Cyber scammers have figured out that the Australian real estate industry is a potential gold mine for social engineering attacks, according to Alex Tilley, a senior security researcher at SecureWorks.
Tilley, formerly a senior technical analyst at the Australian Federal Police, told CIO Australia that scammers posing as real estate agents and law firms are sending fake invoices asking customers for payment. He said many victims do not realise they have been scammed until the actual invoice from the agent comes through.
Tilley said it was an increasing problem but could not provide a figure on the number of agencies that had been affected. He said scams started getting more common in Australia in the last half of 2017 but had been going on for a couple of years overseas.
In 2016, an LJ Hooker agency in Kallangur in Queensland was the victim of a cyber scam when a property manager opened an email purporting to be from an energy retailer. Once the email was opened, ransomware executed, bringing down the agency’s 30 computers and a server.
Last October, two property buyers in South Australia lost almost $1 million after falling victim to scammers using bogus email details to pose as conveyancers.
“Crooks are going to where the money is and have figured out there’s a lot of money involved in real estate transactions and [cyber] protections that are placed on them aren’t exactly top notch,” said Tilley. “They [crooks] get in the middle of transactions and take the invoices. The [real estate] industry isn’t ready for it.”
Tilley said there have been a “couple of cases” where scammers gained access to emails through Outlook and it was only due to bad spelling that agents knew something was wrong.
“Somehow crooks gain access to the email addresses of real estate agents who are using only single factor authentication. They get access and will typically wait for 30 days or so for the logs to roll and start reading the emails to figure out which deals the agent or conveyancer is involved in. They will figure out the timing of the deal and inject themselves into the email chain purporting to be one person or another,” he said. “The first thing you know, you’re getting an email saying you have breached your contract because the money has not been sent.”
Tilley said that, like banks, real estate agents and conveyancers are great targets because they transfer large amounts of money at any one time.
“The use of bank cheques can help, but more and more we are moving towards a digital economy and we can’t use older technology for security control.”
He recommended that people confirm bank details by phone before completing transactions.
“It’ll add two minutes to your day but could save your customers hundreds of thousands of dollars.”