NCAT Dismisses Proceedings Against Conveyancer Following Funds Misdirection Scam

NCAT recently dismissed a claim brought against a NSW conveyancer (Conveyancer) by its client (the Purchaser) alleging that they had been the subject of a cyber misdirection of funds scam and that the Conveyancer ought to be held liable to its client. Barry Nilsson acted for the Conveyancer.

In the course of settling on a property, the Purchasers received an email from a third-party scammer (Threat Actor) which imitated the email address of the Conveyancer and directed them to transfer AUD $65,000 into an account operated by the Threat Actor. The Purchasers transferred the funds to the Treat Actor. By the time the scam had been identified, the funds could not be recovered.
In an attempt to recover their losses, in circumstances where the Fraud Actor could not be identified, the Purchaser commenced proceedings in NCAT (Tribunal), seeking compensation from the Conveyancer in relation to the incident.

Purchaser’s Claim

In the application, the Purchaser sought several orders from the Tribunal, including:

• compensation for losses incurred due to cyber fraud, amounting to approximately $65,000; and
• a refund of conveyancing fees and tribunal application fees.

The Purchaser’s claim was based in negligence, alleging that:

• the Conveyancer had failed to provide adequate warnings to the Purchaser about the risks of cyber misdirection scams;
• the Conveyancer had failed to implement adequate cybersecurity measures, allowing their system to be infiltrated by the Threat Actor and allowing the fraudulent impersonation of the Conveyancer to occur, resulting in financial loss.

Conveyancer’s Position

The Conveyancer denied that they were in any way responsible for the losses suffered by the Purchaser, and had acted with due care, skill and diligence.

In support of this position, it was argued before the Tribunal that:

• there was clear Cyber Security Warnings on all emails sent by the Conveyancer to the Purchasers, expressly stating “do not transfer any money to our bank account without telephoning our office to confirm account details”;
• during the initial discussion of the contract of sale, the Conveyancer advised the Purchaser about the potential risk of fraud in conveyancing transactions;
• the fraudulent emails received by the Purchaser contained:
  – requests for information which had already been provided to the Conveyancer previously;
  – discrepancies which ought to have put the Purchaser on notice that the emails were fraudulent, including the removal of the Cyber Security Warnings, a different font colour, different grammatical structure, errors in the name and address of an invoice provided, and one email was also signed off by the wrong person; and
  – a discrepancy in the email domain, which ought to have been observed, in that the address ended with cm-au.com instead of .com.

Tribunal Hearing

At the outset, the Tribunal Member highlighted that the Purchaser had the onus to demonstrate the Conveyancer had acted negligently, or in a manner which failed to meet industry standards.

During the hearing, the Purchaser recounted the timeline of events, including the engagement of the Conveyancer and the subsequent fraudulent emails received. He expressed uncertainty about the cybersecurity protocols in place and the adequacy of warnings provided by the Conveyancer.

On behalf of the Conveyancer, the Purchaser’s recollection of events was challenged, particularly regarding the receipt and acknowledgment of cybersecurity warnings. The Purchaser eventually admitted to not recalling specific details about the chronology of events, or reading the warnings.

The Tribunal was also taken to contemporaneous file notes, produced by the Conveyancer, which evidenced that the Conveyancer had provided cybersecurity warnings to the Purchaser verbally and had explained the firm’s standard practices regarding cybersecurity and client communication.

Outcome and Significant Observations

The Tribunal Member first noted some significant observations:
− The Tribunal expressed some doubt about the veracity of the Conveyancer’s file notes, as they were undated and were not overly detailed. Ultimately, and while a concluded view was never expressed, the Tribunal queried whether they would serve as valid proof of a verbal interaction between the Conveyancer and Purchaser.
− The Purchaser, bore the onus of demonstrating the Conveyancer had acted negligently.
− The Tribunal is a jurisdiction of evidence and must therefore make a determination based on the evidence before it.

Taking into account the evidence before it, and the submissions made on behalf of the parties, the Tribunal dismissed the application, concluding that:

1. The Purchaser had failed to provide independent expert evidence demonstrating that the Conveyancer’s actions were negligent or did not meet industry standards.
2. Conversely, there was clear evidence that the Conveyancer had taken reasonable steps in providing cybersecurity warnings.
3. To the extent that liability was to be laid at the feet of anyone other than the Threat Actor, the lost funds were the result of the Purchaser’s actions in responding to fraudulent communications, and transferring the money, despite and contrary to the warnings provided by the Conveyancer.
4. Even if the Conveyancer had acted differently, it would not have prevented the loss, as the Purchaser did not heed the cybersecurity advice given.
5. The Conveyancer ought not be held liable for the Purchaser’s loss.

Key Takeaways and Conclusions

Misdirection scams are rife, particularly in the conveyancing industry where transfers of large sums of money occur regularly. Faced with an inability to recover funds from unknown (and typically overseas) threat actors, the victims of these scams will regularly seek to recover funds where they can, including from their professional advisers.

The dismissal of this matter, and the comments of the Tribunal, underlines the importance of ensuring that:
1. conveyancers’ computer systems are secure to prevent infiltration by third parties;
2. appropriate IT experts are retained to regularly ensure that systems are secure;
3. the risk of funds misdirection scams is raised with clients verbally at an early opportunity;
4. that clear dated file notes are made by a conveyancer of all discussions with their clients; and
5. cybersecurity warnings should be included in all emails to conveyancers’ clients, including a clear statement that funds should not be transferred to any account without obtaining independent verbal authentication of the account details.

In combination, whilst the above measures may not avoid a conveyancer or their client becoming the victim of a misdirection scam, it will:
a) minimise the risk of that occurring; and
b) should a conveyancer need to defend proceedings commenced against it (seeking to recover lost funds) being able to demonstrate that all of the above steps were taken, will significantly increase the prospects of being able to successfully defend such a claim.

	Simon Black Principal 02 8031 2605 [email protected]		Michael Chen Senior Associate 02 8031 2673 [email protected]

DISCLAIMER:  This article does not constitute legal advice. The content of this article is intended to provide a summary and general overview of a matter of interest. You should seek legal advice before acting or relying on the content of this article.