it's theoretically possible to "intercept" and manipulate an email in flight, but it's extremely complex and unlikely, also spoofing doesn't make sense because they're not just impersonating someone else, they're hijacking a conversation.
what's more likely is that the real estate agency has their email compromised, the email trail and attached documents are being manipulated, sent items deleted.
https://www.accc.gov.au/media-release/beware-of-fake-invoices-from-scammers-impersonating-businesses
This is where my mind went as well. Not really a hack but an insider that has manipulated the system from the inside.
It goes without saying that as much as it’s good to know the real estate agent are looking into it I would be reporting this to the police to investigate.
I don't know how many times people have to be told this but always call them. You can email bank details but follow it up with a call, not more emails.
EDIT: sorry ignore me. I misread the OP as saying mum can't see the emails, not the RE. Definitely seems like the RE is compromised.
More likely the mum since it's her account which sent the follow up mail
Attackers compromise accounts and sit on them waiting for a transaction they can edit the bank details on
If the agency was compromised, wouldnt they also need access to my mums email? They would need to send and delete emails between the two accounts. Also they would need to know exact time of settlement to intercept and change the receipt.
I'm speculating based off what information is in your story, but the reason your mother can't find that sent email is because [it never existed, instead the agency's inbox is being manipulated](https://www.youtube.com/watch?v=GM-e46xdcUo). The agency was hacked and scammed (speculation) not your mother. You should report this, also don't believe anything the agency is telling you because right now they might be in a lot of trouble.
I mean a scammer could just delete the items from the sent folder/recycling bin. If I were to do this I would as it buys me a bit of time, preventing the individual from finding my email trail and asking the bank to stop the transfer
All of that information would be in other emails they in this scenario have access to, wouldn't they? If we're assuming the simplest way to get this done... all that needs to happen is uninhibited access to an email account. This is super easy to imagine with a small business that isn't security conscious. No 2FA, possibly the same password for everything, possibly no forced password changes over time.
House sales are pretty much the only instance where deals this size are being made by people without degrees, senior leadership positions, and dedicated IT departments let alone security specialists/consultants.
>House sales are pretty much the only instance where deals this size are being made by people without degrees, senior leadership positions, and dedicated IT departments let alone security specialists/consultants.
as said in response bellow I work for fintech company that process 10,000 of invoices daily.
Your are completely right - most targets are small to mid businesses without dedicated IT department or any enforced policies, training or similar. Finance departments run of by a single person or a front desk. Business emails running on personal computers that get compromised, etc
Its enough to get into the mailbox via brute force or simply by gaining access to computer. Analyse emails for few weeks. Then coordinate attack by sending mass invoices to various clients , suppliers, B2B comms requesting update for a bank details and similar. It can go completely undetectable for few weeks or even months . Especially true for companies that have high number of clients/invoices.
What I am trying to say its not only "big deals" that are targeted few dozen of invoices for $1,000 odd dollars to various clients will amass similar amount .
No. It’s incredibly easy to spoof the sender of an email. If I knew your email address I could write a 2 line script that sent mails that had your from address. I don’t need access to your account to do that.
Incredibly easy to spoof yes, but those messages should really not ever make it through to any half-decent email providers inbox.
Gmail, Outlook, Yahoo, iCloud Mail, Fastmail… would all reject that outright or at least send it to spam for not meeting DKIM/SPF rules.
Uh no. It's trivial to pretend to be someone else when sending email. Literally just type that name / email into an email client and off you go.
What I think happened is that the REA is compromised. There is some malware on their network or an inside agent and that allowed them to see the first incoming email with the correct account details. Which they then followed up with fake emails with different account deets.
Also the servers hosting the email could be compromised. Unlikely for gmail, but if it's a smaller host... it's possible. Email is not encrypted or anything so it's the wild west out there.
There may or may not be a IP address of interest in the headers of the fake emails. Depending on how the scammer sent the email.
>Uh no. It's trivial to pretend to be someone else when sending email. Literally just type that name / email into an email client and off you go.
Any email provider that isn't complete trash will perform an SPF check, where it will look at the domain and the source address of the email. Every non-trash organization publishes a list of authorized source addresses in what's called a DNS record that's publicly available.
So you receive the email, your email provider makes sure it comes from an authorized source, if it doesn't the email is rejected or at least trashed. These sorts of basic email spoofing tricks won't work unless someone has either completely miscofnigured their SPF record which lists the authorized addresses or the recipients email system is completely misconfigured.
But I agree, in these situations it's almost always the dinky small business that's the culprit. You can rest assured Google aren't the ones with misconfigurations, it's the local real estate company.
to me in really doesnt matter whos email got comprimised.
Agency is meant to put money into your account. You directed them with the account they should put it in and they didnt. They received a follow up email from you saying no change it (not from you even though the email is)... this kind of scam has being going on for years. This should have been picked up and a phone call should have been made to you guys. Just really bad protocol with the RE agency.
Depending on the method a sent email can be “unsent”. In Outlook it takes thirty seconds and as long as the recipient hasn’t yet opened it they would have no idea they’d ever received it.
The agency's IT said the emails (fake account details and payment receipt) came from my mums and their agency's emails. Someone was able to access both emails and manipulate incoming/outgoing mail.
Sorry to state the obvious but it’s up to the police to investigate. There has been a theft and they would be better placed to determine who, what, when, how. Their investigation would also be the basis for any further legal action.
I would not take the REA’s word as it’s potentially an insider threat covering their tracks. The more time between your mother raising the issue and the police becoming involved means more time to cover their tracks if it’s an insider.
Police say they don't deal with cases involving money. I could lodge an online report with Cybercrime but there wouldn't be a response. It is a civil matter and if REAs wouldn't compensate, I'll need to take them to court.
Responsibility is on the REA to verify the account details with you via seperate communication method, usually via phone or in person to confirm the account details.
REA at fault, there’s grounds to take legal action with this.
This. Phishing email scams targeting realestate agencies has been a known problem for many years now. They should have the process in place to call your mother before transferring money. You need to go to police for advice as the agency will not admit fault.
Don’t rely on the agency to resolve this or believe them when they say yours was the only scam document they received. They did not even manage to do the basic security measure of calling your mum before making payment.
Likely your mum has emailed after hours and the hackers had full access to their email account overnight to copy your mums email and send a replica spoof email with an edited version of the document with their bank details.
Their process, they transferred to a document from a scammer, their fault
I’m sorry this happened.
