Pre-Settlement Flash Audit for Perth Private Client Accountants: Catch Settlement-Hijack Indicators Before Funds Move
Your high-net-worth client is settling on a Cottesloe property next week. You’re CC’d on the email chain coordinating the trust transfer between the client, the conveyancer, and the bank. A new email arrives with revised account details — same thread, same signature block, slightly different BSB. You’re not the one pressing “pay,” but if the funds go to the wrong account, the client will ask you what you knew and when. The Pre-Settlement Flash Audit is a one-shot diagnostic that surfaces the indicators most often present on hijacked settlement chains before the funds actually move.
Why it matters now
Settlement hijack, where an attacker inserts altered payment instructions into an in-flight property transaction (usually as a reply inside an existing thread, sent from a compromised mailbox of one party or from a lookalike domain), is one of the highest-loss scam categories tracked by the Australian Competition and Consumer Commission's Scamwatch service, which reports it under payment redirection scams. Accountants advising on the transaction sit inside the personal-information flow: client identification documents, bank statements, source-of-funds evidence, and trust instructions all pass through your inbox. Under the Privacy Act 1988 (Cth), APP entities (Australian Government agencies and organisations with annual turnover above AUD $3 million, plus some smaller organisations) must handle personal information in accordance with the 13 Australian Privacy Principles, and the Notifiable Data Breaches scheme administered by the Office of the Australian Information Commissioner requires eligible data breaches to be notified to the OAIC and to the affected individuals. Whether your firm is an APP entity turns on the small business exemption, so check your turnover against the threshold and the exceptions on the OAIC site; the settlement-integrity exposure applies either way. A settlement-hijack incident on a file you touched is not just a client loss: if a mailbox holding those documents was compromised, it is potentially an eligible data breach the OAIC will expect you to have had controls against.
The 5-minute view
- The Privacy Act 1988 (Cth) is the primary federal statute governing personal information handling in Australia, regulated by the Office of the Australian Information Commissioner
- The 13 Australian Privacy Principles apply to “APP entities” — most Australian Government agencies and organisations with annual turnover above AUD $3 million, plus certain smaller organisations including health service providers
- The Notifiable Data Breaches scheme requires APP entities to notify the OAIC and affected individuals of eligible data breaches likely to result in serious harm
- Settlement-hijack attacks typically arrive in the final 7–14 days before settlement, often as a reply injected into an existing legitimate email thread from a compromised mailbox of one party or from a lookalike domain
- Common indicators include lookalike sender domains (a substituted character such as a zero for an o, an added hyphen or word, a different top-level domain), a Reply-To address that diverges from the visible From address, failed or missing SPF/DKIM/DMARC results in the receiving server's Authentication-Results header, and account-detail changes framed with urgency
- The Australian Cyber Security Centre publishes guidance recommending out-of-band verification for any payment instruction received or changed by email: a phone call to a number your firm already held before the change request, never one taken from the email or signature block in question; general ACSC guidance is at https://www.cyber.gov.au/
- Accountants who hold client identification documents and source-of-funds evidence are inside the personal-information chain even when they are not the party executing the payment
What DRMO does about it
The Pre-Settlement Flash Audit is a single-transaction diagnostic scoped to one settlement file. You submit the file reference and the email correspondence chain related to payment instructions, identity documents, and source-of-funds exchanges, ideally as original messages (saved .eml files or exports with full headers) rather than forwarded copies, since forwarding drops the authentication headers the review depends on. We run a fixed-scope review covering: SPF/DKIM/DMARC authentication results as recorded by your firm's receiving mail server on each inbound message, the counterparty's prior correspondence pattern with your firm (frequency, sending domain and signature consistency, prior account details on file), the instruction-change pattern against the known payment-redirection indicators (a mid-thread change of BSB or account number, urgency framing, a Reply-To or sending domain that differs from the domain on file), and a brief APP-aligned review of how personal information has been transmitted across the chain. The deliverable is a 15-page PDF audit report identifying the specific indicators present on the file and the verification steps to complete before the funds move. This is the productised single-transaction version of the diagnostic that otherwise runs as part of the L3 Pre-Settlement Shield consulting engagement.
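The header and instruction-change checks described above, and the indicators listed in the 5-minute view, as an added example that is not DRMO's tooling or any code from this page. It triages one message at a time: it reads the spf/dkim/dmarc verdicts from the receiving server's Authentication-Results header, compares the Reply-To domain with the From domain, tests both against a list of known counterparty domains for lookalikes (digit-for-letter homoglyph folding plus an edit-distance budget of two), and compares any BSB and account number in the body with the details on file, noting urgency wording around a change. The counterparty domain, the details on file, both sample messages and the Red/Amber/Green scoring thresholds are all constructed for illustration.

```python
"""Added example (not DRMO tooling): triage one settlement-chain message for the
hijack indicators listed on this page. All domains, details and messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical reference data: the conveyancer's domain and the trust details on file.
KNOWN_COUNTERPARTY_DOMAINS = {"harbourconvey.com.au"}
DETAILS_ON_FILE = {"bsb": "066123", "account": "12345678"}
URGENCY_TERMS = ("urgent", "today", "immediately", "asap", "before settlement")

# Constructed sample: a reply injected into the thread, steering replies to a lookalike domain.
SAMPLE_EMAIL = """\
From: Jane Smith <settlements@harbourconvey.com.au>
Reply-To: settlements@harbourc0nvey.com.au
Authentication-Results: mx.example-accountants.com.au; spf=softfail smtp.mailfrom=harbourc0nvey.com.au; dkim=none; dmarc=fail header.from=harbourconvey.com.au

Our trust account has changed. Please use the details below for the balance
of funds; this must be processed today.

BSB: 066-456
Account: 87654321
"""

# Constructed sample: the legitimate counterparty confirming the details already on file.
CLEAN_EMAIL = """\
From: Jane Smith <settlements@harbourconvey.com.au>
Authentication-Results: mx.example-accountants.com.au; spf=pass smtp.mailfrom=harbourconvey.com.au; dkim=pass header.d=harbourconvey.com.au; dmarc=pass header.from=harbourconvey.com.au

Confirming the trust account on file for the balance of funds:

BSB: 066-123
Account: 12345678
"""

def domain_of(header_value):
    """Lower-cased domain of an address header ('' if the header is absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the usual budget for a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known):
    """The known domain that `domain` imitates, or None if it is known or unrelated."""
    if domain in known:
        return None
    fold = lambda d: d.translate(str.maketrans("01", "ol")).replace("rn", "m").replace("vv", "w")
    return next((k for k in known
                 if fold(domain) == fold(k) or edit_distance(domain, k) <= 2), None)

def parse_auth_results(msg):
    """spf/dkim/dmarc verdicts from the receiving server's Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def extract_bank_details(body):
    """BSB and account number quoted in the body, digits only (None if absent)."""
    bsb = re.search(r"\bBSB[:\s]*([\d\- ]{6,8})", body, re.I)
    acct = re.search(r"\bAccount(?:\s*(?:No\.?|Number))?[:\s]*(\d[\d ]{5,})", body, re.I)
    digits = lambda m: re.sub(r"\D", "", m.group(1)) if m else None
    return {"bsb": digits(bsb), "account": digits(acct)}

def triage(raw, known=KNOWN_COUNTERPARTY_DOMAINS, on_file=DETAILS_ON_FILE):
    """Indicators present on one message plus an illustrative Red/Amber/Green status."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    indicators = []
    auth = parse_auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":  # a missing result is treated like a failure
            indicators.append(f"{mech}={auth.get(mech, 'missing')}")
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in [d for d in dict.fromkeys((from_dom, reply_dom)) if d]:
        if (target := lookalike_of(dom, known)):
            indicators.append(f"{dom} is a lookalike of known counterparty {target}")
    details = extract_bank_details(body)
    changed = [k for k, v in details.items() if v and v != on_file.get(k)]
    urgency = [t for t in URGENCY_TERMS if t in body.lower()]
    if changed:
        indicators.append("payment details differ from those on file: " + ", ".join(changed))
    if changed and urgency:
        indicators.append("account change framed with urgency: " + ", ".join(urgency))
    # Illustrative scoring: a changed account plus any other indicator is RED.
    status = "RED" if changed and len(indicators) > 1 else "AMBER" if indicators else "GREEN"
    return {"status": status, "indicators": indicators, "auth": auth, "details": details}

if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        result = triage(raw)
        print(label, result["status"], *result["indicators"], sep="\n  ")
```

Two caveats the script makes visible. The Authentication-Results header is only meaningful on the copy your own receiving server stamped; a message forwarded from a client or another adviser arrives with that copy's headers stripped and re-stamped, which is why the script reports a missing verdict as suspect rather than clean. And a message that passes SPF, DKIM and DMARC from the counterparty's genuine domain, with no lookalike and no Reply-To divergence, is exactly what a compromised counterparty mailbox produces, so a GREEN here never replaces the phone call to a previously known number.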
The deliverable
- 15-page PDF audit report scoped to one settlement file
- Executive summary with a Red / Amber / Green status and the recommended next action
- Per-indicator review with the underlying email evidence cited
- Brief Australian Privacy Principles alignment note covering how personal information has been transmitted across the correspondence chain
- Verification checklist for your team to complete before funds release
- Delivered via email within 1 business day of file submission and payment
CTA
Run the Pre-Settlement Flash Audit — AUD $499
A single-transaction productised offer. No discovery call required. Suitable for any client settlement file where payment instructions, identity documents, or source-of-funds evidence have been exchanged by email in the 14 days before settlement. This is operational support for Privacy Act and settlement-integrity obligations; it is not legal advice.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Office of the Australian Information Commissioner (domain root, for Notifiable Data Breaches scheme and Australian Privacy Principles guidance): https://www.oaic.gov.au/
- Australian Competition and Consumer Commission — Scamwatch (domain root, for payment-redirection and settlement-hijack scam categories): https://www.scamwatch.gov.au/
- Australian Cyber Security Centre (domain root, for out-of-band verification and email-authentication guidance): https://www.cyber.gov.au/
DRMO capability references:
- Pre-Settlement Flash Audit (L2 service shape, single transaction)
- Pre-Settlement Shield (L3 Shield package, the consulting engagement this diagnostic productises)