Cybersecurity Blind Spots in Conveyancing Firms and How Criminals Exploit Them

Part 1 of the 5-part series: Future-Proofing Your Conveyancing Practice

Today we start a new series of posts for NSW-based conveyancing firms – Future-Proofing Your Conveyancing Practice. Based on the impending AML/CTF reforms, it will dive into what you need to have in place before these changes come into effect next year, and how some basic cybersecurity best practices will set you up to meet your forthcoming obligations.

Let’s get straight into it!

Conveyancers have become an increasingly attractive target for cybercriminals — and not by coincidence. You sit at the intersection of high-value transactions, predictable communication patterns, strict settlement timelines, and often lean internal IT processes. To a cybercriminal, this combination is the perfect storm.

Yet many conveyancing practices still assume: “We’re small — why would anyone target us?”

Unfortunately, the attackers already know exactly why.

Why Conveyancers are Prime Targets

Cybercriminals look for three things:

High-value transactions

Property settlements routinely involve hundreds of thousands of dollars, and then some. One fraudulent email at the right moment can redirect an entire deposit.

Predictable workflows

Your processes follow a pattern:

  • Contract preparation / draft contract issued
  • ID verification & client due diligence (CDD)
  • Contract review & negotiation
  • Exchange of contracts (plus deposit paid)
  • Post-exchange/pre-settlement checks: searches, inspections, finance approval
  • Settlement day: final instructions, fund transfer, title registration
  • Post-settlement compliance/record-keeping (for AML/CTF and cybersecurity)

Attackers study these workflows and time their attacks for maximum impact.

Heavy reliance on email

Many conveyancing firms still use standard email for:

  • Bank account instructions
  • Identity and documents
  • Contracts and certificates
  • Settlement statements

Email is simply not built for this kind of security.

How a Typical Settlement Fraud Works (Step-by-Step)

  1. Criminal gains access to one side’s email account, usually via stolen passwords, unpatched software, weak multi-factor authentication (MFA) settings or session hijacking (which can bypass MFA)
  2. They watch quietly, often monitoring an inbox for weeks waiting for settlement dates, invoices, or trust account instructions
  3. They inject one fake message at the perfect moment, often containing “updated bank details”, “urgent changes to settlement funds”, or similar
  4. Funds are transferred into the criminal’s account, and are quickly laundered offshore
  5. The conveyancer wears the reputational damage, even if the firm did nothing “wrong”. Clients will usually blame them.

The Blind Spots Most Conveyancers Don’t Realise They Have

MFA isn’t actually turned on for everyone

This is surprisingly common. Your admin account might have MFA enabled, but what about:

  • Staff
  • Part-time team members
  • Shared mailboxes
  • Mobile devices
  • Bookkeepers or contractors

It’s not uncommon for half or more of users to be unprotected.

Missing or misconfigured email security

There are some basic email security settings which you should have in place (SPF/DKIM/DMARC). Most SMBs never touch these settings, or aren’t aware they exist – yet they’re a critical part of preventing fake emails that look like they come from your company.

For example, without DMARC, cybercriminals can spoof your email address and insert fake settlement instructions that look completely legitimate.
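
The following added example, which is not from the original post, checks published SPF and DMARC TXT records for the gaps described above: a missing record, or a policy that does not actually block spoofed mail. The records are constructed samples for the placeholder domain example.com.au, and the function names are assumptions.

```python
# Added example. TXT records below are constructed samples, not real DNS data.

def parse_tags(record):
    """Split a DMARC-style 'tag=value; tag=value' record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return [f"{len(records)} DMARC records found: receivers apply no DMARC policy"]
    tags = parse_tags(records[0])
    policy = tags.get("p", "missing").lower()
    enforcing = ("quarantine", "reject")
    findings = []
    if policy not in enforcing:
        findings.append(f"p={policy}: receivers are not asked to quarantine or reject failing mail")
    if "sp" in tags and tags["sp"].lower() not in enforcing:
        findings.append(f"sp={tags['sp']}: subdomains can still be spoofed")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports on who sends as the domain")
    return findings

def assess_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    records = [r for r in txt_records if r.strip().lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return [f"{len(records)} SPF records found: SPF cannot give a pass/fail result"]
    terms = records[0].lower().split()[1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in another record; assess that one instead
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if all_terms[0][0] not in "-~":  # bare 'all' means '+all' (pass)
        return [f"'{all_terms[0]}' does not fail unlisted senders"]
    return []

# Constructed sample: monitoring-only DMARC and an SPF record ending in ?all.
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"]
SAMPLE_SPF = ["v=spf1 include:_spf.example.net ?all"]

if __name__ == "__main__":
    for finding in assess_dmarc(SAMPLE_DMARC) + assess_spf(SAMPLE_SPF):
        print(finding)
```

To assess a real domain, pass in the TXT strings returned by a DNS lookup for the domain (SPF) and for `_dmarc.<domain>` (DMARC).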

Trust account workflows rely on insecure communication

Emailing bank account instructions is the most exploited attack vector in Australian property fraud.

Yet it’s still standard in many practices.

Stored client IDs are poorly protected

Scans of passports, driver’s licences, visas, and bank statements are often sitting in:

  • Email attachments
  • Local downloads folders
  • Non-encrypted server shares
  • Cloud storage with public link sharing enabled
  • Insecure backups

From the 1st of July 2026, AML/CTF obligations will apply to conveyancers as “tranche 2” entities, and regulators will expect you to demonstrate secure handling and long-term retention (7 years) of client identification and transaction records.

Lack of client cybersecurity awareness

If your conveyancing firm has addressed all these weak spots, can you be sure that all your clients have as well? They can also be the point of entry for cybercriminals.

Many conveyancing firms do not offer their clients cybersecurity awareness training.

AML/CTF 2026: Why Cybersecurity Now Matters More

The upcoming AML/CTF reforms will require conveyancers to demonstrate:

  • Secure storage of identification documents
  • Reliable record-keeping
  • Reasonable measures to prevent fraud
  • Systems that ensure the integrity of client communications

We expect AUSTRAC to take a dim view of firms still using unsecured email for identity and financial data.

What Conveyancers Should Do Now

We’ve written an AML/CTF 2026 Readiness Checklist for NSW Conveyancers. Click here to download your free copy.

Final Thoughts

The risk to conveyancers is not hypothetical. Cybercriminals are actively targeting firms of all sizes, and in most cases a small step like enforcing proper MFA or securing email authentication could have prevented the breach.

If you’re unsure where your blind spots are, we offer a free Conveyancer Cyber Hardening Assessment – an audit tailored specifically to NSW conveyancers. Simply click this link to start that conversation.

Stay safe out there, and look out for the next post in this series – AML/CTF 2026: What Conveyancers Need to Know – and the IT Changes Required.