I think it is a legal requirement from REA to call the recipient to confirm their bank details. If that didn't happen talk to your lawyer, you could sue REA.
The agency said we should call our bank as well but our bank said there is not much they can do apart from confirming no payment was received. We don't have access to the accounts involved.
Call bank ASAP.
Get everything in writing from bank.
I ended up having to see the bank.
The bank called bank hotline, even the hotline lied to the bank agent calling them.
Bank manager became involved emailing as well. My conveyancer also did.
After 4 months and because bank did nothing and in writing from my initial information I had ombudsman involved. I received my money back and $1000.
This was ANZ last January.
One of the two emails was compromised and the scammers were waiting for the right time because they knew the settlement date was approaching.
If your Mum uses gmail have her check her access logs, it’ll list dates, times, devices and IP addresses that were recently logged in.
If none of those look suss, it’s the agents email that was compromised and the scammers simply sent a spoofed email with different headers to the agent who would have seen it came from your mum (but inspecting the source would show the real email).
Anyway, good luck.
Sorry to reply again OP.
The account number sent to you have documentation.
I was on a cruise when informed by my conveyancer.
I initiated contact via app of bank as limited internet.
Your bank will try anything to get out of recovery. My initial contact was writing. When the bank person called on my behalf they tried denying but I had in writing and bank person could see in writing.
Go to bank tomorrow.
I don’t know that it’s a legal requirement, but my agency makes a point of drilling into us that you don’t accept account details without confirming them by another known means - phone call with the client ideally but at least sms to a known good number. I believe that it’s really hard to get your PI insurance to pay if you didn’t follow basic steps to confirm account details.
OP, this is on the agency. They need to make your mum whole.
The REA is sending money to the vendor in this situation. They 100% should have called her to confirm details before changing them (especially with 3 separate accounts being provided here).
Definitely the REA's fault and they should be held accountable.
>It's crazy to think spammers can spoof two exact emails and intercept emails between them. Strangely with all the transactions at the agency, they only targeted my mums transfer. Has this happened to anyone else? We've learnt a hard lesson to always follow up with a phone call to confirm the details before a large transaction.
Its not crazy at all. I work with fintech company that process 10,000 invoices a day and amount of emails we receive where scammers pretend to be providers, sending legit invoices from legit addresses, or advising for a bank account change is concerning . As many noted - we have system in place where we prevent this by verifying the request for Bank Details Change.
How it works is that they get into mailboxes of providers and analyse emails - who do they sent to and what. Then they target specifics. e.g. They will send invoices targeting existing clients, request refunds, etc, etc. They can be dormant for weeks or months until they identify right target
As someone noted - most likely REA email got compromised and they faked comms to them and subsequently to your mum.
So your mum sends an Bank Account , they intercept that. Delete that email (or mark it as read, etc) and fake another one that is exactly the same but with different bank details. Your mum email in that respect isn't compromised. That is easily identifiable if you request from REA a full email headers from email your mum supposedly sent.
Then they intercept response and sent to your mum a response she is expecting from REA mailbox.
All parties think everything is legit and especially from your side as email coming through are all legit coming from REA mailbox.
It's entirely their fault and you should seek compensation and REA should disclose to their clients that they had emails compromised
Police, Fair trading and your solicitor should all be on the case.
The agent's professional indemnity insurance would be picking up the tab in the first instance most likely.
All the rest of that story has got nothing to do with you to be honest.
All that matters is that they haven’t transferred your money.
They could be lying about all this by the way.
NAL, but I'm reading this as your mum didn't lose her deposit to scammers; the REA did. In that case, it must be their responsibility to resolve the issue.
You need to be extremely strict with the agency and let them know that they owe you the money. From your point of view, there was no scammer. You just haven’t been paid the deposit.
This isn’t a case of being scammed because you haven’t been. The agent just hasn’t paid you. If they transferred money to the wrong account, that’s their problem. They still owe you your money.
This exact scam happened to my parents but they were the buyers. They received an email on the day deposit was due to be paid from the REA asking to change the bank account. And was followed by calls claiming to come from the Agency urging payment to be made.
Luckily they did not follow through and called the agent themselves to confirm.
The REA email server had been hacked. They monitored email for a month to work out when deposits might be due and then temporarily redirected email to enact the scam.
You can bet it’s the REA internet security that is at fault here as that’s what scammers target. And your mum won’t be the only one at the agency.
100% lawyer up
Sender sent to wrong account, 100% on them not you and start saying that to them. Don't let them try to manipulate you into thinking you have to chase the money and there is nothing they can do, as far as you are concerned you are still waiting for the REA to deposit the money into your account and if they do not you will have to look at taking legal action against them..
Also yes it sound like it could be an inside job coming up with two exact spoof email addresses. Ask the REA if they have reported this scam to the police and if they say no ask why not? 25k is nothing to sneeze at.
Lawyer up. You have grounds to sue the REA due to them not checking with you.
They opened themselves to be exploited. And they were as a result.
Their client data was clearly breached and as a result you lost your deposit. They are 100% liable as a result.
Actually, she didn't lose her deposit, the real estate agent lost it as they didn't do their due diligence. The REA needs to cough up the money that they were scammed out of (just like if it was the other way around your mum would have to pay again) this is not your mums problem.
We should have kept a better eye on things but on the day we were following the main payment (95%) from the lawyers office. Once that came through and we got the deposit receipt we let our guard down.
Yeap, the sales agent took their cut from the deposit then transferred the rest, so they didn't lose their cut.
You didn’t lose anything. They made the transfer. The responsibility is with them. They still owe you the money because they’ve never paid you. They got scammed. You didn’t.
at least they got paid from that amount (and reduced the amount lost to scammers). definitely agree with the majority here that this is the REA's problem to fix. good luck.
I followed up with my real estate agent, when purchasing, their bank details. They treated me like I was wasting their time and had to wait 2 days foe a call back. REAL ESTATE AGENTS ARE SCUM.
Correct me if I'm wrong but I'm reading this as the agency lost the deposit, your mum didn't lose shit, they fucked up very clearly here.
If she was BUYING a place, and she deposited, she's got something to worry about, as it is - this isn't on her at all.
The real estate stuffed up here. Any bank details should absolutely be confirmed over the phone / in person, and the real estate should know this. You are not out 25k, the REA are.
It’s also far more likely the REA emails were the ones compromised, not your mother’s. They usually target businesses specifically.
