TL;DR

  • Real estate is a high-value fraud target: Property transactions involve the largest single payments most Australians ever make — settlement funds of $500,000–$5M are regularly wired based on email instructions, making real estate and conveyancing the highest-loss sector for payment redirection fraud in Australia.
  • Trust accounts and rental bonds create unique cybercrime exposure: Real estate agencies hold client trust accounts containing tenant bonds, deposit funds, and settlement amounts. A single trust account compromise can result in hundreds of thousands of dollars in client losses and immediate regulatory action from Fair Trading/Consumer Affairs.
  • Rental application fraud is surging: Real estate agencies receive rental applications containing identity documents (passport, driver's licence, payslips) that are extremely valuable to identity thieves — and agencies often store these insecurely or retain them longer than needed.
  • Privacy Act compliance is mandatory: All real estate agencies with turnover above AUD $3 million must comply with the Privacy Act — and agencies that handle tenancy data are often subject to state tenancy legislation that imposes additional obligations around data security.

Why Real Estate Businesses Are Cybersecurity Targets

Australian real estate agencies and property management businesses occupy a uniquely exposed position in the cybercrime ecosystem. They facilitate the largest transactions in most people's lives — property settlements regularly involve wire transfers of $500,000 to $5 million based on email instructions from conveyancers, agents, and solicitors — while operating with security practices that are often inadequate for the risks they carry. Payment redirection fraud targeting property settlement is one of the highest-loss cybercrime categories in Australia: attackers compromise a real estate agency's or conveyancer's email, then intercept settlement instructions to redirect funds to attacker-controlled accounts. By the time the fraud is discovered — typically when a buyer settles and the genuine seller does not receive funds — the money has been moved through multiple international accounts with no recovery path. Losses per incident regularly range from $200,000 to $2M.

Beyond settlement fraud, real estate agencies hold extraordinary volumes of personal information: rental applications containing copies of passports, driver's licences, payslips, bank statements, and references for every applicant — not just successful tenants. This identity document collection is a goldmine for identity thieves, and the data is often stored indefinitely in shared email inboxes or unsecured cloud drives without proper access controls. The Office of the Australian Information Commissioner (OAIC) consistently includes real estate and property services among the sectors receiving breach notifications — and rental application data breaches represent an emerging enforcement priority given the sensitivity of the identity documents collected.


The Top 3 Cybersecurity Threats for Real Estate

1. Payment Redirection Fraud and Conveyancing Scams

Payment redirection fraud targeting property transactions is the most financially devastating cybercrime for Australian real estate businesses. The attack is elegantly simple: attackers compromise the email account of a real estate agent, conveyancer, or solicitor involved in a property transaction, then monitor email communications until a settlement is imminent. They then send a convincing email — from a compromised legitimate account, or a spoofed domain — with "updated banking details" for the settlement funds. Buyers, sellers, or their conveyancers transfer hundreds of thousands of dollars to attacker-controlled accounts believing they are completing a legitimate settlement. The fraud is typically discovered when the genuine payee (seller, vendor's conveyancer) follows up on a late payment. By then, funds have been transferred internationally and are unrecoverable. The Australian Banking Association and ACCC have both documented this fraud pattern extensively, with real estate and conveyancing consistently the highest-loss sectors. A single fraudulent conveyancing email can result in losses that exceed an agency's annual revenue. Real estate agencies are legally responsible for the security of their email systems, and contributing to a settlement fraud through inadequate email security can result in civil claims from affected clients.

2. Trust Account Compromise and Rental Bond Fraud

Real estate agencies operating trust accounts — holding rental bonds, deposit payments, and settlement funds on behalf of clients — are regulated entities under state-based Property and Stock Agents Acts. A cyber-attack that compromises trust account banking details or the agency's accounting software can enable fraudulent withdrawals, redirection of tenant bond refunds to attacker-controlled accounts, and manipulation of trust account records. The consequences are severe: state fair trading regulators (NSW Fair Trading, Consumer Affairs Victoria, etc.) can immediately investigate trust account irregularities, freeze operations, and impose serious disciplinary penalties including licence cancellation. Principal licensees are personally liable for trust account compliance and may face civil action from affected tenants and landlords. In a variation of trust account fraud, attackers target property management agencies by compromising a landlord's email account and then sending "new banking details" to the agency — redirecting future rental income to the attacker. Monthly rental payments of $2,000–$5,000 may be redirected for months before the landlord notices a non-payment and investigates.

3. Rental Application Identity Data Theft

Every rental application processed by an Australian real estate agency contains a rich collection of identity documents: passport or driver's licence copies, payslips, bank statements, employment letters, and references. For a large property management agency processing 500+ applications per year, this represents an enormous stockpile of identity documents with indefinite data retention — often stored in email inboxes, shared drives, or agency management software without encryption or proper access controls. This data is extraordinarily valuable to identity thieves, who can use it to: open fraudulent credit accounts and loans, access government benefits, apply for passports in stolen identities, and conduct ATO fraud using stolen TFN and payslip combinations. A single breach of a property management agency's application database can expose the identity documents of thousands of rental applicants. Under the Privacy Act, collecting and holding this data creates obligations — APP 4 (unsolicited personal information), APP 5 (notification of collection), APP 11 (security of personal information), and APP 11.2 (destruction or de-identification of data no longer needed) — that many agencies do not currently meet.


Compliance Requirements for Real Estate

Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)

Real estate agencies with annual turnover above AUD $3 million must comply with the Privacy Act, including APP 11 (security of personal information) and the Notifiable Data Breaches (NDB) scheme. Critically, agencies that collect identity documents as part of rental applications must also comply with APP 11.2 — which requires destroying or de-identifying personal information that is no longer needed for the purpose for which it was collected. Many agencies retain rental application documents indefinitely, creating unnecessary data liability. The Privacy and Other Legislation Amendment Act 2024 (effective 11 December 2024) increased maximum penalties to AUD $50 million for serious or repeated breaches.

State Property and Stock Agents Acts

Each state and territory has legislation governing real estate agent licensing and trust account management. In NSW, the Property and Stock Agents Act 2002; in VIC, the Estate Agents Act 1980; in QLD, the Property Occupations Act 2014. These Acts impose strict obligations around trust account management, audit, and security. A cyberattack that results in trust account irregularities is a regulatory matter as well as a cybersecurity matter, and can trigger immediate licence suspension or cancellation.

State Tenancy Legislation

Residential tenancy legislation (the Residential Tenancies Act in each state) governs the handling of bond money and imposes obligations around data handling in tenancy transactions. Rental application information collected under tenancy legislation must be used only for the stated purpose and must be secured appropriately.

Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF) — AUSTRAC

Real estate services — including real estate agents who receive payments for the purchase of property — are designated services under the AML/CTF Act 2006. From 31 July 2026, real estate agents will have expanded AML/CTF obligations including customer due diligence, transaction monitoring, and suspicious matter reporting. AUSTRAC compliance requires secure record-keeping of customer identification and transaction data, adding another dimension to data security obligations for the sector.

Cyber Security Act 2024

From 30 May 2025, real estate agencies with turnover above AUD $3 million must report ransomware payments to the ASD within 72 hours.


The lilMONSTER Security Checklist for Real Estate

  1. Implement a mandatory verbal verification process for all payment instructions — No settlement payment, banking detail change, or trust account transfer should be actioned based solely on an email instruction. Any request to change payee banking details must be verified by calling the requesting party on a phone number already on record — not a number provided in the email. This single control prevents the majority of settlement fraud and trust account fraud.

  2. Enable MFA on all email accounts — especially principal and settlement-related accounts — Email compromise is the primary mechanism for both settlement fraud and trust account fraud. Enable MFA on Microsoft 365 or Google Workspace for every agency email account. Configure anti-phishing and impersonation protection. Use separate email domains for settlement communication that are strictly guarded.

  3. Implement a data retention policy for rental applications — and delete what you don't need — Rental application documents should be retained only as long as legally required. For unsuccessful applicants, delete identity documents within 30 days of the decision. For successful tenants, retain only what is required for the tenancy relationship. Use a secure document management system with encryption at rest, not shared email inboxes, for application document storage. This dramatically reduces your data breach liability.

  4. Secure your property management software with role-based access controls — Platforms like PropertyMe, Palace, Inspect Real Estate, and Console Cloud hold your entire client and property universe. Enable MFA on all accounts, apply role-based access so staff see only the properties and clients they manage, and immediately revoke access when staff leave. Review and audit access permissions quarterly.

  5. Train all staff on payment fraud and email security — tailored to real estate scenarios — Real estate-specific phishing training should include: fake settlement instruction emails, landlord banking detail change fraud, and rental application data handling. Property managers and principals who handle financial transactions should receive training quarterly, not just annually.

  6. Configure email security to flag external domain impersonation — Many real estate settlement frauds use domains that closely resemble the agency's own domain (e.g., "realestateco-au.com" instead of "realestateco.com.au"). Configure your email security gateway to flag or block emails from domains that closely resemble your own domain. Microsoft 365 and Google Workspace both provide this capability in their business security plans.

  7. Conduct annual cybersecurity assessments and register AML/CTF obligations — Review your security posture annually, with specific focus on payment process controls and rental application data security. If your agency handles property purchase transactions (not just rentals), confirm your AML/CTF obligations with AUSTRAC and implement required customer due diligence processes before the July 2026 deadline.
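Checklist item 6 in working form, as an added example that is not code from the original article or from lilMONSTER: a small Python check that reduces a sender's domain to its brand label and flags anything that embeds or sits within a couple of edits of the agency's own brand, so "realestateco-au.com" is caught against "realestateco.com.au". The agency domain, trusted-sender list and sample From: values are constructed assumptions; the suffix and character-fold tables are deliberately short and should be extended for your own domain.

```python
import re

# Constructed assumptions: the agency's own domain and the sender domains it
# already trusts. Replace these with your own values.
AGENCY_DOMAIN = "realestateco.com.au"
TRUSTED_DOMAINS = {"realestateco.com.au", "conveyancingpartner.com.au"}

# Public suffixes stripped before comparison so only the brand label is compared.
SUFFIXES = (".com.au", ".net.au", ".org.au", ".com", ".net", ".org", ".co", ".au", ".io")

# Character substitutions commonly seen in look-alike domains, folded to the
# letter they imitate.
FOLDS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def brand_label(domain: str) -> str:
    """Reduce a domain to its brand part: lowercase, drop the public suffix,
    remove dots and hyphens, then fold look-alike characters."""
    d = domain.strip().lower().rstrip(".")
    for suffix in SUFFIXES:
        if d.endswith(suffix):
            d = d[: -len(suffix)]
            break
    d = d.replace(".", "").replace("-", "")
    for bad, good in FOLDS:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the domain of a From: value such as 'Jane <jane@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def assess_sender(address: str, agency_domain: str = AGENCY_DOMAIN,
                  trusted: set = TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a sender as 'trusted', 'lookalike' or 'external'."""
    domain = sender_domain(address)
    if not domain:
        return "external"
    if domain == agency_domain or domain.endswith("." + agency_domain) or domain in trusted:
        return "trusted"
    ours, theirs = brand_label(agency_domain), brand_label(domain)
    # Flag if our brand label is embedded in theirs, or is within a couple of edits of it.
    if ours in theirs or levenshtein(ours, theirs) <= max_distance:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample From: values for a dry run.
    for addr in ("settlements@realestateco.com.au", "Conveyancer <office@realestateco-au.com>",
                 "office@rea1estateco.com.au", "buyer@gmail.com"):
        print(f"{assess_sender(addr):9s} {addr}")
```

A "lookalike" result is a reason to hold the message for verbal verification (item 1), not proof of fraud: legitimate partner firms with similar names should be added to the trusted list rather than waved through.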


How Much Does Cybersecurity Cost for a Real Estate Business?

Prevention costs for a mid-sized Australian real estate agency (5–30 staff):

  • Email security with MFA (Microsoft 365 Business Premium): AUD $4,000–$15,000 per year.
  • Property management software security hardening: AUD $1,000–$5,000 one-time; included in platform subscription maintenance.
  • Staff training (payment fraud + data handling): AUD $2,000–$6,000 per year.
  • Annual security assessment: AUD $3,000–$10,000.
  • Total annual investment: AUD $10,000–$35,000 for a solid security baseline.

The cost of a single settlement fraud event typically ranges from AUD $200,000 to $2M — often exceeding an agency's entire annual revenue. Trust account fraud that triggers a fair trading investigation can result in licence suspension, forcing the agency to close immediately. Professional indemnity claims from affected clients can run for years. Cyber insurance for real estate agencies (AUD $3,000–$10,000 per year) is strongly recommended and is increasingly required by professional indemnity insurers as a condition of coverage.


FAQ

For a small real estate agency (under 10 staff), a solid security baseline costs AUD $5,000–$15,000 per year. The most critical and cost-effective controls — MFA on email accounts and a verbal verification process for payment changes — cost almost nothing to implement and prevent the most financially devastating attacks. Cyber insurance (AUD $3,000–$8,000/year) is also strongly recommended given the scale of potential losses from a single settlement fraud event.

Payment redirection fraud targeting property settlement is the most financially devastating threat — a single fraudulent settlement instruction email can result in losses of $500,000–$2M with no recovery path. The solution is deceptively simple but must be non-negotiable: verify any change to payee banking details by calling the requesting party on an existing phone number before transferring any funds. No exceptions, regardless of stated urgency.

ISO 27001 is not currently mandatory for Australian real estate agencies, but it is a relevant framework for large agencies managing significant volumes of personal data (rental applications, tenant records, sales records) or operating trust accounts for high-value property portfolios. For agencies that aspire to manage commercial property portfolios with institutional investors, or that provide property services to government, ISO 27001 certification demonstrates data security maturity. The data retention obligations under the Privacy Act align closely with ISO 27001's information lifecycle management requirements.

Annual security assessments — which may include limited penetration testing of email systems and agency management software — are recommended for real estate businesses. The focus should be on: email security (the primary attack vector for settlement fraud), agency management platform access controls, and rental application data storage security. Agencies processing large volumes of property transactions (over $100M per year) should consider formal penetration testing annually.

If personal information (rental application identity documents, tenant records, client financial data) is compromised, you must assess the breach and notify the OAIC and affected individuals within 30 days if serious harm is likely — penalties up to AUD $50 million apply. If trust account funds were affected, you must immediately notify your state fair trading regulator (NSW Fair Trading, Consumer Affairs Victoria, etc.) — failure to do so can result in licence cancellation. Engage your professional indemnity insurer immediately, as coverage for client losses from settlement fraud or trust account irregularities is often available but requires prompt notification. The reputational damage from a publicised settlement fraud — affecting a client's most significant financial transaction — can permanently damage an agency's reputation in its local market.




Need help securing your Real Estate business? Book a free consultation with lilMONSTER — we specialise in cybersecurity for Australian real estate agencies and property managers.
