A NEM address is a base-32 encoded triplet consisting of
- a network byte
- a 160-bit hash of the account’s public key
- a 4-byte checksum
The checksum allows for quick recognition of mistyped addresses. It is possible to send XEM to any valid address even if the address has not previously participated in any transaction. If nobody owns the private key of the account to which the XEM is sent, the XEM is most likely lost forever.
However, you are unlikely to send XEM to an unowned address, because it would have to be generated with the right checksum. This means that the more likely scenario is that the owner lost the key, which caused all the XEM to be lost.
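The following added example (not code from the NEM project or from this page's author) shows how the 4-byte checksum rejects mistyped addresses. It assumes the checksum is the first 4 bytes of SHA3-256 over the network byte plus the 160-bit hash and that 0x68 is the mainnet network byte; it uses Python's `hashlib.sha3_256` and a constructed hash value, so the address it prints is not a real account.

```python
import base64
import binascii
import hashlib

MAINNET = 0x68  # assumption: mainnet network byte (addresses start with "N")

def checksum(payload: bytes) -> bytes:
    # Assumption: first 4 bytes of SHA3-256(network byte || 160-bit hash).
    return hashlib.sha3_256(payload).digest()[:4]

def encode_address(network: int, key_hash: bytes) -> str:
    if len(key_hash) != 20:
        raise ValueError("key hash must be 160 bits")
    payload = bytes([network]) + key_hash
    return base64.b32encode(payload + checksum(payload)).decode("ascii")

def validate_address(text: str, network: int = MAINNET) -> str:
    """Return 'ok' or the reason the address is rejected."""
    compact = text.replace("-", "").strip().upper()  # accept hyphenated display form
    if len(compact) != 40:  # 25 bytes are exactly 40 base-32 characters
        return "bad length"
    try:
        raw = base64.b32decode(compact)
    except (binascii.Error, ValueError):
        return "bad alphabet"
    if raw[0] != network:
        return "wrong network"
    if raw[21:] != checksum(raw[:21]):
        return "bad checksum"
    return "ok"

def accepted_typos(address: str) -> int:
    """Count single-character substitutions that still validate."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    hits = 0
    for i, original in enumerate(address):
        for c in alphabet:
            if c != original:
                typo = address[:i] + c + address[i + 1:]
                hits += validate_address(typo) == "ok"
    return hits

# Constructed 160-bit value standing in for a real public-key hash.
SAMPLE_HASH = bytes(range(1, 21))
SAMPLE_ADDRESS = encode_address(MAINNET, SAMPLE_HASH)

if __name__ == "__main__":
    print(SAMPLE_ADDRESS, validate_address(SAMPLE_ADDRESS))
    print("accepted single-character typos:", accepted_typos(SAMPLE_ADDRESS))
```

A random 32-bit checksum match has probability 2^-32, which is why none of the 1240 single-character substitutions is expected to pass.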
It is possible for two different public keys to yield the same address. If such an address contains XEM, an attacker could withdraw funds from that account. For the attack to succeed, the attacker would need to find a private/public key pair such that the SHA3-256 hash of the public key is also a RIPEMD-160 preimage of the 160-bit hash mentioned above. Since SHA3-256 offers 128 bits of security, it’s mathematically improbable for a single SHA3-256 collision to be found. Due to similarities between NEM addresses and Bitcoin addresses, the probability of causing a NEM address collision is roughly the same as that of causing a Bitcoin address collision.
A good infographic about this can be found here: http://miguelmoreno.net/wp-content/uploads/2013/05/fYFBsqp.jpg