Article
How Conveyancing Scams Target Law Firms
On settlement day, one spoofed email can send a buyer's house deposit to a criminal — and leave the law firm carrying the fallout. How conveyancing fraud works, and how to stop it.

Picture the last hour before a property settlement. The buyer is refreshing their inbox, nerves jangling, waiting for one final email from the solicitor: the trust-account details to transfer the balance of a life's savings. The email arrives. The letterhead is right, the matter reference is right, the solicitor's name is right. There's a short, friendly note — "please note our updated account details below" — and a BSB and account number. The buyer transfers the money. And it's gone, to an account that was never the firm's, emptied and closed within the hour.
Nobody was careless, exactly. The email really did come from a compromised mailbox in the conveyancing chain. This is a payment redirection scam — the polite name for business email compromise pointed at a property deal — and in Australia it is not rare or exotic. It was the country's second-largest category of scam losses in 2025 at $166.8 million, and the national scam centre averages two reports a week tied specifically to real-estate transactions. Law firms sit right in the blast radius.
The attacker doesn't break the settlement. They wait for it, and redirect it.
Why property settlements are the perfect target
Start with the economics, because they explain everything else. Most fraud is a numbers game of tiny thefts — a stolen card here, a $200 gift-card scam there. A conveyancing redirection is the opposite: a single successful strike moves a deposit or settlement balance, which in this market means anywhere from tens of thousands to well over a million dollars, in one irreversible transfer. The attacker needs to win once, occasionally, to run a very profitable operation.
Now layer on what a property matter looks like from the outside. It's conducted almost entirely over email. It involves a large payment on a date everyone knows in advance. The parties — buyer, solicitor, agent, broker — often haven't met in person and don't recognise each other's voices. And there's a powerful script running: everyone expects account details to arrive by email near settlement, so an email with account details near settlement doesn't trip a single alarm. The scam isn't beating your defences. It's wearing the costume of a completely normal Tuesday.
How the attacker actually gets inside
The redirection is the last act. The quiet part comes first, and it usually starts with one phished password. Someone in the conveyancing chain — the solicitor, a paralegal, the agent, even the buyer — clicks a convincing login page and hands over their email credentials. No malware, no alarms; just a working username and password sold or used directly.
Here's the clever, patient bit. The attacker rarely strikes straight away. They log into the mailbox and read — sometimes for weeks — learning the firm's tone, the matters in flight, the settlement dates. Very often they quietly set up a mailbox rule: auto-file or delete replies containing words like "invoice", "trust", "account" or "settlement", so the real owner never sees the conversation the attacker is about to hijack. From the inside, they're not impersonating the firm. For the purposes of that email thread, they are the firm.
The strike, timed to the minute
When a settlement approaches, the attacker steps into the existing email thread — the genuine one, with its real history and signatures — and sends the buyer "updated" trust-account details, often with a plausible reason ("our usual account is undergoing an audit"). Because it's the same thread from the same address, it clears every instinctive check. The buyer pays. The money hits a mule account and is gone before anyone reconciles.
The timing is deliberate and cruel: right on settlement day, when everyone is stressed, moving fast, and desperate not to be the one who holds up the deal. Urgency isn't a side effect of the scam — it's the main ingredient, and property settlement supplies it for free.
The twist: it might not be your mailbox at all
So you lock down the firm's email perfectly — and you should. But here's the wrinkle that makes this genuinely hard: the compromised mailbox might belong to the other side. The buyer's personal Gmail. The real-estate agent. A mortgage broker. Any weak link in the chain lets the attacker forge the same email, and the loss still lands on your client and, by reputation and often by professional-indemnity claim, on your firm.
That's why the defence can't be purely technical and purely yours. It has to include the humans on the other end of the transaction — which is where the single most effective habit comes in, and it costs nothing.
"Just look for the dodgy grammar" is dead advice
For years the standard warning was to spot the clumsy English — the typos and odd phrasing gave scammers away. That advice is now worse than useless, and it's worth being clear about why. We built AI tools that produce flawless, perfectly formatted, on-brand English for free, and some of the keenest early adopters turned out to be the people writing the scams. The fake settlement email now reads exactly like your best paralegal wrote it — because, functionally, an AI trained on a million of them did. The tell is gone. The defence has to move from "does this look right?" to "have I verified this through a second channel?"