It’s a common scam. https://www.lawsociety.com.au/practising-law-in-NSW/trust-money-and-fidelity-funds/scam-alerts
They have hacked into your mums emails or into the agents. They set up rules to identify and alert themselves of various emails with key words $, deposit, funds, money etc. They track the account for a while and work out if they can replicate the emails correctly. When they do the fraud, they are very close, if not identical.
The agent has an obligation to confirm account details in person or by phone. These scams are widespread and there are warnings from solicitors and conveyancers on all correspondence.
Definitely talk it over with your mums solicitor/conveyancer.
If your mum is prepared to go to the papers or TV news, they absolutely love the combination of house deposit + scam + parent, can hit so many talking points in one story. I feel like there have been several stories like this.
The real estate agent might then be prompted to cough up the money faster if it turns out their own system was what was compromised and there is negative publicity building.
This is on them not your mum. I saw this in the RE insurance side of things. They are supposed to call to confirm emailed bank details. They owe her the money regardless.
Do you have access to the REA’s email account?? If not how are you believing a word they say?? They dropped the ball and wired the money to the wrong account and is now trying to shift blame.
What you've described sounds like the common middle man scheme. Happened to a council where I used to live, they paid a supplier invoice to a scammer who had intercepted the emails, $120k gone.
My settlement agent has a policy to email the invoice but you have to call to get the bank account details.
I'm sorry this happened to your Mum! You didn't say but this should still be reported to Police, don't just leave it up to the agency. Find more help.
This is on the real estate. How many times are businesses told to not ask for banking details/send banking details over email? Also, their email is compromised. That's on them. Time for a lawyer.
It’s not hard to spoof an email. Regardless, the REA is at fault for not verbally confirming the change of bank details over another method ie phone call. Ensure you fight them and take them to consumer affairs/VCAT.
That’s their fuckup, not yours or your mums.
So this is why the ring you and do the transfer on the phone to make sure it is goin to the rite account and not the scammers. That’s what the lawyers make me do when paying a lot of funds. No way they should of transferred with email confirmation
It is called a "Man in the middle" attack. Your mums PC/account or the RE is compromised. As you mentioned, always confirm bank details by phone, especially with big $ involved.
REA’s have indemnity insurance to cover things such as this. you’ll get your money, just may take a little while. Account details should also always be verified over the phone after an email has been received and prior to a transfer being done.
We were victims of a similar scam. We were to make a $30k purchase with a regular parts supplier we work with. After the order had been placed they emailed us advising they had a new account to transfer the money to.
Long story short, OUR system was compromised. We must have been fished/spoofed/and given them our email login details at some point, and when they saw we were about to make a bank transfer purchase they deleted the real email and send one from an email address that looked identical, but on closer inspection was slightly different.
I'm going to guess the REA is the victim of a similar scam. They have been compromised and have transferred the money to the scammed posing as your mother.
this was on the news before covid, I told my wife to email the details then call to confirm, or text the details
I cant remember which channel, most likely 9 and possibly on ACA
100% REA's would know about this scam
Had a similar attempt with my business emails. The scammer created a folder with a blank title and created mailbox rules to move incoming invoices to the folder so they could send dummy invoices to me. They also tried to email those who had invoices owing to change payment details.
Luckily I discovered this after a few questionable reply emails that I read before they were deleted.
This is why it pays to change passwords regularly
We phone suppliers for their account details confirmation.
Also Netbank shows up as matching the details and the name. If it doesn’t match, it says so. All banks need better means to protect people.
When we went through settlement our bank manager warned these types of scams can happen and ring the REA to confirm the account details for the deposits and not just off the email- even the REA understood my concerns when I said ' I just want to be reassured that the account details are theirs
One suggestion is to ask the REA to make you whole, otherwise their name should be shared more broadly with the community to prevent these types of incidents. Otherwise there is nothing stopping the next client of the REA from experiencing the same thing.
This is my take, not legal advice:
I've only heard of this happening a few times. Speak to your lawyer now, as the money is in trust is a very serious matter.
The agents trust accountant should have called to confirm bank details.
I've heard the AFP gets involved in this stuff.
Generally the agency should have insurance for this, if they don't, will be bad for them.
The AFP will ask for statements, and give you advice
this is quite common.
get in touch with the bank and police and follow their steps
the real estate should have cyber attack insurance (or something to that effect)
basically the insurance pays you out for the house, you move on with life and the investigation, the new owners have a house to move into and the onus is on the real estate for not checking after the fact they got 2 emails with different details
Similar thing happened to a fella I work with, seems to be a pretty common unfortunately.
You can see his story in the link below
https://www.facebook.com/share/v/QQC6YzneFpTgwb9p/?mibextid=xCWQen
Sorry to hear about this. Just document everything, attend a branch and report it there.
Going forward, always best to call the agent, obtain their BSB and account number and verify with their office if you are paranoid. Double check to see if the details match those on the contract.
Is your mum able to log into her email account and review logins from other locations etc?
I always get notifications when people try to log into my Hotmail accounts and I can see where in the world they tried from… it’s very frustrating.
It won’t change anything but I’d be curious to know where they did it from!
Just in case I would change the password and enable 2FA/MFA.
Also ask for a copy of the emails sent as an attachment. Then check the headers to see what server sent the message. Not my area but I'm vaguely familiar and can interpret if you like.
Regardless, sounding like REA is on the hook.
Yes, this is a thing and it happens. It’s not as common as other scams but this is 100% possible. I’ve heard of a bunch of stories about this and even My partners Buisness had this happen to them, email gets intercepted and bank details changed, the only thing that’s changed. Payment gets made to wrong account.
Always make a phone call to confirm details when transferring money.
I always visit the solicitor and have them give me their business card with the bank details of where money needs to be paid written on the back. Before paying I call their office to confirm the details. If you adopt a ZERO TRUST protocol for electronic communications you will never get scammed.
The REA should never have accepted an email instruction with bank details, this is outdated methodology. Always call to confirm.
To those that think their email is secure, glad you did not use the same password for your tiktok account.
What state are you in as I know laws vary but why did the REA not transfer the deposit funds to the settlement agent prior to settlement? Worked in property sales for years doing these kind of transfers and I’ve never heard of any payment from the REA going direct to the seller, it’s usually done as a DLC (deposit less commission) to the settlement agent, or if the commission is higher than the deposit the settlement agent pays this to the REA upon settlement. Sounds like a very odd situation.
