Why Conveyancers Are the #1 Target for Settlement Fraud in Melbourne
In the world of cybercrime, conveyancers represent an almost perfect target. You handle transactions worth hundreds of thousands to millions of dollars. You communicate primarily by email. And the entire transaction hinges on a single payment made at a specific moment in time — a payment that, once transferred, is extremely difficult to recover.
How Settlement Fund Interception Works
The attack begins weeks before settlement. Criminals compromise either the conveyancer's email account or the buyer's email account — and sometimes both. They monitor all communications, learning the names of all parties, the property address, the settlement date, and the expected amount. In the days leading up to settlement, the attacker sends an email appearing to come from the conveyancer, advising the buyer to use "new bank account details due to a banking issue." The buyer transfers their entire deposit to the criminal's account. Losses in single Melbourne incidents have exceeded $500,000.
Why This Attack Is So Effective
Settlement fund interception works because it exploits the legitimate anxiety buyers feel around settlement. Buyers are already stressed, often moving from their existing home, and they have been conditioned throughout the process to respond promptly to instructions from their conveyancer. The urgency of the transaction — "settlement is tomorrow" — prevents careful verification. And because the email comes from a compromised legitimate account, there is no suspicious sender address to notice.
The Critical Protection: Phone Verification
Implement this rule without exception: no bank account details will be provided or accepted by email only. Any communication about where to send settlement funds must be verbally confirmed on a phone number established at the beginning of the engagement — never a number from an email. This policy should be communicated to clients at the first meeting, documented in your engagement letter, and reinforced at every subsequent contact. Put it in bold in every email: "We will NEVER change bank account details by email. Always call us to verify."
Protecting Your Email Account
Multi-factor authentication on your email account is the most important technical protection. Even if a criminal obtains your password through phishing or a data breach, they cannot access your account without also having your phone. For practices using Microsoft 365 or Google Workspace, additional security controls are available — including conditional access policies that block logins from unusual locations, and email security filters that detect phishing attempts.
DMARC Configuration
Configure DMARC, DKIM, and SPF on your practice's domain. These email authentication protocols prevent criminals from using your domain name in emails to your clients. When properly configured, an email claiming to be from your domain but not sent from your mail servers will be blocked or flagged by the recipient's email system. Many conveyancing firms have not implemented these protocols, making it easy for criminals to send convincing spoofed emails using their brand. These protocols do not stop a message sent from inside a compromised mailbox, which is why the phone verification rule above still applies.
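An added example, not part of the original article or IntrusionX's own tooling: an offline audit of the SPF and DMARC TXT records described above, flagging settings under which spoofed mail is still delivered. The domain and records are constructed placeholders and the function names are hypothetical; fetching the records from DNS is left out, and DKIM is not checked because that requires knowing the selector.

```python
# Added example with hypothetical function names; records are passed in, no DNS lookups.

def parse_dmarc(record):
    """Return the tag dict of a DMARC record, or None if it does not start with v=DMARC1."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        return None
    return {k.strip().lower(): v.strip().lower()
            for k, v in (p.split("=", 1) for p in parts[1:] if "=" in p)}

def audit_spf(txt_records):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: expected exactly one v=spf1 record, found %d" % len(spf)]
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is defined by the redirected domain
        return ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]
    if alls[0] in ("all", "+all"):
        return ["SPF: '+all' authorises every server on the internet"]
    if alls[0] == "?all":
        return ["SPF: '?all' is neutral, unlisted senders are not failed"]
    return []  # '~all' (softfail) or '-all' (fail)

def audit_dmarc(txt_records):
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:
        return ["DMARC: expected exactly one v=DMARC1 record, found %d" % len(parsed)]
    tags, findings = parsed[0], []
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s does not ask receivers to block or flag spoofed mail" % policy)
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s applies the policy to only part of failing mail" % tags["pct"])
    return findings

def audit_domain(apex_txt, dmarc_txt):
    """apex_txt: TXT records at the domain; dmarc_txt: TXT records at _dmarc.<domain>."""
    return audit_spf(apex_txt) + audit_dmarc(dmarc_txt)

# Constructed records for a placeholder domain; not taken from any real practice.
WEAK = audit_domain(["v=spf1 include:_spf.example.net ?all"], ["v=DMARC1; p=none"])
HARDENED = audit_domain(["v=spf1 include:_spf.example.net -all"], ["v=DMARC1; p=reject"])

if __name__ == "__main__":
    print("weak:", WEAK)
    print("hardened:", HARDENED)
```

An empty result means the records ask receivers to enforce; it says nothing about lookalike domains or a compromised mailbox.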
Client Education Is Also Your Responsibility
Beyond securing your own systems, client education is part of your duty of care. Tell clients explicitly at the start of the engagement: "If you receive any email from us providing new or changed bank account details, do not act on it. Call our office immediately to verify." This simple instruction, if followed, prevents the fraud even when your email account is compromised.
IntrusionX specialises in protecting Melbourne conveyancers — we understand the specific threat landscape and have helped multiple practices implement the technical and procedural controls that protect both the practice and its clients. Contact us for a free assessment.
Industry-Wide Awareness
The Australian Institute of Conveyancers, the Law Institute of Victoria, and PEXA have all published guidance on settlement fraud and email security. Being aware of and following industry guidance demonstrates professional diligence and provides useful reference material for staff training. Conveyancers who discuss cybersecurity at their local professional association meetings or share this guidance with colleagues are contributing to collective defence — a practice where the entire industry is more secure because information about attacks and effective responses is shared openly. IntrusionX works with professional associations and individual conveyancing practices — contact us for information about our professional services security programs.