Protecting your real estate business from scam activity and fraud

21 June 2023

As technology and internet capabilities advance, it is crucial for real estate businesses to understand the ways in which they can prepare and protect personal and financial information to keep their business, clients, and tenants safe.

Fraud can arise in many forms, including through email correspondence and attachments, e-signed leases, electronic use of documents, and online banking. Agencies and their staff are increasingly susceptible to high-tech fraud that is more difficult to detect.

Agencies are facing ‘business email compromise’ (BEC) scams in Australia

Cybercriminals are targeting the property and real estate sector to conduct business email scams. Everyone involved in the buying, selling, and leasing of property must be vigilant when communicating via email, particularly during settlement periods. The Australian Cyber Security Centre (ACSC), which leads the Australian Government’s efforts to improve cyber security, has observed that this targeting is a growing trend in Australia.

In a BEC scam, cybercriminals pose as legitimate businesses to send fraudulent emails to their customers or clients. In a property-related BEC, cybercriminals unlawfully gain access to emails or impersonate businesses to deceive individuals attempting to buy, sell or lease property.

Western Australia Consumer Protection has reported that in the past two days, WA ScamNet received one report from a real estate agent who advised they’d lost a total of $43,080, and two reports from settlement agents who lost a total of $64,468.28. The targets were tricked into transferring trust account funds by scammers posing as the bank.

The ACSC has issued a medium alert on its website warning the property industry of an increase in BEC scams targeting the real estate industry.

Cybercriminals will impersonate parties to a property transaction (such as real estate agents or conveyancers) and insert illegitimate bank details for settlement or rental payments. Victims assume this request is legitimate and will unknowingly send payment to the cybercriminal’s bank account.

The ACSC website contains useful information that assists all businesses in protecting their data and information from attacks and fraudulent activities.

The role of policies and procedures

All agencies need to have policies and procedures in place to ensure that all the data they collect is stored correctly and protected. These policies and procedures should cover:

  • Password requirements

  • Email security

  • Device security and use of personal devices

  • Transferring data

  • Working remotely

  • Acceptable uses

  • Security requirements

  • Disciplinary action

Protecting the personal information of clients

Australians have high expectations of businesses, including real estate agencies, when it comes to adequately protecting their personal information and data. All agencies, regardless of size, have an obligation to keep their data private and secure. This ensures agents and business owners are operating ethically, helps to build trust, and upholds the reputation of the individual and the agency.

Non-compliance and breaches in relation to data privacy can result in:

  • Potential severe financial penalties – the Federal Court can impose fines of up to $2.1 million per contravention

  • Compensation payments

  • Loss of revenue

  • Reputational damage

  • Loss of client trust

Consider the personal and sometimes sensitive information that a real estate agency stores and holds. Cybercriminals seek to steal any personal detail such as an individual’s name, signature, address, telephone number, date of birth, bank account details, and commentary or opinion about clients and customers.

What types of scams are out there?

Hackers can be computer experts, malicious computer criminals, or both, and they use a range of methods to hijack your computers and access the data. Hackers are not always external to the agency; they can sometimes be internal, such as agency staff, contractors, or ex-employees whose access has not been disabled.

The following are the common hacking methods in use today.

  1. Intrusion: Unauthorised individuals or organisations trying to gain access to computer systems to steal information

  2. Malware – Virus/Worm/Trojan Horse: Programs that infect your machine and carry code that can destroy the data on the computer or device or allow the intruder to take control of any device

  3. Phishing: The practice of using email, SMS, robocalls, or fake websites to lure you into providing personal information

  4. Spyware: Software that sends information from your computer to a third party without your consent

  5. Spam: Programs designed to send a message to multiple users, mailing lists, or email groups to elicit personal information or account details. Spam often presents in the form of unsolicited emails or phone calls in an attempt to get you to buy something or share private information.

  6. Ransomware: Normally loaded onto a computer via a download, attachment, or link from an email or website. This software is designed to restrict users from accessing their computer or device, and is followed by a demand for payment for the software to be removed. Once ransomware is uploaded to your computer, tablet, or phone, it is very difficult to remove it without removing all the data. Solution: if you see a pop-up, press Ctrl + F4 on your keyboard to close it.

  7. Public Wi-Fi: Remember these may not be trustworthy. They could share your information with other companies that operate in countries without any data protection. You may not know who is watching you whilst you’re online.

  8. Insecure or illegitimate websites: While making sure the sites you visit are secure is important, you should also be sure that a site is legitimate before entering a username, password, or any other personal information. Paying close attention to the site’s URL in your browser’s location field, for example, can help you be certain that you are on a legitimate site rather than an imposter or cloned site.

Agents can subscribe to updates from Australian cyber security agencies (see resources below) to stay up to date on new and emerging scams.

Training, education and promotion of cyber security

Enrol with us to complete online, self-paced cyber security training with your team.

Did you know that here at The Australian Real Estate Training College, we offer online, self-paced continuing professional development (CPD) training around Cyber Security and Fraudulent Activity? Even if your state or territory does not require registered agents to complete CPD to maintain a real estate licence or registration, we highly recommend enrolling to complete the short course.

The courses below have been developed under federal law and apply to all states and territories.

Topics covered include:

  • Protecting yourself and your agency

  • Understanding risks and vulnerabilities

  • Protecting the personal data of your clients

  • Password security

  • How to identify scams

  • Secure websites

  • Working remotely

  • System backups

  • Security software

  • Training, education and promotion of cyber security

  • Essential cyber security techniques

No matter what your role is in an agency or which agency you work for, cyber security today is relevant to every single person. It doesn’t matter what security infrastructure you have: if you do not take steps to safeguard against human error or mistakes, you will have a breach, and hackers not only understand this, they also rely on it.

Cybersecurity is everyone's business! Cyber security is not a task that can be marked off a to-do list. Many staff do not worry enough about cyber security because they think it is the job of the IT department or licensee in charge (LIC). The best way to promote cyber security is to start at the top with the LIC and managers. LICs can create change in the agency and in the attitude of staff, but they must first know and understand the importance of data and information security.

State, territory, and Australia-wide resources for businesses

Victoria (Consumer Affairs Victoria):

Tasmania (Consumer, Building and Occupational Services):

Western Australia (Department of Mines, Industry Regulation and Safety):

Northern Territory (NT Consumer Affairs):

When in doubt about anything relating to the security of data held by your agency, call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).