Report to the bank ASAP. This is the only way we got our money back (same situation as yours.)
The scammers bank account was frozen and it took a few weeks but the money was recovered.
Best of luck - it’s such an awful experience. I hope you can recover the money.
Also I don’t think your mother is necessarily liable for this. There may have been a security breach with the agents system. Don’t let them walk away without trying to resolve the issue.
This is an example of why you should never exchange financial information via email. In this instance clearly the mother’s email account has been compromised, they got her password, probably because it’s the same as every other password she uses, and sat and waited. Once the email went out with her details, all they needed to do was send another with alternate details. Then delete the email from the sent folder and delete any pertinent responses. This would have been avoided by the use of MFA on the email account. The REA should know better than to exchange information in this manner, but if it was OPs mother’s account that was compromised liability is really hers. The reality is unfortunately, that many people in this world struggle to understand IT at any level and need to be made to conform to security standards for their own protection.
Really simple one here - the real estate agent was scammed. Your mum gave the right details and she never received her money, and still hasn’t.
Everything else has nothing to do with your mum, who is still awaiting her money. If the REA isn’t paying, report them to your state body. They can tell them the story about the fraudulent account - sucks to be them but if they want to continue trading and not be prosecuted then they pay you.
I’d not get too close to this one, just pursue the money, which is their responsibility to hold and pay to your mum.
Police should already have this on record, and never, ever frame it like your mum was scammed again. Framing is:
“REA not paying my mum her deposit, claiming something about fraud”.
Your mum didn’t get scammed. The REAL did. They sent the money to the wrong place.
Anyone with 1/16th of a brain would feel red flags is they get a different bank account just before money is to be sent, let alone a THIRD bank account.
If you get a notification that your email has been hacked/is on a hack list. Change your password immediately. You might think your emails are not important but some scammer might be monitoring traffic waiting for the day to strike. I once bought a new game and then could not login to my emails for a bit. Thought I was typing the password wrong, then got distracted and left it 2 days. Came back reset password to see someone had bought 3 more games via my account using my email to reset the password on my gaming account and downloaded the games. These were the days of serial numbers so they got 3 games for free. I am diligent after that.
Scammers can get into your email and set up rules to redirect mail to and from an account. They then modify the pdf and change the account details into their account.
My partner had a largish some of money deposited to his account from a family trust wind up.
The solicitor asked twice via phone to confirm banking details.
This has become a more common than you think scam, regardless of whose email was scammed.
Check that emails aren’t being forwarded to another email address and a copy kept in your mums, so she doesn’t know it’s happening. Most people change passwords but forgetting to check emails aren’t being forwarded.
The whole thing is wrong.
The REA was taken in by scammers.
The REA sent the deposit to the wrong account.
The REA should be the one lodging a police complaint against the (unknown?) scammer and fessing up to being scammed.
The REA and their bank should be the parties trying to recover the incorrectly-transferred funds.
The REA is muddying the waters with claims of unread and intercepted emails... any changes to a contract (like bank account details) would require both parties to literally sign off on the changes.
The REA'S failure to pay the deposit is technically a separate issue.
Your mum's only issues here are the non-payment of the deposit, and the REA'S non-responsiveness to follow up requests. If the REA got scammed then that's their problem and not your mums.
A bit late to this but it reads like a classic case of a BEC scam. Business Email Compromise is a scam where attackers gain access to an email account and passively wait for an opportunity/deal like this.
From your OP it's hard to tell if the Compromise is on the OP end or the agents. As a precaution, change your email accounts password anyway and look for any mail rules in your mailbox settings such as auto forwarding etc.
Considering both money and a cyber attack are involved, you need to get the police involved and also report here https://www.cyber.gov.au/report-and-recover/recover-from/hacking
If only we had some technology where you could speak directly to the person to confirm the bank details in the email. Maybe this is too hard for real estate agents. 100% their fault.
OP, you're going to need to verify that your Mom's email hasn't been compromised.
Edit: it's unlikely on your side as the other comments have said, but it's easy enough to verify. The police are going to be involved sooner or later and I'd assume they'll investigate both sides.
* Whos is your mums email provider?
* Does she have MFA on?
Send me a DM if you want a hand, I work in cyber security (I can send proof and details in a MD) if you want a hand.
The real estate would of had original email and bank account number. The 5% would have been done at exchange as in 4 weeks before settlement. Sounds dodgy to me. Real estate needs looking in to by contacting real estate Institute
If settlement money went in
Why didn't 5% exchange go in
The deposit was held at the agents trust account before settlement. On the settlement day, the main sum were transferred from buyers bank to mums lawyer then her account. Separately, the agent attempted to transfer the deposit from their trust account directly to my mums account.
Agent at fault then. Their insurance should pay. I would seriously ring Real Estate Institute of Australia. I would let Real Estate know this.
When real estate was going to transfer money they should have called to verify bank details or put through your solicitor. I smell a rat.
Talk to your Mum's Lawyer/Conveyancer as well - this is what she pays them to do. But the others are right - it's the REAs fault and its their job to sort it out. If you have a receipt from them with the correct details of your Mum's account you have nothing to worry about.
it's theoretically possible to "intercept" and manipulate an email in flight, but it's extremely complex and unlikely, also spoofing doesn't make sense because they're not just impersonating someone else, they're hijacking a conversation. what's more likely is that the real estate agency has their email compromised, the email trail and attached documents are being manipulated, sent items deleted. https://www.accc.gov.au/media-release/beware-of-fake-invoices-from-scammers-impersonating-businesses
This is where my mind went as well. Not really a hack but an insider that has manipulated the system from the inside. It goes without saying that as much as it’s good to know the real estate agent are looking into it I would be reporting this to the police to investigate.
I don't know how many times people have to be told this but always call them. You can email bank details but follow it up with a call, not more emails. EDIT: sorry ignore me. I misread the OP as saying mum can't see the emails, not the RE. Definitely seems like the RE is compromised.
More likely the mum since it's her account which sent the follow up mail Attackers compromise accounts and sit on them waiting for a transaction they can edit the bank details on
If the agency was compromised, wouldnt they also need access to my mums email? They would need to send and delete emails between the two accounts. Also they would need to know exact time of settlement to intercept and change the receipt.
I'm speculating based off what information is in your story, but the reason your mother can't find that sent email is because [it never existed, instead the agency's inbox is being manipulated](https://www.youtube.com/watch?v=GM-e46xdcUo). The agency was hacked and scammed (speculation) not your mother. You should report this, also don't believe anything the agency is telling you because right now they might be in a lot of trouble.
