After a long career helping businesses with their finances, Lily was surprised to find out she had become a victim of fraud.
The retired bookkeeper lost about $26,000 to scammers in June when she sold her two-bedroom apartment in southern Sydney.
Although Lily received most of the sale proceeds, her real estate agent accidentally transferred the deposit (paid by the purchaser) to a scammer.
"For me, a retired disability pensioner, I rely on this money to live in Australia," Lily (who did not wish to disclose her surname) said.
"I worked so hard for 25 years until my vision got so bad that I couldn't work, so I had to retire early.
"Now I'm trying to save for the future, but the money is gone."
Lily suffers from a degenerative eye condition which renders her legally blind. She relies on NDIS support workers to assist her with daily activities such as walking, light exercise and attending medical appointments.
She has been trying to recover the missing funds from her agent, who insists they were not at fault.
Property sector being targeted
Lily and her agent, HT Wills Real Estate, were the targets of a payment redirection scam (also known as a "man in the middle scam").
It usually involves scammers breaking into a business' email account. Alternatively, fraudsters might impersonate a business by sending emails from an almost identical email address.
The scammers then target victims who may already be expecting to make a payment (for example, to a plumber or web designer), so are therefore unlikely to scrutinise the invoices.
The victim typically does not realise anything is wrong until they receive a notice of late payment from the person they thought had already been paid.
The most commonly targeted industries are real estate, legal and construction, according to the Australian Competition and Consumer Commission (ACCC).
However, the regulator said car dealerships, travel companies and their customers were increasingly being targeted.
Anatomy of a payment scam
Here is the email exchange between Lily and her agent, which led to her losing $26,000. It also includes messages that the scammer sent from her account:
- On June 13, HT Wills asked for Lily's bank account number. She promptly replied with her ING details.
- Six minutes later, the scammer sent an identical email to the agent from Lily's email account, but included details of an ANZ account instead
- On June 17, the agent sent a follow-up email to Lily, asking which bank account was the correct one
- HT Wills received details of a new bank account (this time, an ING account which did not belong to Lily). The agency then transferred the funds to the scammer's account
Unfortunately for Lily, she was unaware those messages were being sent from her account.
She only found out when she compared email chains with HT Wills, and noticed there were significant differences.
Lily believes her financial losses could have been prevented if the agent had phoned her to confirm her details.
"I feel so angry, upset and frustrated because the agents know I'm vision impaired," she said.
"I put all my trust in them, but now they leave me in the dark."
This incident has also affected her health. Lily said the agent was initially "sympathetic" but had since stopped returning her calls.
"I couldn't understand why they treat me this way. I can't sleep properly. I can't eat properly. I can't have a normal life. Every minute for me is suffering."
When approached for comment, HT Wills referred ABC News to its lawyer, who wrote in an email:
"We confirm that an incident has occurred impacting one of our clients, HT Wills.
"The incident is still being investigated with the assistance of external expert advisors and we are communicating with our client to support them and resolve the matter."
"We are not in a position to make any further comments at this time."
Profitable to target Australians
Dan Halpin, a former policeman and intelligence officer, said: "I don't believe that relying on email confirmation is anywhere near appropriate."
Mr Halpin now runs his own fraud investigation agency, Cybertrace.
He advises businesses in these situations should verify their client's identity by "picking up the phone to ask for information that no-one else would be aware of", for instance, details of the contract.
He also warned Australians were particularly vulnerable to online scams and the return on investment for cyber criminals was "quite high".
"At our agency, we speak to scammers. They tell us that they're actually increasing the number of staff allocated to scamming Australians," he said.
"They know that the Australian authorities lack the capability and the willingness to pursue them overseas."
Mr Halpin said scammers were more afraid of foreign law enforcement agencies.
He singled out German police and the United States' Federal Bureau of Investigation (FBI) in particular, as they tended to be "more proactive" when it came to conducting raids across the world, extraditing offenders, and securing convictions with jail sentences.
The cyber fraud investigator said Australian state police had "very little interest in pursuing anything cyber, and especially if it's outside of their jurisdiction and overseas".
Mr Halpin used to work for the New South Wales and Queensland police services, the Australian Federal Police (AFP), and the Australian Security Intelligence Organisation (ASIO).
'Conflicting' data on scams
The ACCC has provided the ABC with its latest data on scams, which appear to show an improving trend.
In the last financial year (July 2023 to June 2024), the ACCC's Scamwatch division received 288,604 reports of scams from victims — a slight drop (0.6 per cent) compared to the previous year.
But the total amount lost to scammers was $330.2 million.
This was a 41 per cent fall compared to the preceding financial year's losses ($559.9 million).
An ACCC spokesperson said the "decrease in losses" was "consistent" with what the watchdog had recently seen, but it would need to conduct further analysis.
However, Mr Halpin was sceptical about any conclusions being drawn from those statistics.
"While Scamwatch data suggests fewer victims and losses, Cybertrace has observed an increase in scam reporting during the same period," he said.
"In my view, this conflicting data arises because fewer victims are reporting to the government, not because there are fewer victims overall.
"Many victims are coming directly to us and bypassing government reporting altogether."
'Take the time to call'
But when focusing specifically on payment redirection scams (like the one that targeted Lily and her real estate agent), there are signs the situation may be worsening.
Last week, West Australian Finance Minister Sue Ellery released a statement with new data from her state.
"Eleven WA victims have reported losing a total of $503,285 so far this year to payment redirection scams. This exceeds the $501,028 lost by 29 victims in 2023," Ms Ellery said.
However, when looking at the country as a whole, Australians reported losing $16.2 million to payment redirection scams in 2023 (which, according to the ACCC, was a 3 per cent increase over the previous year).
"If you receive an invoice via email, take the time to call the business on a number you have found yourself to confirm that the payment details are correct," ACCC deputy commissioner Catriona Lowe said.
That advice is also recommended by the Real Estate Institutes of NSW, Victoria, Queensland and WA.
Queensland's peak real estate industry body has even gone as far as inserting a cyber crime warning on its sale of land contracts.
"That warning advises all parties to the contracts to telephone the recipient of funds to verbally confirm the account details before sending funds if they have received bank account details via email," said Antonia Mercorella, chief executive of the Real Estate Institute of Queensland.
Mr Halpin said while the processes would drastically increase the workload for employees, they were a necessary cost, especially when large sums of money were at stake.
"In most cases of someone being scammed, it's very unlikely that they will ever recover any of their money," he said.