As the mandatory switchover to online settlements draws closer,
our clients and other solicitors often ask us what this means
for them. In this article, we will cover:
Briefly, how traditional property settlements work.
The differences between traditional and online settlements.
How did the recent hacks happen?
Other examples of cyber-attacks on conveyancers and
property lawyers, and why the PEXA hacks were no different.
We outline signs of stress that suggest PEXA and the
conveyancing industry will not cope when online settlements
become mandatory from 1 October.
Some final thoughts on what vendors, purchasers and
practitioners should do in the world of online settlements.
Each party brings important documents (for example, the
transfer of land and discharge of mortgage documents for the
Titles Office, the certificate of title, and the forms used to
calculate stamp duty at the State Revenue Office) and/or bank
The parties then check all the details on the documents to
ensure that it is all correct and signed property, and ensure
that the funds are all going to the right people.
There is minimal opportunity for fraud because a fraudster
would need to impersonate and waylay one of the parties, produce
convincing physical forgeries, and also have a way to deposit
and clear a bank cheque that is not made out to them.
The basic concept behind an online settlement is the same, only
that the settlement 'location' is an online platform called PEXA
(think of it as for example, eBay or Amazon), the documents are
created and signed online (think of it as pressing the 'check
out' button) and the funds are all transferred electronically
instead of being on bank cheques. It is a bit like the
difference between buying a book at a department store compared
to buying it online.
Practitioners log into PEXA using a login and password.
The second layer of security is a physical USB key held at the
solicitor or conveyancer's office with its own password, that
must be inserted into the practitioner's computer when signing
off the transaction documents or the financial figures.
Practically, the main differences when it comes to security
There has been a lot of recent press about two vendors who lost
over $1 million when their PEXA settlements were compromised by
From what we have read, these matters came about from hackers
compromising the practitioners' email systems.
Once the fraudster had access to the practitioner's email
accounts, they could log into the PEXA platform, change the
account details for the destination funds, and relied on the
practitioner not doing a final check of the account details
before they inserted their physical security USB and signed off
on those details.
Somewhat impressively, they pulled this off on a fairly
technical platform without being detected. I would guess
that the fraudsters had someone on the team that was no stranger
to property settlements.
PEXA has since introduced some extra measures to make this sort
of attack a little harder: it is now more obvious if the account
details have been changed, and it is more difficult to create
new accounts on the platform. After initially denying all
liability, PEXA are also introducing a consumer guarantee to
fully cover innocent buyers or sellers if this comes up again in
future, but those details are not yet available as of the time
Cyber security is a hot topic amongst lawyers right now,
particularly property lawyers who routinely deal with the
transfer of client funds. I have heard that it is also of great
concern to real estate agents.
A quick look through the recent publications by the insurer for
solicitors reveals numerous articles and real examples of fraudsters impersonating
clients or solicitors, with or without hacking an email system.
A classic scenario is a hacker who gains access to a solicitor's
emails, and knowing that the solicitor is holding funds on
behalf of a client, sends an email that looks like it came from
that client instructing the solicitor to transfer those funds to
the hacker's account.
I can tell you that we receive at least one phishing or
suspicious email a week at Kai Legal. Some are very
obvious, but there have been some that impressed me in how close
they looked to the real thing. The time and effort that
went into crafting these scams indicate that the success rate
and expected pay-off for the fraudsters must be fairly good.
In our view, the recent attacks on PEXA are just a variant on
numerous types of phishing and hacking attacks already targeted
at conveyancers and solicitors. Online settlements allow
fraudsters a new avenue to attack, but good processes and proper
care provide an adequate defence. Practitioners must stay
vigilant, and adopt sensible security policies such as always
requiring verbal or face-to-face confirmations of account
details for funds transfers.
Our real concerns about PEXA are over whether the platform and
the industry is ready to go all-digital from 1 October.
Our main concerns fall within a few broad categories:
Online settlements are the inevitable future. Overall,
they are more efficient than traditional settlements, and the
issues we raise here can be addressed.
However, as a practitioner on the ground, we are seeing real
signs of stress in the system, and by making it mandatory on 1
October, there seems to be real potential for overload. We
advise caution, and encourage the government to push back the
launch date and use more gradual measures to transition
practitioners to online settlements. For example, all
transfers over a certain dollar value could be made mandatory
from 1 October, and that threshold could be reduced every four
months until all transfers are online.
In the meantime, if you are buying or selling property over the
next year, we strongly recommend that you ask your solicitor or
conveyancer how much experience they have with PEXA
settlements. There will be a major period of re-adjustment
for the Victorian conveyancing industry over the next 6-12
months, and you do not want to be stuck with someone with little
experience of this new world.
Kai is an experienced commercial and property lawyer.
Kai signed his firm up to the online settlements system in
2015, making Kai Legal one of the first cohort of firms to
transact online. In the three years since, Kai Legal has conducted over
100 settlements and other caveat or mortgage registrations
online, well before the Titles Office required that these transactions be processed online-only.
Call us on +61
3 9041 7733 if you would like to find out more.
You can see our related services for property purchases on our
Kai Legal publications provide general information, and are not
legal advice. These are not complete summaries of the law, and
only touch on select points and scenarios that may be relevant
to our readers.
This article is current as of 5 July 2018.
© Kai Legal 2018
3 9041 7733
+61 3 9015 6430
343 Little Collins Street
Photography courtesy of unsplash.com
Site designed and built by Kaifucius Pty Ltd.