PEXA and Sympli Security — What Every Melbourne Conveyancer Must Know

Electronic settlement platforms like PEXA and Sympli have transformed property conveyancing in Victoria, making settlements faster and more reliable. But they have also created a new and extremely high-value target for cybercriminals: your platform credentials and the settlement transactions you conduct through them. A compromised PEXA or Sympli account provides access to property transactions worth hundreds of thousands to millions of dollars.

Why Your PEXA and Sympli Credentials Are Valuable

Access to a conveyancer's PEXA or Sympli account provides attackers with the ability to view active transaction details — amounts, parties, settlement dates, and bank account details. In some scenarios, compromised credentials can be used to attempt to modify settlement directions or lodge fraudulent documents. Even read-only access provides attackers with the precise information they need to conduct convincing social engineering attacks against your clients — knowing exactly what a legitimate settlement instruction should look like makes fake ones far more convincing.

How Credentials Get Stolen

The most common methods are phishing emails that mimic PEXA or Sympli system notifications — password expiry notices, security alerts, new workspace invitations — that direct you to a fake login page. Credential-stealing malware installed on staff computers captures login details as they are typed. Password reuse — if you use the same password for your PEXA account as for other accounts that have been exposed in data breaches, attackers may already have your credentials and be using them without your knowledge. And credential stuffing — automated testing of breached credential pairs against PEXA and similar platforms.

The Client Communication Risk

Beyond direct platform access, conveyancers face the adjacent risk of email compromise targeting their client communications. When a conveyancer's email is compromised, attackers can monitor all communications, learn settlement details, and then send convincing fake emails — from the genuine account or a lookalike account — providing fraudulent bank account details for settlement funds. Client losses in individual Melbourne incidents have exceeded $500,000.

What to Do

Enable multi-factor authentication on your PEXA and Sympli accounts immediately — this is available and should be enabled for every user without exception. Use unique, strong passwords for these accounts that are not used for any other service. Be extremely suspicious of any email claiming to be from PEXA or Sympli — navigate directly to the platform's website by typing the URL yourself rather than clicking links. Review who in your practice has access to which workspaces and remove access that is no longer needed. And implement a clear policy that bank account details for settlement transactions will always be verbally confirmed before any funds are directed. IntrusionX can conduct a full security assessment for Melbourne conveyancing practices — contact us for a free consultation.

The PEXA Platform Security Features You Should Enable

PEXA provides security features within the platform itself that every conveyancer should use. These include activity notifications that alert you to any login or action in your workspace, IP restriction settings that limit access to known locations, and session timeout settings. Review these settings in your PEXA account and ensure they are configured for maximum security. PEXA also provides guidance for practitioners on security best practices — their support team can walk you through the available security options if you are not familiar with them.

Incident Response for Conveyancers

If you believe your PEXA or Sympli credentials have been compromised, act immediately. Contact PEXA's support team to flag the potential compromise and temporarily suspend your account if necessary. Change your password and check for any transactions you did not initiate. Contact your PI insurer to document the potential security incident. And contact IntrusionX for immediate incident response support — the actions taken in the first hours after a suspected compromise significantly affect the final outcome. IntrusionX can also help you review and strengthen your conveyancing practice security after an incident.