It's worth a pause on how we got here. We took the most significant financial moment in most people's lives — buying a home — and moved it entirely onto email, a system with no built-in way to prove who actually sent a message. Then we handed everyone a tool that writes a perfect impersonation on request. We can run a nation's property settlements this way. Whether we should have, without building the verification step in first, is a question the industry is, uh... answering the expensive way.
The defence is layered, not a single wall
No one control stops this, because it attacks people, process and technology at once. You defend it the same way — in layers, so that any single failure is caught by the next.
- Verify every account detail by phone — this is the one that actually works. Any bank details, and any change to them, get confirmed by calling the firm on a number you already have (never the number in the email). Tell clients in writing at the start of the matter: "our trust-account details will never change by email; if you receive such an email, phone us before paying a cent." That one sentence, sent early, defeats the entire scam.
- Turn on multi-factor authentication everywhere — every mailbox in the firm, no exceptions. A phished password on its own then buys the attacker nothing, which cuts off the whole attack at its root. Microsoft's research puts MFA's effectiveness against account compromise above 99%.
- Authenticate your outbound email with SPF, DKIM and DMARC configured properly, so attackers can't spoof your domain to your clients — and so your legitimate mail isn't the thing that trains people to trust look-alikes.
- Watch the mailboxes. Managed detection and response flags the tell-tale signs of compromise — a new mailbox rule that hides "invoice" and "settlement" emails, a login from an unusual country — often before a cent moves.
- Train the whole firm, then test it. The person who processes a trust payment matters more than any firewall. Structured security awareness training turns staff from the soft target into the alarm that catches what the filters miss.
None of this is exotic or expensive. It's MFA, a correctly configured Microsoft 365 tenant, monitoring, and one firm-wide habit about verifying payments. The firms that get hit are almost never the ones that couldn't afford the defence — they're the ones who hadn't turned it on yet.
What this means for a NSW law firm
For an Australian practice this isn't only a financial risk — it's a professional one. The Law Society of NSW and your professional-indemnity insurer both expect you to be protecting client funds and communications, and trust-account rules leave little room for "we got tricked". A redirection incident can mean notifying clients, notifying your insurer, a hit to the firm's reputation in a referral-driven business, and hard questions at your next PI renewal. This is exactly the scenario our IT support for law firms is built around — the email hardening, monitoring and staff training that keep a settlement from becoming a claim. It's the text-based cousin of the voice-cloning fraud we cover in the deepfake CEO scam, and it shares its DNA with the tax-time ATO email scams that spike every July: same playbook, different costume.
Frequently asked questions
What is a conveyancing or payment redirection scam?
It's a form of business email compromise where a criminal, having gained access to a mailbox somewhere in a property transaction, sends the buyer fake "updated" bank details near settlement so the funds go to the criminal instead of the solicitor's trust account. In 2025 it was Australia's second-costliest scam category by dollar losses.
Who is liable if a client's settlement money is stolen this way?
It depends on where the compromise occurred and the facts of the matter, but even when the breached mailbox wasn't the firm's, a law practice can face reputational damage, a professional-indemnity claim and awkward questions from the Law Society. Prevention is dramatically cheaper than arguing liability after the money's gone.
How can our firm actually prevent it?
Layered defence: MFA on every mailbox, properly configured email authentication (SPF, DKIM, DMARC), mailbox monitoring via managed detection and response, staff training, and one non-negotiable habit — verify every bank detail by phone on a known number, and warn clients in writing up front that your trust details never change by email.
The scam email had no spelling mistakes — how would we spot it?
You increasingly can't, by eye — AI writes flawless fakes now. That's exactly why the defence has shifted from "does it look right?" to verifying payment details through a separate channel every single time, regardless of how legitimate the message appears.
Local IT and cyber security support across NSW
Chewing IT provides IT support, email hardening and cyber-security for law firms across the Central Coast, Newcastle, Lake Macquarie, Hornsby and the wider Sydney North Shore. Most work is delivered remotely with same-day turnaround, and on-site support is dispatched from our Wyong office on the Central Coast and our Hornsby office in Sydney.
Not sure whether a spoofed settlement email would get past your firm? Get in touch for a straight conversation about protecting your trust account — before a criminal tests it for you.