3 in 4 Australian conveyancing firms have nothing stopping a criminal from sending email in their name
We scanned 260 licensed conveyancing and settlement firms across WA and Victoria in June 2026. 76.9% can be impersonated by email today — a key technique in settlement payment-redirection fraud.
lost to payment-redirection scams in Australia in 2025
Payment redirection was Australia's second-costliest scam category in 2025, according to the ACCC's National Anti-Scam Centre — $166.8 million of the $2.18 billion Australians reported losing to scams that year. And property settlements are where it bites hardest: a single redirected deposit is often a six-figure loss.
The play is simple. A criminal sends your client an email that looks like it comes from your firm — same name, same address — with "updated" trust account details a few days before settlement. The client pays. The money is gone, usually unrecoverable. The client's life savings, your firm's name on the email.
The technical term is email spoofing: sending an email that appears to come from someone else's address. It works because, by default, nothing in email checks that the sender is who they claim to be. A standard called DMARC closes that gap — it lets your domain tell the world's mail servers "reject anything claiming to be us that we didn't send." It is free, it is invisible to your clients, and 76.9% of the firms we scanned don't have it doing its job.
What we found
Of the 260 licensed firms we scanned,
56.5% have no DMARC record at all —
their domain says nothing about who may send email in its name. Another
20.4% have DMARC switched to "monitor only"
(p=none), which observes impersonation without stopping it.
Together that is 76.9% of the sector — 3 in 4 firms
— effectively open to impersonation today.
Only 10% enforce the policy that actually blocks spoofed
mail (p=reject), with a further 13.1% at
the halfway setting (p=quarantine). For comparison, across
the 10,586-domain
national dataset behind our
State of DMARC in Australia
research, 39.1% of organisations enforce
— conveyancing trails the national average at
23.1%. The sector entrusted with the largest transfers of
ordinary Australians' money is less protected than the average
Australian organisation.
Open to impersonation
No DMARC at all
By state
Western Australia
154 firms- Open to impersonation
- 71.4%
- No DMARC record
- 47.4%
- Enforcing (quarantine or reject)
- 28.6%
Victoria
106 firms- Open to impersonation
- 84.9%
- No DMARC record
- 69.8%
- Enforcing (quarantine or reject)
- 15.1%
"Open to impersonation" means the domain has no DMARC record or has DMARC set
to monitor-only (p=none) — in both cases, receiving mail
servers are not told to reject mail that fails authentication. Aggregates
only: this report names no firm and publishes no per-firm data.
Aggregate data (JSON).
Is your firm one of the 3 in 4?
It takes about 10 seconds to check. Enter your firm's web domain — the part after the @ in your email address — and our scanner reads the same public records we used for this report. Free, no signup, and your result is not published anywhere.
Check my firm's domainMethodology & responsible disclosure
Who we scanned. The cohort is currently licensed conveyancing and settlement firms drawn from two public government registers: Western Australia's settlement agent licence register (DEMIRS Online Licence Search) and Consumer Affairs Victoria's register of licensed conveyancers. For each licensed firm we identified its web domain and verified the website's content actually belongs to that firm before including it; firms without a discoverable, verifiable website are not in the cohort. That produced 260 firms (154 WA, 106 VIC).
How we scanned. Each domain was checked in June 2026 with DMARC Busta's scanner using publicly available DNS records only — DMARC, SPF, and DKIM. This is the same information any mail server on the internet reads before deciding whether to trust an email. No intrusion, penetration testing, or email sending of any kind was performed.
What we will not publish. No firm is named in this report, and no per-firm data is published or downloadable — aggregates only. We will not provide the list, including on request. Any firm can check its own standing in seconds with the free scanner; industry bodies are welcome to contact us for a briefing on the aggregate findings.
You run settlements. We'll run this.
Fixing this doesn't require an IT department. DMARC Busta sets up the records, watches them, and moves your domain to DMARC enforcement automatically — you don't interpret reports or touch DNS. Most firms reach enforcement within weeks, without changing how anyone works.