Real estate agent email hacked but buyer pays the price

If you have bought or sold a property recently, you probably received a warning about relying on emails directing you to pay money to a particular bank account without first checking with the sender that the email has not been altered.

Given the amount of money involved, real estate transactions are a prime target for cyber criminals who are seeking to exploit vulnerabilities in email systems to divert funds into fraudulent accounts. Criminals use a range of techniques, including phishing emails and malware, to gain access to email accounts and then lie in wait for emails containing bank account details.  When the opportunity arises, the cyber criminal simply alters the bank account details prior to receipt by the unsuspecting recipient and directs the funds to their own account.

A recent NSW case[1] illustrates the ease with which criminals can make undetectable changes to emails and provides a practical reminder of why parties to real estate transactions need to be vigilant when transferring funds.

How was the fraud perpetrated?

A contract for the sale of a residential property was exchanged on 1 February 2020. The contract provided for payment of a 10% deposit – an initial deposit by 1 February and the balance of $54,600 by 12 February 2020.  The form of contract used provided for payment of the deposit either by cash (up to $2,000) or cheque.

Before exchange, the agent directed the buyer to pay the initial deposit by EFT into the agent’s trust account. The agent provided the buyer with account details and the buyer paid the initial deposit by EFT.  On 7 February 2020, the agent emailed the buyers reminding them to pay the balance deposit and again setting out their trust account details.  Two days later, the buyer received (what appeared to be) another email from the agent attaching an invoice for the remainder of the deposit. This email purported to be part of an email chain, including the email of 7 February 2020 and requested payment to a fraudulent bank account.  The BSB and account number in the 7 February email had also been changed to match the details of the fraudulent account in the 9 February email.

The buyer paid the balance deposit by EFT to the fraudulent account (without noticing the change in BSB and account details from the previous payment) and sent a screen shot confirming the transaction to the agent. The agent also failed to notice the different account details in the confirmation.

The seller subsequently served a termination notice. The buyer commenced proceedings seeking enforcement of the contract on the basis that the agent had directed that the deposit be paid by EFT, that this direction was given on behalf of the seller, and that therefore the buyer had satisfied the obligation to pay the deposit. The success of the buyer’s claim therefore depended upon the court accepting that the real estate agent was acting as the seller’s agent to direct payment of the deposit by EFT.

Was the agent authorised to direct payment by EFT?

Under the common law, a real estate agent appointed to find a buyer does not have implied authority to bind the seller to a contract or to vary the terms of a contract signed by the parties. Any authority to this effect must be expressly stated either in the terms of the agency appointment or in the terms of the contract of sale.

Further, unless altered by the terms of the contract, a real estate agent who acts as a stakeholder does not receive the deposit in their capacity as agent for the seller. A separate tripartite contract exists between the agent as stakeholder and the buyer and seller in relation to the money held by the agent.

In this case, the contract of sale did not require or authorise the payment of the deposit by EFT. Further, the agency appointment did not authorise the real estate agent to act on behalf of the seller when directing or accepting payment of the deposit as stakeholder under the contract. Any direction by the agent about methods of payment was therefore in the agent’s capacity as stakeholder only.

As a result, the buyer was in breach for not paying the deposit in accordance with the terms of the contract or as directed by the seller and the seller was entitled to terminate the contract. Whether the real estate agent was liable to the buyer in its capacity as stakeholder was not considered by the court.

Is a buyer in Queensland in the same position?

The authority of a Queensland real estate agent under the general law is the same as in NSW. This is not altered by the approved form of agency appointment in Queensland. Therefore, an email from a real estate agent directing the buyer to pay to a specified account is usually given by the agent in its personal capacity as Deposit Holder and not as agent of the seller.

However, unlike the form of contract commonly used in NSW, the Reference Schedule of the REIQ Contracts includes provision for the BSB and account details of the Deposit Holder’s trust account to be included.  This raises some further questions about where the loss might lie.

If the account details were fraudulently altered before the seller signed the contract, arguably by signing the contract, the seller authorises the buyer to pay the deposit to the nominated account.  The buyer may therefore be entitled to claim that it had complied with the contract. However, where the fraudulent alteration is made after the contract is signed by both parties (i.e. an email from the agent sending the fully signed contract to the parties is hacked and the account details are fraudulently altered on the copy of the contract attached to the email) the result may be different.

Key Takeaway

The key lesson from the case is that email is not a particularly secure form of communication.  Parties to real estate transactions should be wary about relying on account details conveyed by email (whether in the body of the email or an attachment to an email such as a contract or invoice).  When sending large amounts of money, always confirm the details of the account personally with the sender of the email, even if you have previously received an email from the same person.

Authored by:

Professor Sharon Christensen, Consultant
Chloe Johnston, Solicitor