Cybersecurity is a global problem.  

We reside in an interconnected world and it is a shared responsibility for every SME and large organisation to be cyber conscious and a firm’s cyber defence platform must be a “safe haven” to operate from to give peace of mind to the client and the practitioner in the protection of:

  1.  the firm’s data.
  2. the client’s data.
  3. data shared with business associates.
  4. data shared with suppliers and firms we do business with.
  5. data that flows into the firm from various sources.

Remember a client is living and breathing their conveyance during the 6-week period until Settlement. There are large amounts of money to disburse and nothing creates more mistrust with a client then when their settlement money is not deposited in the correct account. 

Legal and conveyancing firms need to have strong cybersecurity practices in place to protect their email and business systems from being hacked and used to commit fraud.  One way is to employ Two-factor Authentication (2FA) on your email service to prevent cybercriminals hacking in and easily committing payment redirection fraud.  

Some firms have now installed their own Secure Document Exchange (SDX) portal where documents can be exchanged safely and with a time-stamped audit trail, so they no longer need to send important documents as attachments with emails.

Conveyancing due diligence is not only about investigations into Title, Contract Special Conditions, Area Zonings, Building Approvals, Surveys, Special levies and Client Identities but the actual financial transactions of the conveyance, i.e. the money deposits to a client’s account/s remember this is their money and you have been entrusted with the disbursement of their property sale or purchase.

Client money deposits are often overlooked for thorough due diligence. Transfer of funds is one of the last actions on the file before Settlement and can be a low priority in the constant checking and rechecking for other conveyancing data, but  in the mind of the client this is what it is all about – the money!

Example of post-settlement conveyancing fraud - PEXA

In June 2018 a Victorian Conveyancer's email account was hacked, the hacker accessed PEXA by changing the PEXA user and password, then changed the vendors account surplus funds’ details.  At Closure of the sale, the vendor lost $250K from the home sale.

What stress this caused not only the vendor but also the conveyancing firm acting for the sale. The upshot for PEXA was to install a very high level of Practitioner Security to access the online Platform via 3 step verification process using a Ping ID App or SMS linked to a Practitioners mobile device.

Lessons for Conveyancers & Lawyers around the PEXA fraud

First and foremost is to only employ the services of a certified cybersecurity expert to handle cyber defence for your firm. If you are a larger organisation with an in-house IT dept, ensure they are working with the most current and up-to-date cybersecurity protection and all systems in your firm are rigorously maintained and secured.

For a smaller SME or solo practitioner working with an external IT company, ensure they are totally up to date with the latest cybersecurity protection offerings and understand how to install correctly.  If you have been working with the same IT company for some time ask them the following questions:

  1. Is the firm’s website https secure or still under a http server?
  2. does our firm need a Secure Document Exchange (SDX) portal?
  3. does the firm's email system have Two-factor Authentication (2FA)?
  4. what other cybersecurity protection do we need?

If the IT company don’t know or are unable to provide the latest cybersecurity protection for your firm then it might be time to find a specialist cybersecurity expert.

You may say “oh no I just can’t afford to add all this extra security”. Well, remember that cyber fraud could see the end of your business, through resulting adverse press, negative word of mouth and potential lawsuits. 

The reality is if you can’t afford to install the latest robust cybersecurity systems then are you prepared to take the risk of being hacked? 

Security risk management strategies to avoid website and email hacking

Here are some recommendations:

  • Employ a Cybersecurity specialist to conduct an audit on your conveyancing or law firm email and computer systems.
  • Once the audit is completed and you are satisfied the cybersecurity expert knows what they are recommending, then don’t delay in authorising the appropriate security protection and installations.
  • Ask your current technology providers how they can assist you in securing your conveyancing process.
  • Request client Bank account and BSB numbers by telephoning the vendor or purchaser and carefully read them back to confirm then record them in your Legal Practice Management system (LPMS) and recheck again via telephone before settlement with the client.
  • Never email any sensitive information to your client. Whilst email is efficient to keep in touch it can no longer be considered a secure way to communicate and share files with clients.

Last tip: Understanding and employing best practice cybersecurity solutions will ensure the client knows you are interested in them and their stress points – this is the key to providing stress-free client service and will result in repeat business and more referrals. 


Garth Brown B. Bus JP FAICNSW

Garth Brown B. Bus JP FAICNSW

Legal Practice Expert, Industry Thought Leader, Accountant 20 Years’ experience in the Legal Space Author, Webinar Presenter, Trainer & Industry Adviser Fellow AICNSW & 2015 NSW Conveyancer of the Year. Principal Brown & Brown Conveyancers. To find out more about operating a successful legal or conveyancing practice, read my ebook, "Step by Step Guide to a Successful Conveyancing/ Legal Practice" available at

Share this article on social