Cybersecurity: Financial scam to watch out for in your emails
IT and cyber crime guru Kathy Sundstrom has revealed the latest scam involving email hacking to alter key details for major financial transactions.
When you have finally managed to save the funds to purchase a home, the very last thing you want to do is send the money earmarked for stamp duty to a cybercriminal.
But this is exactly what happened to a Sydney home buyer.
The home buyer, let’s call him Steven, is one of IDCARE’s clients who contacted us after discovering he had been a victim of what we call business email compromise or payment redirection scams.
It is the compromise of an email account that leads to a person sending money intended for a business to a cybercriminal’s account instead, and it is costing Australians millions each year.
As reflected in the Australian Property Investor magazine this month, the Australian Competition and Consumer Commission’s Targeting Scams Report found Australian businesses lost a staggering $227m to “payment redirection” or business email compromise scams in 2021.
For Steven, it started when he sent the mortgage broker an email asking “what’s the next step” after finalising a contract to purchase the home.
Within hours he received an email back that looked to be from his mortgage broker, telling him he needed to pay the $15,000 stamp duty into a specified Australian bank account.
There were no red flags for Steven. The email address looked correct and even the terminology his mortgage broker normally used had been duplicated by the cybercriminal.
He sent the $15,000 to the nominated bank account.
Luckily for Steven, he phoned his mortgage broker a few hours later to check he had received the payment.
The mortgage broker said he would never ask for payment of stamp duty, and he had no idea what Steven was talking about.
Steven immediately phoned his bank, which advised it would investigate, but it could take days or even weeks for a result.
Steven didn’t have days or weeks. He would lose the property he had his heart set on as he didn’t have a spare $15,000 for stamp duty in another bank account.
Thankfully, this is one story that has a happy ending. Because Steven phoned his bank quickly after making the transaction and because it was a transaction to another Australian bank, he was able to get his money back within days.
Had it been sent to a cryptocurrency wallet, as is often the request from scammers, the money would have been gone.
But how was Steven able to get an email that appeared to be from his mortgage broker? And whose email was compromised?
The mortgage broker advised he had no evidence of compromise at his end and told Steven it was Steven’s email that had been compromised. It’s possible the mortgage broker’s email had been spoofed. Working out who is liable can be a complicated legal matter.
It is a terrifying situation, and it could have been so much worse if Steven hadn’t checked quickly. But there were a few steps he could have taken to prevent the situation from arising.
Firstly, Steven did not have two-factor authentication set up on his email, making it easier for hackers to access his account and potentially see emails he was sending.
Setting up two-factor authentication on your emails and social media accounts is a no-brainer. Just do it. It literally takes two minutes (we have a video on our site that proves this).
This would reduce the risk of unauthorised access to his account, although it would not protect him from receiving emails from external accounts that have been hacked.
Secondly, Steven should have phoned his mortgage broker to check the bank account details were correct.
If you are transferring large sums to a bank account you haven’t used before, it really pays to take this step.
A simple phone call to confirm account details will stop business email compromises from being successful.
Kathy Sundstrom is a former Sunshine Coast Daily journalist who now works at identity and cyber support service IDCARE.
Originally published as Cybersecurity: Financial scam to watch out for in your emails