Cyber security for Australian conveyancers.
Settlement payment fraud is the dominant cyber threat facing Australian conveyancers. Attackers monitor conveyancing email threads and substitute payment details in the days before settlement. A typical residential transaction is $500,000 to $1.5 million.
IronSights helps conveyancers prevent it, and prepares practices for AML/CTF Tranche 2 obligations from 1 July 2026. ISO 27001 certified, Sydney-based.
Threat context
Why conveyancers are targeted.
Conveyancers handle the largest single transactions most Australians will ever make. The combination of large, time-sensitive payments and an email-driven workflow creates conditions that attackers have learned to exploit systematically. Settlement payment fraud affecting Australian conveyancing practices is not a sophisticated attack. It does not require advanced technical capability. It requires access to a conveyancing email thread and patience.
The mechanism is consistent: an attacker gains access to the email correspondence surrounding a property transaction, through a compromised conveyancer account, a spoofed domain that looks like the conveyancer's firm, or a compromised client inbox. They monitor the thread until the right moment, which is typically in the three to seven days before settlement, when buyers are expecting to receive payment instructions. The attacker then sends modified payment instructions with substituted BSB and account numbers. The email appears to come from a familiar sender and references the correct property and settlement details.
AUSTRAC data and Australian Cyber Security Centre reporting have both identified conveyancing as a sector with elevated BEC exposure. The Australian Banking Association has published guidance specifically addressing conveyancing payment fraud. It is a known, documented threat with a consistent pattern. The controls that address it are also consistent: DMARC in enforcement mode, MFA on every email account, and a standing practice of verifying payment details by telephone before any transfer.
From 1 July 2026, the AML/CTF Tranche 2 reforms bring conveyancers providing designated services into AUSTRAC's regime as reporting entities. The compliance obligations are substantial: an AML/CTF program, customer due diligence, suspicious matter reporting and record-keeping. Practices that have not started implementing those obligations are likely to find that the lead time is longer than they expect.
Common risks
What we see when we work with conveyancers.
Settlement payment fraud via email interception
The most financially damaging attack type in Australian conveyancing. An attacker in the email thread, through a compromised account or spoofed domain, waits for the days before settlement and sends modified payment instructions with substituted BSB and account numbers. Clients expecting payment instructions at that point in the process often transfer without calling to verify. A typical residential transaction is $500,000 to $1.5 million.
Domain spoofing
Attackers register domains that appear similar to a conveyancer's firm domain. conveyancers.com.au and conveyancers-au.com.au look similar enough in an email header that clients in a stressful transaction do not always notice. DMARC protects the conveyancer's own domain but not lookalike domains. Awareness training for clients and staff is the control that closes this gap.
Conveyancing software credential theft
Conveyancing management platforms are targeted through phishing campaigns and credential-stuffing using data from earlier breaches. A compromised credential exposes client matter records, settlement dates, property details and the correspondence history that an attacker can use to make fraudulent payment instructions appear credible. MFA where available on these platforms is the most direct mitigation.
AML/CTF compliance gaps ahead of Tranche 2
From 1 July 2026, conveyancing services become designated services under the AML/CTF Act. Practices without documented customer due diligence processes, transaction monitoring procedures and an AML/CTF program will be non-compliant from that date. The lead time for implementing a compliant program is longer than most practices expect.
Inadequate client communication protocols
Most conveyancing fraud succeeds because there is no standing practice of verbally verifying payment details before transfer. A firm's email-based payment instruction workflow, without a process requiring telephone confirmation from an independently sourced number, is the gap that enables fraud regardless of the technical controls in place.
How we help
Services for conveyancing practices.
The controls that prevent settlement payment fraud are well understood. So is the path to AML/CTF Tranche 2 readiness. We help you implement both.
Microsoft 365 security
DMARC, DKIM and SPF configuration in enforcement mode, MFA on every staff account, policies to prevent sign-in from unrecognised locations and devices, and admin account separation. These are the controls that directly address the email-based attack vectors affecting Australian conveyancers.
Penetration testing and phishing simulation
Phishing simulations that mimic the DocuSign, court notification and payment instruction lures used against Australian conveyancing practices. External network tests to identify any external-facing services with known vulnerabilities. Thirty-day free retest included.
Audit and assurance
A review of your practice against AML/CTF Tranche 2 requirements, with a clear picture of what your practice needs to address before 1 July 2026. The output is a practical roadmap, not a compliance checklist.
Incident response
Available 24 hours a day. If a settlement payment fraud event occurs, we support containment, forensic investigation, assessment and PI insurer notification. We understand the time pressure that settlement dates create and the regulatory obligations that run alongside them.
Compliance
Regulatory obligations for conveyancers.
Tranche 2 from 1 July 2026
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 extends the AML/CTF regime to conveyancing services from 1 July 2026. Conveyancers providing designated services will be reporting entities with obligations to maintain an AML/CTF program, conduct customer due diligence, report suspicious matters and keep records. Privacy Act obligations will also apply to personal information handled for AML/CTF purposes regardless of annual turnover.
APP obligations and the NDB scheme
Conveyancers with annual turnover above $3 million are covered entities under the Privacy Act and the Australian Privacy Principles. From 1 July 2026, the AML/CTF reforms will bring additional Privacy Act obligations for personal information handled in that context regardless of turnover. A breach involving settlement correspondence, client identity documents or financial records will almost always meet the NDB serious harm threshold.
State-based licensing and conduct obligations
Conveyancers operate under state-based licensing schemes. In NSW, the Conveyancers Licensing Act 2003 imposes conduct obligations. Professional indemnity insurance requirements apply in every state. A payment fraud event that results in client financial loss has implications for licensing, PI cover and professional conduct standards simultaneously.
Common questions
Asked by conveyancers like you.
Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.
What is settlement payment fraud and how does it specifically target conveyancers?
Settlement payment fraud, also called business email compromise in this context, targets the email-driven payment instruction workflow that is central to conveyancing. Attackers gain access to a conveyancing email thread, through a compromised conveyancer account, a spoofed domain that looks like the conveyancer's, or a compromised client inbox. They monitor the correspondence and learn the property address, the expected settlement date, and who the parties are. In the days immediately before settlement, when clients are expecting payment instructions, the attacker sends modified instructions with substituted BSB and account numbers. The email appears to come from a familiar address and references the correct property details. A typical Sydney or Melbourne residential settlement is between $500,000 and $1.5 million. Once transferred, funds are moved quickly across multiple accounts. Recovery is rarely straightforward.
Will conveyancers be covered by the AML/CTF reforms from 1 July 2026?
Conveyancing services are listed as designated services under the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024. From 1 July 2026, conveyancers providing those services will be reporting entities under AUSTRAC with obligations to maintain an AML/CTF program, conduct customer due diligence, report suspicious matters and keep records. Privacy Act obligations will also apply to personal information handled for AML/CTF purposes regardless of annual turnover. Conveyancers who are not currently covered by the Privacy Act should review their position before that date.
Does DMARC actually stop settlement payment fraud?
DMARC stops one specific mechanism: an attacker sending email from a domain that looks exactly like your domain. If your firm is conveyancer.com.au and an attacker sends email that appears to come from conveyancer.com.au, a correctly configured DMARC policy in enforcement mode prevents that email from reaching the client's inbox. DMARC does not stop an attacker who has genuinely compromised your email account and is sending from it, or an attacker using a lookalike domain like conveyancer-au.com. The full protection requires DMARC in enforcement mode, MFA on every email account to prevent account compromise, and a process-level rule that bank account details are always verbally confirmed before payment is made. DMARC is one layer. It is not sufficient on its own.
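An added example, not IronSights' own tooling, that makes the boundary described in this answer (and in the Domain spoofing and Microsoft 365 sections above) concrete: it parses a _dmarc TXT record, distinguishes a monitoring-only policy from enforcement, and classifies the three sender scenarios (exact-domain spoof, compromised mailbox, lookalike domain). The two records are constructed samples, and the dmarc_outcome helper and its outcome labels are assumptions made for illustration.

```python
# Constructed sample _dmarc TXT records (not any real firm's DNS): the weak
# monitoring-only policy beside the enforcement policy the page recommends.
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@conveyancer.com.au"
DMARC_ENFORCED = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
    "rua=mailto:dmarc@conveyancer.com.au"
)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_enforcing(record: str) -> bool:
    """True only for p=quarantine or p=reject applied to 100% of mail.

    p=none (monitoring) and a partial pct= rollout both leave exact-domain
    spoofs deliverable, so neither counts as enforcement here."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    pct = int(tags.get("pct", "100"))
    return tags.get("p", "none").lower() in ("quarantine", "reject") and pct == 100


def dmarc_outcome(firm_domain: str, sender_domain: str,
                  aligned: bool, record: str) -> str:
    """Classify a message by the sender domain and whether SPF/DKIM alignment
    passed. Hypothetical helper; the outcome labels are our own."""
    if sender_domain.lower() != firm_domain.lower():
        # DMARC is evaluated against the sending domain's own record, so a
        # lookalike domain is outside the firm's policy entirely.
        return "not-covered-lookalike"
    if aligned:
        # Mail from a genuinely compromised mailbox passes alignment checks.
        return "delivered-compromised-account"
    return "blocked" if is_enforcing(record) else "delivered-no-enforcement"


if __name__ == "__main__":
    for domain, aligned, record in [
        ("conveyancer.com.au", False, DMARC_ENFORCED),      # spoof, enforced
        ("conveyancer.com.au", False, DMARC_MONITOR_ONLY),  # spoof, p=none
        ("conveyancer.com.au", True, DMARC_ENFORCED),       # compromised account
        ("conveyancer-au.com", False, DMARC_ENFORCED),      # lookalike domain
    ]:
        print(domain, aligned, dmarc_outcome("conveyancer.com.au", domain, aligned, record))
```

Only the first case is stopped by DMARC; the other three are the gaps the answer says MFA and telephone verification have to cover.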
Are conveyancers covered by the Privacy Act?
Conveyancers with annual turnover above $3 million are covered entities under the Privacy Act 1988 and must comply with the Australian Privacy Principles. Below that threshold, the main pathway into coverage is a Commonwealth contract. Most standard conveyancing practice does not bring smaller firms into scope through that route, but if you handle tax file numbers for clients or provide services connected to a Commonwealth program, coverage may apply regardless of turnover. From 1 July 2026, the AML/CTF reforms will also apply Privacy Act obligations to personal information handled for AML/CTF compliance purposes, regardless of your annual turnover.
What should a conveyancer's payment verification process look like?
The most important control is a standing practice of verifying any bank account details by telephone using a number sourced independently before payment is made. The number should come from an earlier, verified communication or a publicly listed source, not from the email containing the payment instructions. The verification call should be documented. A client who receives payment instructions by email should also be told at the outset that bank details will never change and that they should call immediately if they receive unexpected payment instructions. This process-level control addresses the fraud vectors that DMARC and MFA cannot reach on their own.
Further reading
Related insights.
Settlement fraud in Australian conveyancing
How attackers intercept conveyancing email threads and substitute payment details, and the controls that stop it.
Compliance: Cyber security obligations for Australian legal practices
Privacy Act, Legal Profession Uniform Law and AML/CTF Tranche 2 reforms. What each framework requires and who it applies to.
Technical: The Essential Eight for Australian legal practices
No mandatory cyber framework applies to conveyancers, but the Essential Eight is the relevant benchmark for PI insurers and professional conduct purposes.
Compliance: AML/CTF Tranche 2: what conveyancers need to do before 1 July 2026
The designated services that bring conveyancers into AUSTRAC's regime, and what a compliant AML/CTF program looks like.
Also in legal
IronSights works across the legal sector.
Start with a review
A structured security review tells you exactly where your practice stands.
We assess your email security configuration, identity controls, payment verification processes and readiness for AML/CTF Tranche 2. The output is a practical, prioritised roadmap you can act on before 1 July 2026.
ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified security engineers. Australian-owned. Sydney-based.