Client Resources | Advice Library | 1300 334 566 |

Hackers steal house deposit: estate agents and conveyancers cyber security

Wednesday, July 08, 2020

Given the recent Australian Government announcement that “a sophisticated state-based actor” has targeted Australian governments and companies, it is essential now, more than ever, that Australian’s are conscious of cyber security.


The Australian Cyber Security Centre (“ACSC”) states that the state-based actor used spear phishing techniques such as, emails with links to malicious files and email tracking services to identify when emails are opened.


In response, the ACSC has recommended governments, corporations and individuals:

  1. ensure security patches are applied to internet-facing infrastructure and that the most updated version of software and operating systems are used; and


  1. use multi-factor authentication to all internet-accessible remote access services (i.e. web and cloud-based emails).



However, it’s not just large corporations and government agencies that are being targeted by hackers – so too are conveyancers.


The recent case of Deligiannidou v Sundarjee [2020] NSWSC 437 exemplifies the importance of maintaining a high standard of digital security and vigilance, particularly in relation to financial information.


The purchasers entered into a contract to purchase a property for $560,000.00 from the vendors on 1 February 2020. The purchasers were required to pay an initial deposit of $1,400.00 by 1 February 2020 and the remaining balance of the deposit being $54,600.00, by 12 February 2020 (“remaining deposit”). The contract specified the deposit was to be paid by cash or cheque, not electronic funds transfer (“EFT”).


The purchasers’ real estate agent (the “agent”) suggested that to secure the property, the purchasers pay the initial deposit into the agent’s trust account. The purchasers transferred the initial deposit via EFT to the trust account. The agent the sent the purchasers a reminder email to pay the remaining deposit to the abovementioned trust account.  

On 9 February 2020 the purchasers received an email (the “fraud email”), from a hacker pretending to be the agent, enclosing different bank account details (the “fraud account”). The hacker also changed the trust account details previously mentioned by the agent in the email chain, to the fraud account details.


On 14 February 2020 the agent notified the purchasers that she had not received the deposit.

The vendors subsequently attempted to terminate the contract for the purchasers failure to pay the remaining deposit.

The purchasers commenced proceedings against the vendor and asserted that pursuant to Clause 25(ii) of the Exclusive Agency Agreement, the agent was authorised to do everything necessary to facilitate the purchase of the property by the purchasers.


The Clause was as follows:

“The Principal acknowledges that, at all material times:…(ii) the Agent acts under the direction, management and control of the Principal to facilitate the real estate transaction between the Principal and the purchaser;”.


The purchaser’s application for interim relief was dismissed, on the following grounds:

  • appointment of an agent does not authorise an agent to bind the vendor to terms with the purchaser;
  • the agent was not authorised to bind the vendor in relation to the deposit, the agent was only authorised to receive the deposit and direct the purchaser to pay the deposit;
  • Clause 25(ii) was merely an acknowledgment by the vendors that the agent acts under their discretion, management and control.  

This case highlights the importance of being vigilant and taking additional steps to maintain digital security, particularly within the real estate industry.


Property Exchange Australia Ltd, also known as “PEXA”, recommends the following best-practice security measures be implemented:

  • “Verbally confirming bank account details with clients and/or utilising PEXA Key for the secure exchange of details;
  • Not using public Wi-Fi for business;
  • Regularly updating your software and completing patching; and
  • Connecting to your company’s VPN where applicable.”

For more information on the Australian Government announcement visit