I mean a scammer could just delete the items from the sent folder/recycling bin. If I were to do this I would as it buys me a bit of time, preventing the individual from finding my email trail and asking the bank to stop the transfer
All of that information would be in other emails they in this scenario have access to, wouldn't they? If we're assuming the simplest way to get this done... all that needs to happen is uninhibited access to an email account. This is super easy to imagine with a small business that isn't security conscious. No 2FA, possibly the same password for everything, possibly no forced password changes over time. House sales are pretty much the only instance where deals this size are being made by people without degrees, senior leadership positions, and dedicated IT departments let alone security specialists/consultants.
>House sales are pretty much the only instance where deals this size are being made by people without degrees, senior leadership positions, and dedicated IT departments let alone security specialists/consultants. as said in response bellow I work for fintech company that process 10,000 of invoices daily. Your are completely right - most targets are small to mid businesses without dedicated IT department or any enforced policies, training or similar. Finance departments run of by a single person or a front desk. Business emails running on personal computers that get compromised, etc Its enough to get into the mailbox via brute force or simply by gaining access to computer. Analyse emails for few weeks. Then coordinate attack by sending mass invoices to various clients , suppliers, B2B comms requesting update for a bank details and similar. It can go completely undetectable for few weeks or even months . Especially true for companies that have high number of clients/invoices. What I am trying to say its not only "big deals" that are targeted few dozen of invoices for $1,000 odd dollars to various clients will amass similar amount .
No. It’s incredibly easy to spoof the sender of an email. If I knew your email address I could write a 2 line script that sent mails that had your from address. I don’t need access to your account to do that.
Incredibly easy to spoof yes, but those messages should really not ever make it through to any half-decent email providers inbox. Gmail, Outlook, Yahoo, iCloud Mail, Fastmail… would all reject that outright or at least send it to spam for not meeting DKIM/SPF rules.
Interesting. I’ll try today and report back.
Uh no. It's trivial to pretend to be someone else when sending email. Literally just type that name / email into an email client and off you go. What I think happened is that the REA is compromised. There is some malware on their network or an inside agent and that allowed them to see the first incoming email with the correct account details. Which they then followed up with fake emails with different account deets. Also the servers hosting the email could be compromised. Unlikely for gmail, but if it's a smaller host... it's possible. Email is not encrypted or anything so it's the wild west out there. There may or may not be a IP address of interest in the headers of the fake emails. Depending on how the scammer sent the email.
Most modern email providers will support dkim which will stop old-school post spoofing.
>Uh no. It's trivial to pretend to be someone else when sending email. Literally just type that name / email into an email client and off you go. Any email provider that isn't complete trash will perform an SPF check, where it will look at the domain and the source address of the email. Every non-trash organization publishes a list of authorized source addresses in what's called a DNS record that's publicly available. So you receive the email, your email provider makes sure it comes from an authorized source, if it doesn't the email is rejected or at least trashed. These sorts of basic email spoofing tricks won't work unless someone has either completely miscofnigured their SPF record which lists the authorized addresses or the recipients email system is completely misconfigured. But I agree, in these situations it's almost always the dinky small business that's the culprit. You can rest assured Google aren't the ones with misconfigurations, it's the local real estate company.
to me in really doesnt matter whos email got comprimised. Agency is meant to put money into your account. You directed them with the account they should put it in and they didnt. They received a follow up email from you saying no change it (not from you even though the email is)... this kind of scam has being going on for years. This should have been picked up and a phone call should have been made to you guys. Just really bad protocol with the RE agency.
Depending on the method a sent email can be “unsent”. In Outlook it takes thirty seconds and as long as the recipient hasn’t yet opened it they would have no idea they’d ever received it.
That only works for internal corporate emails.
[удалено]
The agency's IT said the emails (fake account details and payment receipt) came from my mums and their agency's emails. Someone was able to access both emails and manipulate incoming/outgoing mail.
Sorry to state the obvious but it’s up to the police to investigate. There has been a theft and they would be better placed to determine who, what, when, how. Their investigation would also be the basis for any further legal action. I would not take the REA’s word as it’s potentially an insider threat covering their tracks. The more time between your mother raising the issue and the police becoming involved means more time to cover their tracks if it’s an insider.
Police say they don't deal with cases involving money. I could lodge an online report with Cybercrime but there wouldn't be a response. It is a civil matter and if REAs wouldn't compensate, I'll need to take them to court.
Did you speak to your local police? I wouldn't trust. This is a type of fraud, definitely a police matter.
[удалено]
Not only that but there's no point in hacking both. Only one party needs to be compromised for this to work.
I think your mum’s email was compromised. The scammer will do their best to delete any trace left
Much more likely it was the REA.
100%
100% this
Responsibility is on the REA to verify the account details with you via seperate communication method, usually via phone or in person to confirm the account details. REA at fault, there’s grounds to take legal action with this.
This. Phishing email scams targeting realestate agencies has been a known problem for many years now. They should have the process in place to call your mother before transferring money. You need to go to police for advice as the agency will not admit fault. Don’t rely on the agency to resolve this or believe them when they say yours was the only scam document they received. They did not even manage to do the basic security measure of calling your mum before making payment. Likely your mum has emailed after hours and the hackers had full access to their email account overnight to copy your mums email and send a replica spoof email with an edited version of the document with their bank details. Their process, they transferred to a document from a scammer, their fault I’m sorry this happened.
I think it is a legal requirement from REA to call the recipient to confirm their bank details. If that didn't happen talk to your lawyer, you could sue REA.
The agency said we should call our bank as well but our bank said there is not much they can do apart from confirming no payment was received. We don't have access to the accounts involved.
REA is trying to shift the blame. This has nothing to do with the bank, so understandably the bank won't do anything. Lawyer up.
Nothing to do with the vendors bank. REA's bank knows where it went.
So the REA wires the funds to the wrong account and now it's your problem? Lol Sue them.
Call bank ASAP. Get everything in writing from bank. I ended up having to see the bank. The bank called bank hotline, even the hotline lied to the bank agent calling them. Bank manager became involved emailing as well. My conveyancer also did. After 4 months and because bank did nothing and in writing from my initial information I had ombudsman involved. I received my money back and $1000. This was ANZ last January.
