Context: The perfect storm for deposit scams

Australia’s property market is a prime target for payment fraud because settlement flows are high-value, time-bound and often coordinated over email. Public guidance underscores the threat: Moneysmart warns that “scammers will look at the latest market and investment trends for opportunities,” and the Australian Securities and Investments Commission (ASIC) has flagged sophisticated invoice fraud where criminals “mirror” legitimate business details to redirect funds. During the pandemic, rental scams spiked as fraudsters demanded upfront deposits sight unseen — a playbook now recycled against buyers and investors during conveyancing. The University of Sydney points to the broader backdrop: more than 200,000 scam reports were lodged with the ACCC in 2022, signalling both scale and momentum.

Operationally, the weak points are clear: intercepted email threads between agents, conveyancers and buyers; spoofed invoices with altered account numbers; SMS impersonation of trusted contacts; and rushed, end-of-week settlements that compress checks. For agencies and conveyancers, the business impact is twofold — potential legal exposure and a reputational hit that can depress listings and buyer conversion.

Decision: Treat safe settlement as a commercial strategy

In early 2024, a mid-tier Australian real estate group (composite case, reflecting sector guidance from ASIC/Moneysmart) reframed payment security as a growth lever. The executive team launched a “Safe Settlement” programme with three mandates:

• Reduce deposit-redirection risk through process redesign and layered controls.
• Make security visible to clients as a trust feature, not hidden plumbing.
• Quantify ROI in avoided losses, insurer outcomes and conversion uplift.

The decision criteria were classic business-case hygiene: measurable risk reduction, minimal friction at critical customer moments, and a path to insurer premium benefits.

Implementation: A layered control stack that buyers actually use

The programme replaced ad hoc email attachments and last-minute instructions with a hardened, data-led workflow:

• Verified payment rails and escrow checks: Buyers received account details only via a secure portal; no payment information was emailed. Payment accounts were verified against independently sourced contact numbers for the receiving firm (not numbers in the email thread) and reconfirmed on the day of transfer.
• Compulsory call-back protocol: Any request to change bank details triggered a call-back to a pre-validated landline or primary mobile listed in the engagement letter. Staff used numbers sourced from the firm’s website or ASIC Connect registers, not from the message.
• Email authentication and domain hygiene: The group implemented SPF, DKIM and a strict DMARC policy to reduce spoofing. Staff were trained to spot lookalike domains and suspicious reply-to headers.
• Secure document delivery: Contracts and invoices moved to a client portal with one-time codes and activity logs. PDF invoices removed embedded account numbers; the portal displayed account details only after multi-factor authentication.
• Anomaly alerts: Lightweight rules-based monitoring flagged language shifts (urgent tone, after-hours changes), unusual payee names, and mismatches between invoice metadata and client records.
• Human-in-the-loop approvals: Two-person sign-off for issuing or amending account details; audit trails retained for insurer and legal defensibility.
• Client education as a product feature: Every buyer received a one-page checklist — never trust emailed account details, always call a verified number, and never accept last-minute changes without the portal prompt. This reframed security as part of the premium service.

Technically, nothing exotic — but the strength was in orchestration and making the secure path the easiest path.

Results: The economics of stopping a single bad transfer

To quantify returns, the executive team built a model anchored to conservative assumptions (illustrative; calibrate to your data):

• Throughput: 1,000 transactions per year
• Average deposit: A$70,000 (example only; often ~10% of purchase price)
• Attack attempt rate: 1% of transactions affected by targeted redirection efforts
• Success rate without controls: 10% of attempts
• Success rate with controls: 2% of attempts (80% reduction)
• Programme cost (year 1): A$180,000 (portal/licensing, training, admin time, DMARC rollout)

Expected loss without controls = 1,000 × 70,000 × 1% × 10% = A$700,000/year.
Expected loss with controls = 1,000 × 70,000 × 1% × 2% = A$140,000/year.
Loss avoided ≈ A$560,000/year.
ROI (year 1) ≈ (560,000 − 180,000) ÷ 180,000 ≈ 211%.

Secondary effects included fewer settlement delays (fewer disputed transfers), improved insurer stance on cyber cover excesses, and a measurable marketing edge: the group’s “Safe Settlement” positioning featured in listing presentations and social proof. While uplift will vary, internal tracking noted shorter sales cycles in segments where trust is a top-3 decision factor.

Market context and regulatory signals

Public agencies are sharpening guidance. ASIC’s May 2024 alert on fake bond and term deposit scams highlights how criminals “mirror” legitimate business addresses and branding — the same playbook now applied to conveyancing invoices. Moneysmart’s advice remains unequivocal: “Scammers will look at the latest market and investment trends for opportunities,” which today include digital property transactions and self-directed investing. For SMSF trustees eyeing direct property, the government’s Moneysmart portal also flags the rules, costs and risks — relevant because concentrated exposures can magnify the impact of a single misdirected payment.

On the innovation front, the National AI Centre (NAIC) is tasked with helping industry unlock AI’s economic benefits, while the National AI Plan outlines pathways to adoption. The regulatory conversation is equally live: legal analyses caution that overly rigid controls can chill innovation. The strategic takeaway for agencies is pragmatic — deploy risk-based, explainable AI (for anomaly detection and identity verification), but keep human checks at decision gates.

Technical deep dive: What actually stops the fraud

Deposit redirection is a business email compromise (BEC) variant. Controls that matter most:

• Channel integrity: Never share payment details over email or SMS. Use a portal with MFA and activity logging.
• Out-of-band verification: Validate account details by calling independently sourced numbers. Lock this into policy.
• Identity and brand protection: Enforce DMARC at p=reject, monitor for lookalike domains, and retire dormant domains attackers could exploit.
• Payment confirmation: Where available, use payee name-display features and small-value test transactions before full transfer.
• People and process: Train for social engineering cues; simulate attacks quarterly; require two-to-authorise any change to bank details.

The art is balancing friction. Security that adds 60 seconds but removes ambiguity pays for itself at the first prevented misdirection.

Lessons: A playbook for principals and boards

• Make trust a product: Market secure settlement as a core benefit; don’t bury it in terms and conditions.
• Codify the last mile: Most losses happen at the final instruction change. Hard-gate any variance with call-backs and dual approvals.
• Close the email gap: DMARC plus a client portal eliminates the riskiest behaviours (PDF invoices with bank details).
• Measure what matters: Track attempted redirections, escalations, training completion, and time-to-settle. Tie to insurer conversations.
• Collaborate: Align protocols with conveyancers, lenders and buyers. Shared checklists reduce weakest-link risk.

Future outlook: The trust dividend for early adopters

Generative AI will supercharge impersonation (voice clones of conveyancers, flawless brand mimicry). The counter is layered verification, visible client education, and explainable AI for anomaly detection. Early movers can bank a trust dividend — higher conversion, lower disputes, tighter insurer terms — while laggards will absorb rising fraud costs and brand damage. With national AI initiatives supporting responsible adoption, and regulators focused on outcomes, the competitive line is clear: institutionalise safe settlement now, or compete on price against firms that compete on trust.