Payment-redirection fraud in property settlements: who bears the loss, and how to prevent it

Published By:


Gavin McInnes

Founder of GRM LAW

Key Takeaways:

  • The Fraud Succeeds Through Email, Not Encryption: You must treat any change to payment details received by email as a red flag and verify all bank details by an independent phone call to a known number, because criminals compromise email accounts, study the transaction, and send convincing instructions at the exact moment funds are moving.
  • Who Bears the Loss Depends on What Each Party Did: You must document your verification steps carefully, because liability after a redirection is fact-dependent and turns on whose account was compromised, what each party did to confirm the details, and whether anyone was negligent — a careful party is in a far stronger position if a dispute arises.
  • The Recovery Window Is Hours, Not Days: You must contact your sending bank immediately and coordinate a legal response the moment funds are misdirected, because recovery prospects fall sharply once the money has been moved on and the window to freeze it closes fast.
  • A Redirection Is Often a Notifiable Data Breach Too: You must assess your privacy obligations alongside the financial loss, because criminals typically access an inbox full of personal information to run the fraud, which can trigger notification obligations to the OAIC and affected individuals under the Notifiable Data Breaches scheme.
June 11, 2026

Introduction

Few moments in a property transaction are as exposed as the days before settlement. Large sums are moving, multiple parties are emailing back and forth, and everyone is working to a fixed date. That is exactly the window criminals look for. Payment-redirection fraud, driven by business email compromise (BEC), is among the most-targeted scenarios in Australian property, hitting deposits, settlement funds and trust accounts.

When it works, the money leaves before anyone notices. The buyer pays the deposit or balance to an account that looks legitimate but belongs to a fraudster. The agent, conveyancer or developer is left explaining where the funds went, and a fast, coordinated legal and banking response can determine whether the funds are recovered at all.

This article explains how the fraud works, the legal exposure for the parties involved, the immediate steps that matter, and how property developers, funds and agencies can build the contractual and verification habits that materially reduce the risk.

How payment redirection works in a property deal

The mechanics are simple, and that is what makes them effective. The criminal does not need to break encryption or defeat a bank. They need an email account.

A typical sequence runs like this:

  • A fraudster gains access to an email account in the transaction chain, often that of a small agency, a conveyancer, a developer’s sales team or even the buyer’s own inbox, frequently through a phishing email or a reused password that has been compromised.
  • They sit quietly and read. They learn the deal: the property, the price, the settlement date, the names of the people involved and the tone in which they write.
  • At the right moment, they send an email that looks entirely normal, attaching new bank details or claiming the previous account is being audited and asking that funds go elsewhere. The email may come from the genuine compromised account, or from a lookalike domain that is one character different.
  • The buyer pays the deposit or settlement balance into the fraudster’s account. By the time the real recipient asks where the money is, it has been moved through several accounts and often offshore.
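
A sketch of how a mail gateway or a finance team's triage script could screen for the pattern in the sequence above. It is an added example, not part of the original article; the domains, term list and sample messages are constructed assumptions. It flags a sender domain that is a near miss of a known one, and it still holds any payment-details email from a genuine address, because a compromised account passes every domain check.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains already confirmed for this matter (constructed, reserved .example TLD).
KNOWN_DOMAINS = {"smithconveyancing.example", "harbouragency.example"}
PAYMENT_TERMS = ("bank details", "bsb", "account number", "new account", "audited")
MAX_DISTANCE = 2  # 1 = one character different; 2 also catches two swapped letters

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review(raw_message):
    """Return the list of reasons this message needs a hold before payment."""
    msg = message_from_string(raw_message)
    flags = []
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if sender not in KNOWN_DOMAINS:
        near = sorted(d for d in KNOWN_DOMAINS if edit_distance(sender, d) <= MAX_DISTANCE)
        flags.append(f"lookalike of {near[0]}" if near else "unknown sender domain")
    if reply_to and reply_to != sender:
        flags.append("reply-to differs from sender")
    text = f"{msg['Subject'] or ''} {msg.get_payload()}".lower()
    if any(term in text for term in PAYMENT_TERMS):
        # A genuine but compromised account passes the domain checks,
        # so this flag is raised regardless of who the sender appears to be.
        flags.append("payment details mentioned: verify by phone")
    return flags

# Constructed sample messages (not real correspondence).
LOOKALIKE = """From: Settlements <accounts@smithconveyancinq.example>
Reply-To: accounts@smithconveyancinq.example
Subject: Updated trust account

Our usual account is being audited. Please use the new account below.
"""
GENUINE_SENDER = LOOKALIKE.replace("conveyancinq", "conveyancing")

if __name__ == "__main__":
    print(review(LOOKALIKE))
    print(review(GENUINE_SENDER))
```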

A variation targets trust accounts, where criminals impersonate a party to redirect funds that an agency or law practice holds on trust. Either way, the loss can be substantial and the recovery window is short, often a matter of hours.


The legal exposure: who bears the loss

The hardest question after a redirection is who carries the loss, and the honest answer is that it depends on the facts. There is no fixed rule that puts the loss on the buyer, the agent, the conveyancer or the developer in every case.

What a court or insurer looks at includes how the fraudster gained access, whose systems or accounts were compromised, what each party did to verify bank details, what the contract and the parties’ communications said about payment, and whether any party was negligent in the steps it took or failed to take. A party that sent unverified bank details by email, or that ignored a clear warning sign, may find itself more exposed than one that followed a careful verification process. Equally, careful conduct is not a guarantee against loss: depending on the facts and the contract, the loss can still fall on a party that did everything reasonably expected of it. The allocation of loss is fact-dependent, and parties should not assume the money is simply gone, nor that someone else will automatically absorb it.

There are usually several overlapping issues to work through: the contractual position between the parties to the sale; potential claims in negligence; the position of the banks that sent and received the funds; the availability of cyber or professional indemnity insurance; and, where personal information was accessed in the compromise, privacy obligations as well. Getting legal advice early, before positions harden and the recovery window closes, materially improves the outcome.

Immediate response: the first hours decide the outcome

If funds have been misdirected, the priority is to try to freeze and recover the money while it is still traceable, and to preserve the evidence and the legal position at the same time.

Practical first steps include:

  • Contact the sending bank immediately and ask it to attempt a recall, and to alert the receiving bank. The sooner a bank acts, the better the chance of holding funds before they are withdrawn or moved on.
  • Report the incident: Report to police and lodge a report through ReportCyber (the national cybercrime reporting tool), which can support tracing and any later claim.
  • Preserve evidence: Keep the fraudulent emails, headers, bank confirmations and a timeline of who did what and when. Do not delete anything and do not tip off the attacker by replying.
  • Secure the compromised account: Reset passwords, enable multi-factor authentication and check for mailbox rules that may have been quietly forwarding or hiding the criminal’s messages.
  • Coordinate the legal response: Tracing, demands to banks, insurer notifications and any claims between the parties move faster and more effectively when a lawyer is directing them. Where personal information was accessed, the lawyer also assesses whether the privacy and data-breach obligations are triggered.
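
The mailbox-rule check in the list above can be scripted once the rules have been exported. The following is an added example, not part of the original article. It assumes a JSON export whose field names are modelled on the properties Exchange Online's `Get-InboxRule` returns, with forwarding targets simplified to plain addresses; the organisation domain, folder list, watch words and sample rules are constructed.

```python
import json

OWN_DOMAIN = "harbouragency.example"  # assumption: the organisation's own mail domain
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}
WATCH_WORDS = {"invoice", "payment", "bank", "settlement", "deposit", "trust account"}

def audit_rule(rule):
    """Return findings for one inbox rule; an empty list means nothing stood out."""
    findings = []
    for field in FORWARD_FIELDS:
        for address in rule.get(field) or []:
            if not address.lower().endswith("@" + OWN_DOMAIN):
                findings.append(f"{field} sends mail outside the organisation: {address}")
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords") or []}
    if hides and words & WATCH_WORDS:
        findings.append("hides mail about payments: " + ", ".join(sorted(words & WATCH_WORDS)))
    elif hides and rule.get("MarkAsRead"):
        findings.append("silently files mail as read")
    return findings

def audit_mailbox(export_json):
    """Map rule name -> findings for every rule that raised at least one.

    Disabled rules are audited too: a rule the intruder switched off is still evidence.
    """
    report = {}
    for rule in json.loads(export_json):
        findings = audit_rule(rule)
        if findings:
            report[rule["Name"]] = findings
    return report

# Constructed export (not from a real mailbox).
SAMPLE_EXPORT = json.dumps([
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Reading",
     "SubjectOrBodyContainsWords": ["newsletter"]},
    {"Name": ".", "Enabled": True, "MoveToFolder": "RSS Feeds", "MarkAsRead": True,
     "SubjectOrBodyContainsWords": ["Settlement", "bank", "fraud"]},
    {"Name": "backup", "Enabled": False, "ForwardTo": ["archive.box@mailhost.example"]},
])

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_EXPORT).items():
        print(name, "->", findings)
```

Export and review the rules before deleting any of them, so the rule definitions remain available as evidence.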

This is where coordination matters. Banks, insurers, forensic providers and the parties to the deal all need to act in the same direction within a short window, and a lawyer leading that response keeps the steps aligned and the legal position protected.


Prevention: contracts and verification that reduce the risk

Most redirection losses are preventable with two layers: better contract terms and a strict verification process that everyone in the chain actually follows.

On the contractual side:

  • State clearly in the contract and engagement documents how bank details will be provided and verified, and that bank details will never be changed by email alone.
  • Include data-handling and breach-notification obligations in agreements with agents, conveyancers and service providers, so each party knows its responsibilities if an account is compromised.
  • Set out a clear escalation path if a payment instruction looks unusual.

On the process side:

  • Verify bank details by an independent channel: Before paying any deposit or settlement amount, confirm the account details by calling a known, trusted phone number, not a number contained in the email itself, and never act on changed details without that call.
  • Treat any change to payment details as a red flag: A request to send funds to a new or “temporary” account, or claims that the usual account is being audited, should stop the payment until verified.
  • Train the people who handle funds: Sales teams, finance staff and trust-account operators should know the pattern and the verification rule, because the fraud succeeds by exploiting urgency and trust.
  • Harden the email environment: Multi-factor authentication, phishing-resistant settings and monitoring reduce the chance that an account is compromised in the first place.

We treat these measures as legal-risk reduction, not just IT hygiene. A party that took reasonable steps to verify payments and secure its systems is in a far stronger position if a dispute over the loss arises later.


The privacy angle, and why agencies are under more scrutiny

A redirection is rarely just a payments problem. To run the fraud, criminals usually access an inbox full of personal information: buyers’ and investors’ names, contact details, financial information and identity documents. If that information is accessed without authorisation, the incident may be a notifiable data breach as well as a fraud, with obligations to assess the breach and, where the serious-harm threshold is met, to notify the OAIC and affected individuals.

Real estate agencies should also note that the regulator is paying closer attention to the sector. The Office of the Australian Information Commissioner began its first proactive privacy compliance sweep in January 2026, examining around 60 organisations across six in-person sectors, including real estate agencies. The clear signal is that agencies are expected to be able to demonstrate how they collect, hold and protect personal information, not just react after something goes wrong.

How GRM LAW helps

GRM LAW advises property developers, agencies, conveyancers and property funds on both prevention and response. We run our cyber practice as a legal program, not an IT service: privileged breach response when an incident hits, and the contracts, verification processes and governance that reduce the risk beforehand. Our property and agency Vertical Cyber Program delivers a gap assessment, a policy and contract build, and quarterly reviews built around how property transactions move money, ensuring your business is protected against evolving payment-redirection threats.

For response, our incident response coordination brings the banks, insurers, and forensic providers together under one legal lead so the recovery effort stays fast and well directed. The practice is supervised by founding partner Gavin McInnes, an Accredited Specialist in Business Law, and is run by the same partners who already structure property deals for our clients. If you want to pressure-test how your transactions move money, contact GRM LAW’s cyber and privacy lawyers for a 30-minute scoping call.


Disclaimer: This is general information only and is not legal advice. For advice on your circumstances, contact GRM LAW.
