Cybersecurity in the real estate sector

In today’s tight rental market, where some 31%¹ of Australians rent, many apply for multiple properties before securing a lease. Each application can involve sharing sensitive information with real estate agents, including identification documents, banking details and up to five years of income history.¹

Real estate agents receive personal and financial data from buyers, sellers and tenants, making robust cybersecurity standards essential across the industry. Tenants and prospective tenants are exposed to cyber risks given the information they are required to provide.

Why cybersecurity matters as real estate modernises

Cybersecurity has become a more pressing issue as real estate agents digitise their operations. Digitisation could bring improved productivity and new security challenges².  Digital touchpoints³, from e-signatures to rental payments, could become potential vulnerabilities.

James Roberts, General Manager of Fraud and Scam Strategy and Governance at CommBank, says this shift reflects a broader trend in how scammers are operating today. 

“Cybercriminals are increasingly targeting individuals and businesses outside traditional financial institutions,” he says. “As banks have strengthened their defences, we've seen a shift toward exploiting professionals, like those in real estate, who handle sensitive client data. It’s a sobering reminder that cybersecurity is now a shared responsibility across sectors.”

Leanne Pilkington, CEO at Laing + Simmons and President of the Real Estate Institute of Australia, describes cybersecurity as “a massive concern”.

She says real estate agencies need to be aware of which information they should delete and which they need to retain.

“If you’re getting identification as part of a tenancy application, you can only hold that information while you’re processing the application. If the person’s not successful, you need to delete that information,” she says.

“If you’re getting identification as part of a tenancy application, you can only hold that information while you’re processing the application. If the person’s not successful, you need to delete that information.” - Leanne Pilkington, CEO at Laing + Simmons and President of the Real Estate Institute of Australia.

“As industries like real estate digitise, it’s vital that professionals, technology providers, banks and government agencies work together to protect customers,” he says. 

For Roberts, the key takeaway is clear: collaboration in fighting cybercrime is essential. Data from the Real Estate Institute of Australia (REIA) reveals that cybersecurity is ranked third amongst key business issues for those in the industry.⁴

Melinda Jennison, President of the Real Estate Buyers Agents Association of Australia, warns that cybersecurity attacks can lead to substantial reputational damage.

“More and more, we’re seeing some of Australia’s largest brands being exposed to cyber incidents and that has a lot of reputational damage when it happens,” she says.

How agencies are improving cybersecurity hygiene

Pilkington says staff at Laing + Simmons can focus on simple cybersecurity steps, such as declining requests to change bank account details over email.

“They can pick up the phone and have that conversation with their landlord or their vendor or their buyer,” she notes.

Real estate agencies can also test their security processes, for example, by sending phishing emails to team members to ensure they don’t click on unknown links.

“From Lang + Simmons’ perspective, we have catch-ups with our business owners, and cybersecurity is part of the standard agenda. It’s a conversation that is always evolving and it’s a conversation that we continue to have,” Pilkington explains.

CommBank offers guides and commentary about frauds and scams.

Some of the matters that businesses may consider are:

1. Stop: if a call, email or text seems odd, stop and take a breath.
2. Check: ask someone they trust or contact the organisation the message claims to be from. 
3. Reject: if you’re unsure, you can hang up, delete the email and block the phone number. Change your password if you think someone else may have it and make sure you pick something long and unique.

CommBank’s NameCheck service alerts customers if account details look suspicious during a first-time, one-off payment, helping to prevent scams and mistaken transfers. 

“Technology plays a critical role in stopping scams, but so does awareness,” says Roberts. “When businesses understand the warning signs and know how to respond, they become much harder targets. Our goal is to give customers the tools and confidence to pause, question, and act.”

As the real estate sector continues to digitise, agencies can work to maintain strong cyber security measures.