One of the two emails was compromised and the scammers were waiting for the right time because they knew the settlement date was approaching. If your Mum uses gmail have her check her access logs, it’ll list dates, times, devices and IP addresses that were recently logged in. If none of those look suss, it’s the agents email that was compromised and the scammers simply sent a spoofed email with different headers to the agent who would have seen it came from your mum (but inspecting the source would show the real email). Anyway, good luck.
Sorry to reply again OP. The account number sent to you have documentation. I was on a cruise when informed by my conveyancer. I initiated contact via app of bank as limited internet. Your bank will try anything to get out of recovery. My initial contact was writing. When the bank person called on my behalf they tried denying but I had in writing and bank person could see in writing. Go to bank tomorrow.
I don’t know that it’s a legal requirement, but my agency makes a point of drilling into us that you don’t accept account details without confirming them by another known means - phone call with the client ideally but at least sms to a known good number. I believe that it’s really hard to get your PI insurance to pay if you didn’t follow basic steps to confirm account details. OP, this is on the agency. They need to make your mum whole.
This is such a common scam that insurers bang on about, agency deeeeeffinitely dropped the ball here
My REA never did this.
You put this on the REA? I call the REA to make sure that the bank details on the email matches theirs. Take responsibility.
LMFAO IT IS 100% the senders fault. They still owe her the money. They could be in on the scam for all she knows.
The REA is sending money to the vendor in this situation. They 100% should have called her to confirm details before changing them (especially with 3 separate accounts being provided here). Definitely the REA's fault and they should be held accountable.
This is very common with REA and they should know better and make the call. It’s on them
>It's crazy to think spammers can spoof two exact emails and intercept emails between them. Strangely with all the transactions at the agency, they only targeted my mums transfer. Has this happened to anyone else? We've learnt a hard lesson to always follow up with a phone call to confirm the details before a large transaction. Its not crazy at all. I work with fintech company that process 10,000 invoices a day and amount of emails we receive where scammers pretend to be providers, sending legit invoices from legit addresses, or advising for a bank account change is concerning . As many noted - we have system in place where we prevent this by verifying the request for Bank Details Change. How it works is that they get into mailboxes of providers and analyse emails - who do they sent to and what. Then they target specifics. e.g. They will send invoices targeting existing clients, request refunds, etc, etc. They can be dormant for weeks or months until they identify right target As someone noted - most likely REA email got compromised and they faked comms to them and subsequently to your mum. So your mum sends an Bank Account , they intercept that. Delete that email (or mark it as read, etc) and fake another one that is exactly the same but with different bank details. Your mum email in that respect isn't compromised. That is easily identifiable if you request from REA a full email headers from email your mum supposedly sent. Then they intercept response and sent to your mum a response she is expecting from REA mailbox. All parties think everything is legit and especially from your side as email coming through are all legit coming from REA mailbox. It's entirely their fault and you should seek compensation and REA should disclose to their clients that they had emails compromised
Police, Fair trading and your solicitor should all be on the case. The agent's professional indemnity insurance would be picking up the tab in the first instance most likely.
All the rest of that story has got nothing to do with you to be honest. All that matters is that they haven’t transferred your money. They could be lying about all this by the way.
NAL, but I'm reading this as your mum didn't lose her deposit to scammers; the REA did. In that case, it must be their responsibility to resolve the issue.
You need to be extremely strict with the agency and let them know that they owe you the money. From your point of view, there was no scammer. You just haven’t been paid the deposit. This isn’t a case of being scammed because you haven’t been. The agent just hasn’t paid you. If they transferred money to the wrong account, that’s their problem. They still owe you your money.
This exact scam happened to my parents but they were the buyers. They received an email on the day deposit was due to be paid from the REA asking to change the bank account. And was followed by calls claiming to come from the Agency urging payment to be made. Luckily they did not follow through and called the agent themselves to confirm. The REA email server had been hacked. They monitored email for a month to work out when deposits might be due and then temporarily redirected email to enact the scam. You can bet it’s the REA internet security that is at fault here as that’s what scammers target. And your mum won’t be the only one at the agency. 100% lawyer up
Geez that’s scary! I probably would have fallen for that if I didn’t read this!
Sender sent to wrong account, 100% on them not you and start saying that to them. Don't let them try to manipulate you into thinking you have to chase the money and there is nothing they can do, as far as you are concerned you are still waiting for the REA to deposit the money into your account and if they do not you will have to look at taking legal action against them.. Also yes it sound like it could be an inside job coming up with two exact spoof email addresses. Ask the REA if they have reported this scam to the police and if they say no ask why not? 25k is nothing to sneeze at.
Lawyer up. You have grounds to sue the REA due to them not checking with you. They opened themselves to be exploited. And they were as a result. Their client data was clearly breached and as a result you lost your deposit. They are 100% liable as a result.
She never got the money so it’s on the sender to send it correctly. Definitely chase this up.
Actually, she didn't lose her deposit, the real estate agent lost it as they didn't do their due diligence. The REA needs to cough up the money that they were scammed out of (just like if it was the other way around your mum would have to pay again) this is not your mums problem.
wouldn't this be something to check on settlement day? also, selling agent got paid their fees no doubt...
We should have kept a better eye on things but on the day we were following the main payment (95%) from the lawyers office. Once that came through and we got the deposit receipt we let our guard down. Yeap, the sales agent took their cut from the deposit then transferred the rest, so they didn't lose their cut.
You didn’t lose anything. They made the transfer. The responsibility is with them. They still owe you the money because they’ve never paid you. They got scammed. You didn’t.
at least they got paid from that amount (and reduced the amount lost to scammers). definitely agree with the majority here that this is the REA's problem to fix. good luck.
I followed up with my real estate agent, when purchasing, their bank details. They treated me like I was wasting their time and had to wait 2 days foe a call back. REAL ESTATE AGENTS ARE SCUM.
Correct me if I'm wrong but I'm reading this as the agency lost the deposit, your mum didn't lose shit, they fucked up very clearly here. If she was BUYING a place, and she deposited, she's got something to worry about, as it is - this isn't on her at all.
The real estate stuffed up here. Any bank details should absolutely be confirmed over the phone / in person, and the real estate should know this. You are not out 25k, the REA are. It’s also far more likely the REA emails were the ones compromised, not your mother’s. They usually target businesses specifically.
