Mitch Wilson and Penny Davies have lost almost $40,000 in the scam. Photo / 9 News
A Gold Coast couple have been left devastated after they lost almost $40,000 ($44,000) to a "cunning" email scammer who posed as a real estate agent.
Mitch Wilson and Penny Davies believed they were just following their agent's advice when they transferred their house deposit to a bank account.
They had received an email from what appeared to be a Sold Street Real Estate Agent email address.
"It plays over and over in my head all of the time," Davies said.
"We got an email from the real estate agent we had been dealing with, from their email account, saying in light of the contract please pay money to this account," Wilson told 9News.
The couple transferred $39,000 ($43,546) to the bank account and didn't think about it again until the agent contacted them a few days later asking where the money was.
"We went back and forth, we exchanged screenshots and emails from their side and ours, and what was obvious is the money didn't go where it was supposed to go which was their account," Wilson said.
"(It) ended up in some fraudster's account and then offshore to a crypto account."
Police are referring to it as an email compromise scam whereby scammers infiltrate an email account and send emails to victims – making it very difficult to discern that it is a scam.
"These people with these skills, they're very cunning, they're very calculated," Ian Wells from the Queensland Police Service Cyber Crime Group told 9News.
When a business owner sends an invoice, the hackers change the bank account numbers for payments and then forward the invoice to the unsuspecting customer.
Mummy blogger Constance Hall has also fallen victim to the cruel scam.
She told news.com.au last month she felt "stupid" after losing thousands of dollars to the fraudsters.
She believed she was paying a deposit on a rental property when she transferred money via a link sent from the real estate agency that managed the property.
When she contacted her bank she was told that as she had authorised the transaction the chance of getting money back was minimal and to report it to the police.
Her bank recovered just $7.57 ($8.45).
"To have it all stolen in an instant … felt unbelievably unfair," she said.
In New Zealand, Cert NZ works to support businesses, organisations and individuals affected by cyber security incidents.
Director Rob Pope told NZME in 2020 that the organisation regularly receives reports about business emails being compromised by scammers who have issued invoices with false bank account information to their customers. Scammers get access to business emails in a number of ways, Pope said, including guessing or "cracking" weak account passwords.
Cert NZ recommends using long, strong and unique passwords on all accounts, and adding an extra layer of security with two-factor authentication.
The organisation also recommended calling the supplier to confirm account details.
"They should also do this if they have received communications about new payment details from existing suppliers," Pope said.