Business Email Compromise: Why Real Estate Agencies Are Prime Targets
Settlement fund redirection has cost Australian property industry participants tens of millions. Here's how BEC attacks work and what your agency can do to stop them.
Business Email Compromise (BEC) is the most financially damaging cyber threat facing Australian Real Estate agencies. Unlike ransomware, which is loud and disruptive, BEC attacks are quiet, precise, and designed to steal specific sums of money during high-value transactions.
How BEC Attacks Work in Real Estate
A BEC attack targeting a Real Estate agency typically follows a predictable pattern. First, the attacker gains access to an email account, usually through a phishing email that harvests the victim's Microsoft 365 or Gmail credentials. The attacker then monitors the inbox silently, watching for high-value transactions.
When a settlement approaches, the attacker strikes. They send an email to the purchaser, vendor, or conveyancer that appears to come from the agency but contains fraudulent bank account details. The email often references the correct property address, transaction amount, and parties, with details gathered from the monitored inbox.
The victim, believing they're following legitimate settlement instructions, transfers funds to the fraudster's account. By the time the fraud is discovered, the money has typically been moved through multiple accounts and is unrecoverable.
The Scale of the Problem
The ACCC's Scamwatch data consistently identifies BEC as one of the highest-value scam categories, with the Real Estate and property industry among the most targeted sectors. Individual losses frequently exceed $100,000, and cases exceeding $500,000 are not uncommon.
Real estate agencies are attractive targets because they regularly handle large financial transactions, deal with time-pressured clients, and often have weaker IT security than the legal and financial firms they transact with.
Why Standard Email Security Isn't Enough
Many agencies assume that having Microsoft 365 or a reputable email host means their email is secure. It isn't.
The default Microsoft 365 configuration does not enable the email authentication standards that prevent domain impersonation. Without DMARC, DKIM, and SPF properly configured, attackers can send emails that appear to come from your agency's domain, even without compromising your account.
Multi-factor authentication is also not enabled by default. An attacker who obtains your staff member's password through phishing has full access to that email account and can monitor settlement transactions at leisure.
What Effective BEC Protection Looks Like
A hardened Microsoft 365 environment for a Real Estate agency includes: MFA enforced for all accounts without exception, including shared mailboxes; Conditional Access policies that block access from unexpected locations; DMARC, DKIM, and SPF records correctly configured to prevent domain spoofing; Microsoft Defender for Office 365 with Safe Links and Safe Attachments to catch phishing attempts; and regular staff awareness training so your team can recognise social engineering attempts.
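The DMARC and SPF settings in that list are what stop an attacker sending mail that appears to come from your domain. As an added example, not code from this article or from Everything ICT, the Python script below parses constructed sample records and flags the settings that still leave a domain spoofable; the domain and reporting mailbox in the records are placeholders.

```python
import re

# Constructed sample records for illustration only. For a real check, feed in
# the TXT records returned by `dig TXT agency.example.com.au` and
# `dig TXT _dmarc.agency.example.com.au` (placeholder domain).
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@agency.example.com.au"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@agency.example.com.au"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag -> value; None if it is not a DMARC record."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return findings that let an attacker spoof the domain; an empty list means enforcing."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no DMARC record: receivers have no policy to reject spoofed mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unnoticed")
    return findings

def assess_spf(txt):
    """Flag SPF records whose final 'all' mechanism does not fail unlisted senders."""
    if not txt.strip().lower().startswith("v=spf1"):
        return ["no SPF record: any server may claim to send for this domain"]
    all_terms = [t for t in txt.split() if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders are not rejected"]
    qualifier = all_terms[-1]
    if qualifier.lower() in ("all", "+all", "?all"):
        return [f"{qualifier}: effectively permits any sender to use the domain"]
    if qualifier.lower() == "~all":
        return ["~all: softfail only; rely on DMARC p=reject to enforce"]
    return []

if __name__ == "__main__":
    for label, record, check in [("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc),
                                 ("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf)]:
        print(f"{label}: {check(record) or 'OK'}")
```

A record that passes both checks still depends on DKIM signing being enabled for your sending domain in Microsoft 365, which this script does not verify.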
Additionally, your agency should implement a verbal verification policy for any change of payment details received via email. A phone call to a known number (not one provided in the suspicious email) takes seconds and can prevent six-figure losses.
The Role of Your IT Provider
BEC protection is not a product you can buy. It's a configuration and culture challenge. Your IT provider should be proactive in reviewing your Microsoft 365 security configuration, not just keeping your computers running.
Everything ICT conducts Microsoft 365 security assessments specifically designed for Real Estate agencies. We identify configuration gaps, implement the appropriate controls, and provide staff training that reflects the specific social engineering tactics used against the property industry.
Everything ICT
Brisbane's IT & Cyber Security Managed Services Provider.