It’s a common scam. https://www.lawsociety.com.au/practising-law-in-NSW/trust-money-and-fidelity-funds/scam-alerts They have hacked into your mums emails or into the agents. They set up rules to identify and alert themselves of various emails with key words $, deposit, funds, money etc. They track the account for a while and work out if they can replicate the emails correctly. When they do the fraud, they are very close, if not identical. The agent has an obligation to confirm account details in person or by phone. These scams are widespread and there are warnings from solicitors and conveyancers on all correspondence. Definitely talk it over with your mums solicitor/conveyancer.
If your mum is prepared to go to the papers or TV news, they absolutely love the combination of house deposit + scam + parent, can hit so many talking points in one story. I feel like there have been several stories like this. The real estate agent might then be prompted to cough up the money faster if it turns out their own system was what was compromised and there is negative publicity building.
This is on them not your mum. I saw this in the RE insurance side of things. They are supposed to call to confirm emailed bank details. They owe her the money regardless.
its possible the REA mail account and service was the one compromised. Headers on the fake email will show whose account was compromised.
Do you have access to the REA’s email account?? If not how are you believing a word they say?? They dropped the ball and wired the money to the wrong account and is now trying to shift blame.
What you've described sounds like the common middle man scheme. Happened to a council where I used to live, they paid a supplier invoice to a scammer who had intercepted the emails, $120k gone. My settlement agent has a policy to email the invoice but you have to call to get the bank account details. I'm sorry this happened to your Mum! You didn't say but this should still be reported to Police, don't just leave it up to the agency. Find more help.
Thanks for that. We reported to the police. They say the lack of a third spoof email is odd but still might be a cybercrime.
Sue the shit out of them
REA should be investigating their emails service as potentially breached. I've demonstrated to others how easily it is to be spoofed and breached.
This is on the real estate. How many times are businesses told to not ask for banking details/send banking details over email? Also, their email is compromised. That's on them. Time for a lawyer.
Sounds like your mum didn’t lose her deposit. Rather the REA did. As others mentioned it’s super easy to send an email pretending to come from anyone.
See if your state's fair trading officing handles real estate agents, specifically trust account mismanagement
It’s not hard to spoof an email. Regardless, the REA is at fault for not verbally confirming the change of bank details over another method ie phone call. Ensure you fight them and take them to consumer affairs/VCAT. That’s their fuckup, not yours or your mums.
So this is why the ring you and do the transfer on the phone to make sure it is goin to the rite account and not the scammers. That’s what the lawyers make me do when paying a lot of funds. No way they should of transferred with email confirmation
That’s the real estate agents fault. They should called to confirm the bank details
It is called a "Man in the middle" attack. Your mums PC/account or the RE is compromised. As you mentioned, always confirm bank details by phone, especially with big $ involved.
REA’s have indemnity insurance to cover things such as this. you’ll get your money, just may take a little while. Account details should also always be verified over the phone after an email has been received and prior to a transfer being done.
We were victims of a similar scam. We were to make a $30k purchase with a regular parts supplier we work with. After the order had been placed they emailed us advising they had a new account to transfer the money to. Long story short, OUR system was compromised. We must have been fished/spoofed/and given them our email login details at some point, and when they saw we were about to make a bank transfer purchase they deleted the real email and send one from an email address that looked identical, but on closer inspection was slightly different. I'm going to guess the REA is the victim of a similar scam. They have been compromised and have transferred the money to the scammed posing as your mother.
All too common now :(
this was on the news before covid, I told my wife to email the details then call to confirm, or text the details I cant remember which channel, most likely 9 and possibly on ACA 100% REA's would know about this scam
Had a similar attempt with my business emails. The scammer created a folder with a blank title and created mailbox rules to move incoming invoices to the folder so they could send dummy invoices to me. They also tried to email those who had invoices owing to change payment details. Luckily I discovered this after a few questionable reply emails that I read before they were deleted. This is why it pays to change passwords regularly
If you are in WA contact WA Scamnet alternatively, cyber.gov.au or the ACCC. Sometimes they have contacts at the bank and may be able to help.
We phone suppliers for their account details confirmation. Also Netbank shows up as matching the details and the name. If it doesn’t match, it says so. All banks need better means to protect people.
It’s easy to tell who got scammed. One of you will have a rule in place in outlook that the scammers placed to intercept mail
When we went through settlement our bank manager warned these types of scams can happen and ring the REA to confirm the account details for the deposits and not just off the email- even the REA understood my concerns when I said ' I just want to be reassured that the account details are theirs
Which state?
NSW
One suggestion is to ask the REA to make you whole, otherwise their name should be shared more broadly with the community to prevent these types of incidents. Otherwise there is nothing stopping the next client of the REA from experiencing the same thing.
This is my take, not legal advice: I've only heard of this happening a few times. Speak to your lawyer now, as the money is in trust is a very serious matter. The agents trust accountant should have called to confirm bank details. I've heard the AFP gets involved in this stuff. Generally the agency should have insurance for this, if they don't, will be bad for them. The AFP will ask for statements, and give you advice
this is quite common. get in touch with the bank and police and follow their steps the real estate should have cyber attack insurance (or something to that effect) basically the insurance pays you out for the house, you move on with life and the investigation, the new owners have a house to move into and the onus is on the real estate for not checking after the fact they got 2 emails with different details
Similar thing happened to a fella I work with, seems to be a pretty common unfortunately. You can see his story in the link below https://www.facebook.com/share/v/QQC6YzneFpTgwb9p/?mibextid=xCWQen
Sorry to hear about this. Just document everything, attend a branch and report it there. Going forward, always best to call the agent, obtain their BSB and account number and verify with their office if you are paranoid. Double check to see if the details match those on the contract.
Is your mum able to log into her email account and review logins from other locations etc? I always get notifications when people try to log into my Hotmail accounts and I can see where in the world they tried from… it’s very frustrating. It won’t change anything but I’d be curious to know where they did it from!
Yeah we checked access. There was a list of overseas unsuccessful attempts but the successful logins seemed to be legitimate.
Just in case I would change the password and enable 2FA/MFA. Also ask for a copy of the emails sent as an attachment. Then check the headers to see what server sent the message. Not my area but I'm vaguely familiar and can interpret if you like. Regardless, sounding like REA is on the hook.
The REA owes your mum money. It’s none of your business apart from the fact they haven’t paid.
Yes, this is a thing and it happens. It’s not as common as other scams but this is 100% possible. I’ve heard of a bunch of stories about this and even My partners Buisness had this happen to them, email gets intercepted and bank details changed, the only thing that’s changed. Payment gets made to wrong account. Always make a phone call to confirm details when transferring money.
