Although there has been a number of frauds in conveyancing transactions over recent years, an incident involving a former MasterChef contestant hit the headlines over the weekend and has caused a panic in the conveyancing and real estate industry.
Apart from the celebrity aspect, the other thing about this incident which has attracted plenty of attention is that it appears to have been the first fraud perpetrated on Property Exchange Australia (PEXA).
PEXA is a part-private, part-public organisation which conducts settlements of electronic conveyancing online. This method of so-called ‘electronic conveyancing’ is different from the traditional settlement method whereby all parties’ representatives physically attend a settlement room to exchange deeds and bank cheques.
These days, despite some resistance from traditionalists, the majority of conveyancing transactions are now settled electronically. But while there is no doubt that electronic conveyancing will prevail going forward, the question is how best can we protect our clients in this new world?
How’d they do it…?
In the recent PEXA fraud, a fraudster seemed to have hacked into a conveyancer’s PEXA account and changed the client’s account details from what the conveyancer had originally entered to that of their own account.
For all cash transactions, PEXA requires a physical PEXA-key and digital signature to be used at settlement but does not appear to require that level of authentication when changing account details. No doubt that gap will be closed up shortly but a new one is likely to emerge.
The real concern is how the hacker obtained the conveyancer’s username and password because that would be the gateway to further frauds on PEXA. This would appear to have been obtained via an email phishing scam.
My own firm gets targeted by these scams at least weekly. Most of the time, it is quite easy to pick the scams. An email comes from an obscure address, saying they want to sell a property and asking for a quote but not leaving a phone number to call back them on. They also tend to propose transactions where there no other counterparties involved e.g. they propose not to use a real estate agent and say they have no mortgagee on the deal.
We normally ignore those emails, insisting on a phone conversation before moving further. But apparently if the email exchanges continue the fraudsters send a ‘link’ to a site to download containing some relevant legal documents, and clicking on that link allows the hacker to gain access to the client’s email.
From thereon in, they can impersonate the conveyancer by asking for monies from clients and sending bogus account details. We are aware of at least once incident like this in the last year. And now it would appear that they are using this method to acquire PEXA login details.
What to do?
We are constantly monitoring the potential for these kind of risks occurring and thinking of ways to address them. While there is no perfect shield, it does appear that transactions which comprise of solely or mostly email exchanges with clients rather than face-to-face or telephone exchanges are most vulnerable. As a policy in our firm, we will never give out or ask for bank account details via email unless that request is followed up with telephone conversation confirming the same.
The other thing that we recommend to our client is a policy of ‘title insurance’. This is a useful and fairly inexpensive policy which covers a number of risks that pop up in conveyancing transactions including fraud and forgery.And of course, we must all remain extremely vigilant and alert to the fact that fraudsters (as they have done throughout history) will continue to come up with ingenious ways of scamming people.
But as one final thought: what role do the banks have in this? Surely if a payment has been made through an act of fraud to a particular account other than the client, the relevant deposit-holding bank should be able to tell the police who it was who opened the account? Isn’t that why they do their identification checks?