of awareness, in almost every case, an agent who knows what they’re doing will recognise the scam for what it is and won’t click on the link or won’t send to the wrong address,” Mr Minns said. “However, I’ve seen incidents where a deposit was not only sent once to the wrong address, but actually sent to the wrong address twice – even with the buyers, banks and lawyers involved! And it’s unrecoverable.

“Empowering digital innovation and proptech is key to the real estate industry’s future, but the challenge is ensuring a proper framework of protection,” he said. “If cybercriminals see opportunities, they can and will go after them. Anywhere there’s a potential weakness or grey area, there will always be someone looking to exploit it.

“It’s not a matter of agents becoming tech experts. It’s knowing what the risks are, and putting systems in place and training staff to ensure that risk is lowered to the most acceptable level it can be.

“Further, agencies should ensure that any agreements they sign with tech providers ensure their clients’ interests and rights are protected, so the agency is not taking on potential risks that should sit with the provider.”

Combating the problem

It’s often more than one breach that makes a business vulnerable to an online attack, but lack of knowledge is no longer an excuse.

NSW Fair Trading requires all licensed agents to undertake mandatory training in best practices for cyber security in the current CPD year. It’s hoped that this will reduce the risk of fraudulent activity in the industry. And while this CPD unit takes just one hour to complete, it covers the key areas of concern, including passwords, identifying scams, securing a website and ensuring a safe environment for remote employees.

Peter Matthews, REINSW President and Founder and CEO of Realtair, who has been delivering the CPD unit to REINSW members, urges agents to be vigilant to protect both their business and customers.

“This CPD unit is not just about learning password management,” he explained. “What it really highlights is that we’re representatives of both buyers’ and sellers’ funds, yet we don’t have any control of the cyber security of any of these customers.

“We could have all these great measures in place internally, but the scary part is a lot of this fraud isn’t happening within real estate businesses. Rather, it’s happening in the customers’ homes. Their email is being intercepted or their computer is being taken over, and some of these cybercriminals are acting as customers.”

One way agents can disempower hackers is to take transactions off channels such as email and phone, and instead use encrypted platforms. Not only are these platforms far more secure and infinitely less vulnerable to cyber-attacks, but they also offer convenience and transparency to consumers.

“As agents, we’re in a position to take steps to protect consumers and, in doing so, enhance our services and build trust in the real estate process.”

“Multi-factor authentication is just one piece of a critical plan to secure your organisation’s network and data. Integrating these technologies is important, but should not be relied upon as the only way to prevent malicious cyber-attacks.”

Martin Boyd

Director of Vertex Cyber Security

Lines of defence

Cyber-attacks aren’t easy to detect, but agencies can make it harder for cybercriminals.

Two-factor or multi-factor authentication is seen as the best way to combat the threat because it adds an additional layer of protection to online accounts. In addition to a username and password, it requires a code to be entered. This is commonly sent via text or SMS to a mobile phone, which acts as a digital fingerprint.

And while this extra step can seem like a chore, it’s becoming a necessity for security.

Martin Boyd, Director of Vertex Cyber Security, said agencies need to be agile as cyber threats are always evolving. This includes adopting security infrastructure to accommodate the shift between hybrid and remote work, which has become more popular since the pandemic.

Research shows that with brute force attacks, a standard eight-character password can be cracked in eight hours, even where that password includes numbers and special characters. As a result, he recommends passwords that are at least 12 characters long.

“With the growing popularity of multi-factor authentication on work devices, hackers have taken notice and are attempting to exploit vulnerabilities in these systems,” Mr Boyd said.

“There are some very good systems out there – but, unfortunately, they’re not all foolproof and we’ve been contacted by companies who have had their multi-factor authentication compromised in circumstances where their phone number was transferred to the hacker’s phone.

“So multi-factor authentication is just one piece of a critical plan to secure the network and data of your business. Integrating these technologies is important, but should not be relied upon as the only way to prevent malicious cyber-attacks.”

Staying ahead of the next scam

Never ones to miss a beat, cybercriminals are now targeting Australia’s tight rental market.

In an alarming trend detected by the ACCC, hackers are advertising fake rental properties and duping those desperate for a property.

“Such listings require tenants to pay deposits upfront, almost always without the ability to tour or view the property,” the spokesperson said. “In particular, they may promise to mail the keys to the property to the victim after receiving payment.”

Agents can play a role in alerting customers to the importance of signing a lease with a proper agent and doing their due diligence, such as checking the street address and not paying their deposit upfront.

5 ways to boost cyber security

1. Data back-up

A must for all businesses. Multiple back-up methods are advised, with daily back-ups to a portable device or cloud storage. In addition, data should be backed up at the end of each week, quarterly and yearly. External drives should also be stored off-site, in case of a break-in or damage such as fire or flooding. If backing up to a cloud system, it’s advisable to use encryption when transferring and storing data. This converts data into a secret code before it’s sent over the internet.

2. Security software

Computers, laptops and mobile devices should all have cyber security software installed, including anti-virus, anti-spyware and anti-spam filters. These are in addition to a firewall that protects a business’s internal system from incoming and outgoing information from the internet. Employees will still need to be cautious about opening a spam email or clicking on a link that can expose the business to viruses and malware.

3. Passphrases

Have trouble remembering your computer password? A passphrase could be a solution. Passphrases are not only easier to recall but harder for cybercriminals to hack, as they contain more than 10 characters. A passphrase uses a string of words – like a sentence – to allow authentication. It must also include spaces, special characters and punctuation. But, just like passwords, choose something that isn’t easy to guess.

4. Two-factor or multi-factor authentication

This works by adding an extra layer of security to accounts. After adding a username and password, a person must also verify who they are by providing an additional piece of information. This could be a personal identification number (PIN), keystroke pattern or answers to a ‘secret question’. It might also require an ID card, security token or a code to be sent to a mobile device or email. In advanced systems, it might include a fingerprint, iris scan or voice recognition. This security process has become a popular way to better protect users and resources.

5. Penetration testing

Think your security systems are impossible to crack? Businesses can employ cyber experts to perform an authorised attack on their system, just as a hacker would do. Penetration testing highlights vulnerabilities and provides solutions to strengthen security. Testing needs to be done properly, as it may expose the business to some risks, such as exposure to sensitive material and system crashes.

For more information go to


CPD COURSE – Cyber Security and Fraudulent Activity

Want to learn more about cyber security? Enrol in the Cyber Security and Fraudulent Activity CPD course.

You’ll learn:

  • Best practice for cyber security
  • Ways to identify and reduce the risk of fraudulent activity
  • How to strengthen security when making and using passwords
  • Use of security systems to protect login details
  • How to identify phishing emails and the risks they pose
  • How to protect trust accounts and IT systems from future attacks

CPD hours: 1 hour of Compulsory CPD

Duration: 1 hour

Format: Online or face-to-face

Assessment: Multiple choice questions

Register today at