I always visit the solicitor and have them give me their business card with the bank details of where money needs to be paid written on the back. Before paying I call their office to confirm the details. If you adopt a ZERO TRUST protocol for electronic communications you will never get scammed. The REA should never have accepted an email instruction with bank details, this is outdated methodology. Always call to confirm. To those that think their email is secure, glad you did not use the same password for your tiktok account.
What state are you in as I know laws vary but why did the REA not transfer the deposit funds to the settlement agent prior to settlement? Worked in property sales for years doing these kind of transfers and I’ve never heard of any payment from the REA going direct to the seller, it’s usually done as a DLC (deposit less commission) to the settlement agent, or if the commission is higher than the deposit the settlement agent pays this to the REA upon settlement. Sounds like a very odd situation.
Report to the bank ASAP. This is the only way we got our money back (same situation as yours.) The scammers bank account was frozen and it took a few weeks but the money was recovered. Best of luck - it’s such an awful experience. I hope you can recover the money. Also I don’t think your mother is necessarily liable for this. There may have been a security breach with the agents system. Don’t let them walk away without trying to resolve the issue.
This is an example of why you should never exchange financial information via email. In this instance clearly the mother’s email account has been compromised, they got her password, probably because it’s the same as every other password she uses, and sat and waited. Once the email went out with her details, all they needed to do was send another with alternate details. Then delete the email from the sent folder and delete any pertinent responses. This would have been avoided by the use of MFA on the email account. The REA should know better than to exchange information in this manner, but if it was OPs mother’s account that was compromised liability is really hers. The reality is unfortunately, that many people in this world struggle to understand IT at any level and need to be made to conform to security standards for their own protection.
Really simple one here - the real estate agent was scammed. Your mum gave the right details and she never received her money, and still hasn’t. Everything else has nothing to do with your mum, who is still awaiting her money. If the REA isn’t paying, report them to your state body. They can tell them the story about the fraudulent account - sucks to be them but if they want to continue trading and not be prosecuted then they pay you. I’d not get too close to this one, just pursue the money, which is their responsibility to hold and pay to your mum. Police should already have this on record, and never, ever frame it like your mum was scammed again. Framing is: “REA not paying my mum her deposit, claiming something about fraud”.
Did you look at the email headers, or just the return email address?
never email your personal account details like bsb/acc#, it's not secure!
Your mum didn’t get scammed. The REAL did. They sent the money to the wrong place. Anyone with 1/16th of a brain would feel red flags is they get a different bank account just before money is to be sent, let alone a THIRD bank account.
If you get a notification that your email has been hacked/is on a hack list. Change your password immediately. You might think your emails are not important but some scammer might be monitoring traffic waiting for the day to strike. I once bought a new game and then could not login to my emails for a bit. Thought I was typing the password wrong, then got distracted and left it 2 days. Came back reset password to see someone had bought 3 more games via my account using my email to reset the password on my gaming account and downloaded the games. These were the days of serial numbers so they got 3 games for free. I am diligent after that.
Scammers can get into your email and set up rules to redirect mail to and from an account. They then modify the pdf and change the account details into their account.
Until banks start implementing payee name validation, I'm going to be old fashioned and stick with bank cheques for large payments.
My partner had a largish some of money deposited to his account from a family trust wind up. The solicitor asked twice via phone to confirm banking details. This has become a more common than you think scam, regardless of whose email was scammed.
Sounds like she’s still owed 5%
Check that emails aren’t being forwarded to another email address and a copy kept in your mums, so she doesn’t know it’s happening. Most people change passwords but forgetting to check emails aren’t being forwarded.
The whole thing is wrong. The REA was taken in by scammers. The REA sent the deposit to the wrong account. The REA should be the one lodging a police complaint against the (unknown?) scammer and fessing up to being scammed. The REA and their bank should be the parties trying to recover the incorrectly-transferred funds. The REA is muddying the waters with claims of unread and intercepted emails... any changes to a contract (like bank account details) would require both parties to literally sign off on the changes. The REA'S failure to pay the deposit is technically a separate issue. Your mum's only issues here are the non-payment of the deposit, and the REA'S non-responsiveness to follow up requests. If the REA got scammed then that's their problem and not your mums.
A bit late to this but it reads like a classic case of a BEC scam. Business Email Compromise is a scam where attackers gain access to an email account and passively wait for an opportunity/deal like this. From your OP it's hard to tell if the Compromise is on the OP end or the agents. As a precaution, change your email accounts password anyway and look for any mail rules in your mailbox settings such as auto forwarding etc. Considering both money and a cyber attack are involved, you need to get the police involved and also report here https://www.cyber.gov.au/report-and-recover/recover-from/hacking
If only we had some technology where you could speak directly to the person to confirm the bank details in the email. Maybe this is too hard for real estate agents. 100% their fault.
Why do I feel like the REA’s in on it
OP, you're going to need to verify that your Mom's email hasn't been compromised. Edit: it's unlikely on your side as the other comments have said, but it's easy enough to verify. The police are going to be involved sooner or later and I'd assume they'll investigate both sides. * Whos is your mums email provider? * Does she have MFA on? Send me a DM if you want a hand, I work in cyber security (I can send proof and details in a MD) if you want a hand.
The real estate would of had original email and bank account number. The 5% would have been done at exchange as in 4 weeks before settlement. Sounds dodgy to me. Real estate needs looking in to by contacting real estate Institute If settlement money went in Why didn't 5% exchange go in
The deposit was held at the agents trust account before settlement. On the settlement day, the main sum were transferred from buyers bank to mums lawyer then her account. Separately, the agent attempted to transfer the deposit from their trust account directly to my mums account.
Agent at fault then. Their insurance should pay. I would seriously ring Real Estate Institute of Australia. I would let Real Estate know this. When real estate was going to transfer money they should have called to verify bank details or put through your solicitor. I smell a rat.
Agent 100% at fault here please do NOT let this go. If the tables were turned, do you think they would let you off?
Talk to your Mum's Lawyer/Conveyancer as well - this is what she pays them to do. But the others are right - it's the REAs fault and its their job to sort it out. If you have a receipt from them with the correct details of your Mum's account you have nothing to worry about.
Sounds more like something shonky going on with the agent…. Probably more of a company theft issue.
Her email has been hacked or the REAs have. It sounds Iike hers. Do you have two factor authentication ? Gross negligence on the part of the REA
Boomers are so stupid 🤣🤣🤣