8:21 am today

Gold Coast couple loses $250,000 house deposit in 'spear phishing' scam

By Rachel Clayton, ABC business reporter

Sarah and Laine Robinson have three kids and are having to start all over again to buy a house. Photo: Supplied / ABC News / Steve Keen

Sarah and Laine Robinson did everything right.

They spent years saving for a house deposit, had a reputable conveyancer, and even hired a buyer's agent to help them with negotiations after losing out on multiple properties they had fallen in love with.

Finally, they had a house they could call their own in Mount Nathan on the Gold Coast.

They went into an ANZ bank branch to make two transfers of their home deposit, totalling more than $300,000.

The day before settlement, their world fell apart - the money was gone.

They had unknowingly transferred almost all of their deposit into a scam account.

The house the Robinsons lost after their home deposit was stolen. Photo: Supplied / ABC News / Steve Keen

Scam not realised until a day before settlement

The Robinsons had no idea how it could have happened, with almost no red flags or signs something was amiss.

"We went into the bank and we thought we have nothing to worry about going into the branch, other than it's all good and safe," Mr Robinson said.

The loss was a traumatic shock, Ms Robinson said.

"From the moment it happened, I fell apart. I did break down. I've lost parents, and [the grief] was much the same because you just don't expect it, and it changes your life so quickly."

The day before settlement Mr Robinson called his wife to say their conveyancer could not see the full deposit in the trust account.

The first $60,000 payment had cleared, but the second $252,000 deposit was not there.

"I was just gobsmacked," Ms Robinson said.

"I told Laine, 'I've been corresponding with the conveyancer for two weeks about the transfer. I followed their email and then they replied, we've received funds. I've got it all there I'll show you.'"

Once their conveyancer looked at the email Ms Robinson was referring to, it all clicked into place.

"He told me, 'Sarah, it's all a scam. It's not real.'"

The account details of where to send the money had come from emails appearing to be from their conveyancer.

All the details, from the stamp duty amount to specific fees and charges, were correct.

What they had missed was the email address - it was missing the ".au" at the end.

'Spear phishing' attacks becoming more common

The Robinsons were likely victims of what's called a "spear phishing" attack - a personalised impersonation scam where scammers gain access to emails or text messages and impersonate someone, to make their victims believe they are communicating with people they know and trust.

Philip Goldie, the managing director of security software company Okta, told the ABC that after years of general, mass phishing attacks, scammers were shifting towards high-value targets.

He said about 18 months ago, most attacks were "very broad phishing scams that target potentially hundreds of thousands or even tens of millions of people", like text messages that look like they're from Australia Post or Linkt, asking for a bill to be paid.

Those, Mr Goldie said, were being superseded by "very, very targeted scams where the impact can be incredibly high financially".

"Usually the perpetrator will know something about the transaction or the situation - in this case, something like a house purchase or a mortgage settlement, and they'll use techniques that are very targeted to the individual.

"That sort of scam takes a lot more time and effort on the perpetrator's side, but can be done at scale and the impact and the kind of financial loss or the financial gain for the perpetrator can be huge."

Funds sent to Victorian account

Queensland Police detectives initially began investigating how the Robinsons were scammed, but the ABC understands the case was recently transferred to Victoria Police after it was discovered a university student in Melbourne owned the bank account the funds were transferred to.

ANZ said it was able to recover $82,000 of the $252,000 lost but could not comment further.

The Robinsons said they were furious the bank did not do more to warn them their funds may have been transferred to the incorrect account.

About a week after making the transfer, Ms Robinson received a late-night phone call from ANZ and was asked if the details of the account she had transferred the $252,000 deposit to were correct.

While on the phone, she opened the email again and confirmed the details.

Ms Robinson said there was no indication that the woman on the other end of the line was worried about the transfer.

The bank, she said, called her a few weeks ago apologising for how that particular phone call was handled, and admitted more should have been done to convey the seriousness of what was being asked.

"My hindsight realisation from all of this is actually I would have been safer with a paper contract. The reality is electronic banking is scary now, and we have no control over it," Ms Robinson said.

A letter to Ms Robinson from ANZ, seen by the ABC, said even if the scam was identified during the phone call, it would have been too late to recover the money.

Okta's Mr Goldie said as scams became more common and sophisticated - especially with the emergence of artificial intelligence (AI) - it was important both banks and individuals did all they could to ensure they were communicating with the right people.

The Robinson family said they wanted to tell their story to warn others.

"If somebody said to me, conveyancing scams are so rife in Australia right now, you have to make sure of this … there's so many points where so many people could have helped me," Ms Robinson said.

How to protect yourself

In its latest annual report, the Australian Cyber Security Centre said AI would "allow cybercriminals to undertake more labour-intensive activities, such as generating spear phishing content more efficiently and on a larger scale".

Mr Goldie said there were simple steps people could take to protect themselves from targeted attacks.

"If there was one thing that I think everybody should be thinking about doing, it's really making sure that your personal email account is well protected," he said.

"That means having a very complex and unique password to get access to your email, and then enabling features like multi-factor authentication, a one-time code that might come to your phone, or to an app that allows access to your email."

A second avenue of protection was to "just be more cautious".

"If you're dealing with anything that involves any sum of money, particularly large sums of money, or you're dealing with institutions that have access to meaningful information or financial aspects of your life, double check, triple check, make sure you're talking to someone legitimate.

"Make sure you understand how to verify the organisation that you're interacting with."

- ABC
