The Australian conveyancing industry should be alert to the alarming countrywide increase in invoice scamming, with business email compromise fraud costing unwary consumers $22 million in the past eight months.
According to the consumer watchdog, the ACCC (Australian Competition and Consumer Commission), 27,698 false billing scams were reported to Scamwatch between January and September this year – a staggering 95 per cent jump from the same period last year – with criminals focusing on big purchase items such as renovations, cars and properties.
Scamwatch statistics show email fraud accounted for the most losses in false billing scams, with $17.5 million stripped from 10,000 unwary online victims, including first-home buyers Simon Elvins and his wife.
The couple, who spent 10 years saving for a deposit for their million-dollar dream home in the Blue Mountains of NSW, were in the final stages of settlement when they fell victim to a hacker’s convincing email in May this year.
The email – purportedly from their conveyancer – contained correct information, including the trust account and account name that matched the conveyancing company they had engaged.
The Elvins had no idea the email – asking for $274,311.57 to complete their upcoming settlement – had, in fact, come from a cybercriminal.
“It all looked fine,” said Elvins. “So, I paid it in two amounts, because the amount was too large to do in one go.”
Elvins told Australian Conveyancer Magazine he did receive an email from the conveyancer confirming receipt of one payment. However, that claim has been denied by the conveyancer.
“We don’t know whether that email came from the scammer or not,” he said. When there was no news on the progress of the settlement after a week, he contacted his real estate agent and the conveyancer, who both claimed they had not received any payment from him.
Then, when the real estate agent provided the couple with the correct account information, Elvins started to smell fraud. “I thought, ‘This account doesn’t look the same as the last one. Maybe they’ve got two accounts’ … the realisation that we had been scammed became quite clear,” said Elvins, who believes scammers must have hacked his conveyancer’s emails to concoct the fraudulent invoice.
Elvins contacted his bank, Westpac, immediately. Their fraud team contacted NAB – the scammer’s bank – but it was too late. A week had passed since Mr Elvins had transferred the settlement funds and the couple only managed to recover $270.72 of their savings.
They had been scammed for more than a quarter of a million dollars but estimate their aggregate losses will be closer to $825,000 when extra mortgage payments, more monies borrowed and other costs, including legal fees, are accounted for.
“Business email compromise is very prevalent, and conveyancers are particularly vulnerable,” Shameela Gonzalez, the director, strategy and consulting FSI Lead at CyberCX, told Australian Conveyancer, adding there are mitigating strategies all conveyancers should put in place.
“In the conveyancing business, I would look at urgency. What could a cybercriminal say to your customer that would make them panic and not think things through and require them to make a payment immediately? What could the criminal threaten them with that would make a customer feel like there’s a need to not exercise their better judgement? That’s the thing that will result in direct financial loss.”
Gonzalez said the pecuniary losses to a conveyancer and their clients would be just the start of the damage business email compromise can cause.
“It’s the reputational damage that is really hard for organisations to come back from,” she said.
“If customers don’t feel like they can trust you anymore, they are not going to come back to you.” Which is certainly the case for Simon Elvins.
“I’m angry with the legal system, with the banks and the process of buying properties,” said Elvins, who is furious his conveyancer had no cybercrime insurance.
“There is also no recourse, with complaints to AFCA (the Australian Financial Complaints Authority) and NSW Fair Trading claiming my complaint was out of their jurisdiction.
“I want my money back. We have been through hell.
“We are first-time buyers. The conveyancer should have held our hands and taken us through all the pitfalls. They should have insisted we call them and double check any bank details before we transferred any money.”
Gonzalez advised conveyancers to tell every client to always double- and triple-check any request for funds transfer – by phone or face-to-face – to ensure all account details are correct and corresponding before making a payment.
Meanwhile, the ACCC has been calling for the banks to introduce “confirmation of payee” – a system already adopted in the UK and Europe – to help stop the problem of business email compromise.
Some banks have started implementing their own measures to help mitigate the risks. CommBank has introduced NameCheck, which compares account details with names and highlights potential differences, while Westpac uses Verify, which presents customers with a scam risk rating when entering a new payee for the first time.