How my recent scam experience can be a valuable lesson for property professionals

Recently, the inevitable happened in my house – one of us got scammed. My teenager was on Steam, an online gaming platform, and called out, “Dad, I’m on a call and they’re saying I need to pay money to them, or I’ll be reported for fraud. I don’t understand”. I popped into his room and read through the chat thread, unmuting “Tom” to ask him what was required. Tom quickly realised he was dealing with an adult and no longer a child. He basically said, “we’ll close the account if you don’t pay the $247 USD”. I hung up, we high-fived and thought wow, close call, we caught that just in time. An embarrassed and upset 15-year-old realised they don’t know everything online and certainly need to be more careful. Dad saves the day!

As I got back to what I was doing, I heard the tone all parents dread, “Dad…”. Knowing something was wrong, I went back upstairs to find a very upset teenager whose account had been closed with no access permitted. I couldn’t understand. I asked him whether anything had been clicked on or whether he had shared personal details. Yes, there it was, a link sent by Tom from Steam Support asking to log in and verify details. The page that had been clicked on was a carbon copy of the Steam Support page. An email and password were entered and that was it, Tom and his team of scammers (yes, it was a team) had my teenager’s details, changed the password and I expect the email too. All games in Steam were gone, the account logged out and as a result, an expensive lesson in cyber security awareness for the 15-year-old.

This was a smart scam against kids. How did it work?

  1. In the platform, random accounts say, “sorry, I reported you accidentally to Steam Support because you have a doppelganger account. They have bought games from me and not paid”.
  2. My teenager: “sorry, I don’t understand. I haven’t bought any games from you”.
  3. Random account: “yeah, I know. It was someone else, but I reported you before I realised. I’m sorry bro, my bad”.
  4. Simultaneously, Tom from Steam Support makes contact. For those not familiar with Steam, imagine multiple text messages coming through at the same time. In addition, Tom starts a voice call.
  5. Referring to my teenager’s callsign, Tom says the account has been reported by user ‘X’. My teenager says, “yes, but user ‘X’ said it was the wrong person and there’s another account”. Tom says, “yes, he has notified us, but we have to confirm your account is correct”.
  6. The chat displays purchase details (these are all publicly available in Steam as you can see what games other users have bought) and a quick calculation by Tom concludes the games will cost $247 USD.
  7. Unknowingly supporting the scam, my teenager did a check on his account and realised that’s the correct amount.
  8. Now the drop:
    Part 1 – Tom says, “I’ve just sent you a link to log in to Steam Support and we’ll confirm this is the correct account”. My teenager does as asked and enters his email and password.
    Part 2 – “I now need you to pop in the card details you paid for the games with. We’ll confirm this against the purchases and then we can close this complaint. If you don’t, we’ll unfortunately have to report you for fraud…”, said Tom.

Luckily, my teenager had the sense to pause at this point and call out to me. I don’t think he would have put in the card details but who knows, these scammers have no ethics and can be very convincing. We were lucky. A few hundred dollars of games lost, an upset teenager and a damaged ego, but a lesson I think will ensure they don’t fall for this again. Well, hopefully.

This situation isn’t ideal, and it shows the level of sophistication cybercriminals are reaching and how unethical they are.  

Imagine this scenario in the process of a property transaction.

  1. You’ve been searching for your new family home and have pre-approval from the bank. You go to an open home on a Saturday morning and love the house. The agent at the open home has copies of the contract (you wish they were digital copies) and you want a copy to share with your lawyer.
  2. You email the agent asking for a copy of the contract. The agent shares one with you but unbeknown to you both, someone has been a victim of a phishing attack and emails are being monitored for key phrases and correspondence.
  3. You speak to your lawyer on Monday morning who confirms you can make an offer and pay the initial deposit. You reach out to the real estate agent who emails you their trust bank details – the correct ones. These key words trigger alerts and a high level of awareness for a number of cybercrime syndicates monitoring keystrokes and checking for words, such as ‘bank details’.
  4. You pay $5000.00 on Monday morning, sign the contract with your lawyer (wishing you could also do this digitally), scan and send it to the agent.
  5. An hour later, you receive the magical call, “the vendor has accepted your offer and has signed the contract. Congratulations, you’ll need to pay the remaining $105,000.00 this week please”.
  6. Pleasingly, you see a copy of the signed contract in your emails. A second email quickly follows. On the surface, it looks like it’s from the same email address as it has the same branding and agent details. The email states ‘for the remaining balance of the $105,000.00 deposit, please pay it to this bank account to ensure no delay or impact on the transaction’. This is the fraudulent bank account.
  7. You call the agent to acknowledge the email and confirm you’ve paid the balance of funds for the deposit. He thanks you; unbeknown to him, there has been a follow-up email with new bank details. He explains the money will be in the account in the next two days and your lawyer will be informed. His job is done and he’s now onto his next sale.
  8. By Friday, the funds still aren’t received in the agent’s account. He follows up to see what the delay is, only to realise the funds are gone. Everyone is concerned with who is at fault and what has happened.

This is the reality every week for property transactions in Australia. As with the gaming platform scam that impacted my teenager, cybercriminals, both here and around the world, operate with a high level of sophistication and clearly understand how monies change hands in the sale and purchase of property. As a professional involved in the sale and purchase of property, should you be concerned? Yes. You need to be diligent and aware of these issues. You need to provide services to your clients that protect them, yourself, and your business. At times this can seem unachievable but there are best practices you can put in place without disrupting your workflows too much. Likewise, we should be doing the same in our homes with our loved ones.

It’s important now more than ever that we’re all vigilant when it comes to cyber security, both at home and in our workplace.

Three key actions that can help prevent many of the challenges are:

  1. Never share bank account details via email or similar unsecure channels. It’s safer to use a third-party provider, such as Securexchange, to ensure information is shared in a secure and protected manner.
  2. Where available, set up multi-factor authentication to log into portals connected to your environment and where data may be shared.
  3. Talk to your family and your work teams regularly about the challenges of cyber security and being cyber secure. The more often this occurs, the more likely you’ll start to build a cyber safe culture and a framework to protect your business and homes from this growing threat we all face.

Author: Lee Bailie

Lee Bailie is Head of Property Australia at InfoTrack. His key goal is to ensure InfoTrack provides clients with market-leading and innovative technology for stakeholders involved with property transactions. Lee is an experienced leader and has a strong background in the information technology and professional services industry.
