this product is unavailable for purchase using a firm account, please log in with a personal account to make this purchase.

The LIV is currently closed to all visitors.

We are working remotely to deliver member services. For more information visit our 

COVID-19 Hub
Select from any of the filters or enter a search term

PEXA cybercrime incidents – lessons learned

PEXA cybercrime incidents – lessons learned

By Ian Bloomfield

Conveyancing Securities Technology 


In the midst of all the coverage of the recent PEXA cybercrime incidents it is worth taking a step back to identify what lessons can be learned. So let’s try to understand what happened, how it was possible and what we can do to stop it happening again.

These were cybercrime incidents involving theft of money being paid as part of property transfers being transacted using the PEXA electronic settlements platform.  Actions by cybercriminal scammers resulted in the redirection of settlement funds involved in the property transfer. There have been at least two incidents that I am aware of involving more than $1.25 million going to bank accounts setup by these scammers. You can read a detailed explanation about what happened here.

In order to execute this crime, the scammers exploited three vulnerabilities. They were able to get the conveyancer’s email password using a phishing scam and consequently get access to their email account. In most cases the victims of phishing scams are not stupid or negligent. Phishing scams primarily rely on social engineering to convince the victim to do something they should not. Social engineering by its very nature is designed to circumvent security. The conveyancers had their email compromised because they were human.

The second vulnerability involves the password reset process for the PEXA subscriber account.  Anyone can initiate the password reset process by clicking on the “Forgot password” link on the PEXA logon page and providing a valid email address associated with a subscriber account.  This will result in an email being sent to the email address for that subscriber.  Anyone having access to the resulting email sent by PEXA, can click on the link contained in the email, whereby they will be prompted to input a new password and will then have full access to the PEXA account.

The nail in the coffin is the third vulnerability. A subscriber when logged into their PEXA account can add a ‘User’ to their account.  Adding a ‘User’ does not require use of the ‘Digital ID’ and there is no requirement for the subscriber to confirm or vet the addition of the ‘User’ account. When logged into the PEXA account, a user can carry out most actions not requiring use of the Digital ID, including amending payment details in the PEXA workspace.

Users of a technology solution endorsed by the major banks and state governments would have a reasonable expectation that the security protocols in place would be consistent with accepted best practice e.g. equivalent to that employed by the banks.  A simple password reset process that requires no verification, and the ability for major changes to be made (create a new user, change the Financial Settlement Schedule) without any verification fall well short of the mark.

Clearly there is a need for PEXA to implement more stringent security protocols, and recent announcements from PEXA indicate it is acting on this.

These incidents were Business Email Compromise scams and the only way to preventing this type of scam is to prevent unauthorised access to email accounts. In these cases, if it had not been possible to compromise the conveyancer’s email account, the scam and consequent theft could not have occurred. Using two-factor authentication with email accounts will prevent unauthorised access to email accounts. If an email service does not offer two-factor authentication, it is not safe to use.

The main takeaway from these incidents is that people cannot just assume that the systems they use are secure. Law firms and lawyers need to understand the threats they are exposed to and how these translate into business risk. It is only with the knowledge of the risks involved can they make informed decisions about how and where they need to act.


Ian Bloomfield is the Managing Director of Ignite Systems. Ian has been developing and delivering cyber security solutions for over ten years. As an Affiliate Member of the Law Institute of Victoria (LIV) and a recognised expert on cyber security, he works to educate lawyers about the benefits and risks of using technology. Ian is the author of many articles and guides on cyber security, and has recently authored two LIV LawTech Essentials documents, ‘Cyber Security Essentials for Law Firms’ and ‘Cyber Security Essentials for the Individual’. Ian is also an active member of the LIV’s Technology and the Law Committee.


Views expressed on (Website) are not necessarily endorsed by the Law Institute of Victoria Ltd (LIV).

The information, including statements, opinions, documents and materials contained on the Website (Website Content) is for general information purposes only. The Website Content does not take into account your specific needs, objectives or circumstances, and it is not legal advice or services. Any reliance you place on the Website Content is at your own risk.

To the maximum extent permitted by law, the LIV excludes all liability for any loss or damage of any kind (including special, indirect or consequential loss and including loss of business profits) arising out of or in connection with the Website Content and the use or performance of the Website except to the extent that the loss or damage is directly caused by the LIV’s fraud or wilful misconduct.

Be the first to comment