Email Security · 26 July 2025 · 7 min read

Cyber Security for Real Estate Agents: Stopping the Scams That Target Property Transactions

Settlement fraud and payment redirection scams are devastating Australian property buyers — real estate agents and property managers need to know how these attacks work and how to stop them.


Real estate agents and property managers sit at the intersection of high-value transactions, time pressure, and multiple parties exchanging sensitive information. That combination makes the property industry one of the most actively targeted sectors for cybercrime in Australia — and the consequences for victims can be catastrophic.

This post is for principals, sales agents, property managers, and conveyancers who want to understand the specific threats targeting their industry and what they can do to stop them.

Why Real Estate Is a Prime Target

Think about what a property transaction involves: large sums of money (often hundreds of thousands of dollars) moving between multiple parties under tight deadlines, with bank details exchanged via email, and everyone under pressure to get to settlement on time. That's a perfect environment for fraud.

Criminals specifically target real estate transactions because the financial gains per successful attack are enormous — a single redirected settlement payment can net an attacker more than many businesses earn in a year. And the time pressure of settlement means victims often don't realise something is wrong until the funds have already moved.

The #1 Threat: Settlement Scams and Payment Redirection Fraud

This is how a typical settlement scam works:

  1. An attacker compromises the email account of a real estate agent, conveyancer, or solicitor — often through a phishing attack or by guessing a weak password on an account with no MFA
  2. The attacker monitors the inbox silently for days or weeks, reading emails about upcoming settlements
  3. Just before settlement, the attacker sends an email — appearing to come from the agent or conveyancer — telling the buyer that bank account details have changed and providing new (fraudulent) account numbers
  4. The buyer, trusting the email because it looks legitimate, transfers their deposit or settlement funds to the fraudulent account
  5. The money is moved quickly through multiple accounts and is often unrecoverable

The email looks convincing because it often comes from the real account (after it's been hacked), uses correct names, and references real details about the transaction. Buyers have no reason to be suspicious.

Australian buyers have lost their entire deposit — and in some cases their full settlement funds — to this scam. The financial devastation is compounded by the fact that the property transaction still needs to proceed, often leaving victims without funds to complete.

Property Management Threats

Settlement fraud isn't the only risk. Property managers face their own specific threats:

  • Owner bank detail changes: An attacker impersonates a landlord and emails the property management team to change the bank account rent is paid into. The same verification principles apply — never change bank details based on an email alone.
  • Rental scams: Fraudulent listings or fake tenancy applications designed to harvest personal information or money from prospective tenants — which can reflect poorly on your agency.
  • Unauthorised access to property management platforms: If your Console Cloud, PropertyMe, or Rex CRM account is compromised, an attacker can access owner and tenant personal information, financial details, and property records at scale.

Key Controls Every Agency Needs

The Golden Rule: Never Confirm Bank Details by Email Alone

This is the most important thing you can implement, and it costs nothing. Establish a firm agency policy: any communication involving bank account details — whether new details or a change to existing details — must be verbally confirmed by phone before any funds are transferred. Call back on a number you already have on file, not a number provided in the same communication as the bank details.

Put this policy in writing and train every person in your agency on it. Put it in your email signature on relevant communications. Tell your clients about it so they expect it. Make it a standard part of your settlement process.

MFA on Email and All Platforms

The most common way settlement fraud begins is through a compromised email account. Enable multi-factor authentication on your agency's email accounts (Microsoft 365 or Google Workspace), your property management software, your CRM, and DocuSign or any other platforms you use. This alone dramatically reduces the risk of your account being used as the entry point for fraud.

Email Security: DMARC and DKIM

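DMARC, DKIM, and SPF are email authentication standards that make it much harder for attackers to impersonate your agency's email domain. Ask your IT provider or email administrator to configure all three for your domain. This helps receiving mail servers reject emails that appear to come from your agency but don't actually originate from your mail server. These standards do not stop a message sent from a genuinely compromised mailbox, which is why MFA and phone verification remain necessary alongside them.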

Train All Staff on Payment Verification

Your settlement fraud policy only works if everyone follows it. Make payment verification procedure part of onboarding for new staff, and revisit it at least annually. Role-play the scenario — what does a fraudulent bank detail change email look like? What do you do when a client calls to ask why you're asking to verify their details? Preparation removes hesitation at the critical moment.

What Buyers and Sellers Should Know

Consider adding a short note to your agency's settlement communications advising buyers and sellers never to transfer funds based solely on an email — and to call your office directly on the number from your website (not a number in the email) if they receive any communication about bank details. This sets expectations and gives clients a framework to protect themselves even if your systems are compromised.

Settlement fraud is a severe and growing threat to Australian property buyers. The real estate industry has the ability to significantly reduce its impact by implementing consistent verification procedures and securing the email systems that criminals rely on exploiting.

Frequently asked questions

What is settlement fraud and how does it target property buyers in Australia?

Settlement fraud — also called payment redirection fraud or conveyancing fraud — is when a criminal intercepts email communications between a buyer, their real estate agent, their conveyancer, or their solicitor, and substitutes fraudulent bank account details for the legitimate ones. The buyer transfers their deposit or settlement funds to what they believe is the correct account, but the money goes to the attacker. Australian buyers have lost hundreds of thousands of dollars in individual incidents. The attack works because property transactions involve large transfers and multiple parties exchanging bank details by email, which is an inherently insecure channel.

How can I verify bank account changes from clients without calling them back on the number they gave me?

This is exactly the right question to ask. If a client emails you new bank details and includes a contact number in that same email, you can't trust that number — the attacker may have provided it. Instead, call back on a number you already have on file from a previous interaction, from your CRM record, or from a document they provided before the suspicious email arrived. If you don't have a prior number, ask the client to come into the office in person to confirm the change, or verify through a separate channel they control (such as a video call). Never rely solely on a phone number provided alongside a bank account change request.
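The call-back rule from the "Golden Rule" section and the answer above can be enforced as a check in a payment workflow. This is an added example, not code from the original post or from any property platform: the function names, the CRM record shape (a list of number and date-recorded pairs), the phone numbers, and the email text are all constructed assumptions.

```python
import re
from datetime import date

# Constructed sample data (hypothetical client, numbers and email text).
REQUEST_DATE = date(2025, 7, 20)
REQUEST_BODY = ("Hi, our trust account has changed. New BSB 000-000, "
                "account 00000000. Call me on 0491 570 156 to confirm.")
ON_FILE = [("+61 491 570 110", date(2025, 3, 1)),   # taken at listing
           ("0491 570 156", date(2025, 7, 21))]     # added after the email

# Loose matcher for phone-like digit runs in an email body.
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{7,}\d")


def normalise_au(number):
    """'+61 491 570 110' and '0491 570 110' both become '0491570110'."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("61") and len(digits) == 11:
        digits = "0" + digits[2:]
    return digits


def check_callback(email_body, email_date, called_number, numbers_on_file):
    """Decide whether a phone confirmation counts as verification.

    numbers_on_file: (number, date_recorded) pairs from the client record.
    Returns (approved, reason).
    """
    called = normalise_au(called_number)
    # Only numbers recorded strictly before the request arrived are trusted.
    trusted = {normalise_au(n) for n, recorded in numbers_on_file
               if recorded < email_date}
    if called in trusted:
        return True, "confirmed on a number held before the request"
    in_email = {normalise_au(m) for m in PHONE_RE.findall(email_body)}
    if called in in_email:
        return False, "number was supplied in the same email as the bank details"
    return False, "number not on file before the request: verify in person or by video call"
```

Normalising formats before comparing matters because the same number can be written with or without the `+61` prefix, and the date check catches a contact record that was updated only after the request arrived.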

Am I liable if a client loses money in a settlement scam involving my email?

This depends on the specific circumstances and is ultimately a legal question your insurer and solicitor would need to assess. However, if the fraud was made possible because your email account was compromised due to poor security practices — such as no MFA, a weak password, or an unpatched system — you may face professional and legal exposure. Real estate agents have a duty of care to clients, and failing to implement basic email security measures could be considered a breach of that duty. Cyber liability insurance is strongly recommended for all agencies, and you should confirm your policy covers business email compromise incidents.

Tags

real estate, settlement fraud, payment redirection, property managers, BEC, conveyancing