Fraudsters are placing fake rental property listings for affordable apartments on the Domain site. Upon contacting the purported landlord, would-be renters are instructed to transfer money offshore in exchange for apartment keys that will never arrive.
The 'landlord' claims to have moved to Italy, but promises to send the keys along with the lease when a bond is received in escrow. If the would-be renter doesn't like the apartment after using the keys to inspect it, they are assured their money will be refunded. There are, of course, no keys.
Or apartment, for that matter.
"I have found a procedure that will allow us to make a fast and safe deal and through this way you will see [the apartment] and decide if you will stay in the apt or not before I receive my payment," one of the scam e-mails reads. "In this way you will receive the keys in less than two days, if you move fast as well."
The wire transfer the fraudsters instruct their marks to use, conducted through Western Union, is irreversible and final.
Since Risky.Biz first exposed the current incarnation of the rental scam in May we've received e-mails and phone calls from several victims.
Nadine was taken for $8,000 in two transfers. After she'd sent an initial amount, the fraudster's managed to coax thousands more out of her with the promise of a budget lease.
Mohammad, a foreign student based in Hobart, lost $2,000. "I don't know what to do," he told Risky.Biz Friday last week. "I'm alone and I don't have any money... I'm homeless."
Risky.Biz referred Mohammad to the Tasmanian Fraud Squad.
As recently as this morning we received a telephone call from a Domain.com.au user in Brisbane who was almost taken in by the scam. There have been several of these. Many of these users were only aware of the scam because they stumbled on Risky.Biz's coverage of the scam.
"I am currently looking for an apartment in Sydney and came across a deal which sounded too good to be true - and it was," wrote Sydney renter Paul Geddes. "My suspicions were confirmed by... coming across an article posted on your site on May 15th.... So thanks to and all involved for the alert."
Why is Risky.Biz and online fraud websites the only source of information on the scam? Why aren't users finding out about the fraud from Domain.com.au itself?
Through its outsourced spin team, Red Agency, Domain.com.au says it's introducing a series of warning pages designed to combat the fraud.
How can this be taking so long? Why is this not the company's top priority? Can it really take five weeks to introduce a splash screen? Why won't the company identify the manager responsible for combating this type of fraudulent activity and make them available for an interview? Is anyone in charge of combating fraud?
The team at Fairfax Digital should be forced to speak to the victims of this fraud. It's heartbreaking. Most have borrowed money to pay for the bond and advance rent on their exciting new apartment. Instead of a new lease, however, they're left in debt and homeless.
Even worse, they're left feeling foolish.
The appropriate response, in the view of Risky.Biz, would be to send a press release and make some noise. Warn users. Get as many spokespeople in front of as many media sources as possible. The media is the perfect conduit through which warnings like this can be distributed.
Some companies are mature enough in their approach to do raise the alarm bells themselves. As Australia's Commonwealth Bank was being hammered by a series of phishing scams targeting its users last month it introduced a splash screen shown to every user every time they logged in warning them of the scam.
Admittedly the bank has more skin in the game than Domain.com.au -- direct losses through phishing -- but it's the view of Risky.Biz that organisations should protect their customers' money as if it were their own.
There is no downside to that approach. Instead, Domain.com.au is circling the wagons and dragging its feet.
It's not good enough.
Want more exclusive security news? Sign up for our newsletter here. You'll receive a weekly dose of written news, podcast descriptions with links and even infosec jobs.