Security and fraud prevention

How to prevent wire and ACH fraud at a property management firm

June 19, 20267 min read

Property management firms move money on a schedule. Rent comes in, owner distributions go out, and vendors get paid every month. That steady flow of payments, combined with the personal and banking details you hold on residents and owners, is exactly what makes your firm a target for wire and ACH fraud. The good news is that the most damaging version of this scam is also one of the most preventable, because it relies on people rather than sophisticated hacking.

How the scam usually works

Most payment fraud against property managers is a form of business email compromise. There is often no virus and no obvious break in. Instead, an attacker studies how your firm communicates and then sends a believable message asking your accounting team to send money somewhere new.

The request usually arrives in one of these forms:

  • An email that looks like it is from an owner, asking you to update the bank account for their monthly distribution.
  • A message that appears to come from a vendor, attaching a new invoice with changed remittance details.
  • A note that seems to come from a manager or executive, pressing the team to send a wire quickly and quietly.
  • A real but compromised mailbox, where the attacker has logged into an actual account and is replying inside a genuine email thread.

The message is designed to feel routine and to create a little urgency, so a busy team acts before anyone stops to check. By the time someone notices the owner never asked for a change, the money has already left.

The single habit that prevents most losses

If you take one thing from this guide, make it this: never change payment details based on an email alone. Any request to add or change a bank account, routing number, or wire instruction gets verified by a phone call to a number you already have on file, not a number or link from the message itself.

  • Pause when any payment instruction is new or changed, even if the request looks completely normal.
  • Look up the contact in your own records and call the number you already have, not the one in the email.
  • Confirm the change verbally with a person you can identify before you update anything in your system.
  • Record who you spoke with and when, so there is a clear trail if a question comes up later.
  • Only then update the payment details and release the funds.

A fraudster controls the email but almost never controls the phone number you already have on file. A short call to a known number breaks the entire scam, because the real owner or vendor will tell you they never asked for the change.

Build it into your process, not just your memory

A habit that lives only in one person's head fails the day that person is on vacation. Write the rule down and make it part of how your accounting function operates so it holds up under pressure and turnover.

  • Decide in advance who is allowed to approve a new or changed bank account.
  • Require a second person to approve transfers over an amount you set.
  • Treat any request to skip the verification step as a warning sign, no matter who it appears to come from.
  • Give every team member explicit permission to slow down and verify, even when a message sounds urgent or senior.
  • Review the process with new accounting and leasing staff during onboarding.

The technical layers that back it up

Your verification routine is the core defense, but a few practical IT measures make it much harder for an attacker to get a convincing message in front of your team in the first place.

  • Multi-factor authentication on email and your property management platform, so a stolen password alone cannot take over a mailbox.
  • Email filtering that flags messages from outside your organization and catches common lookalike domains.
  • A visible external sender warning, so staff can see at a glance when a message did not come from inside the firm.
  • Prompt removal of access when staff leave, so an old account cannot be used against you.
  • Regular, plain language reminders so the team can spot a fake invoice or an urgent payment request.

If you think money already went to a fraudster

Speed matters more than anything else. Wires are difficult to reverse after a day or two, so act immediately rather than waiting to be certain.

  • Call your bank right away and ask them to attempt a recall or freeze on the transfer.
  • Report it to the FBI Internet Crime Complaint Center at ic3.gov, which can sometimes help freeze funds.
  • Change passwords and review mailbox rules on any account that may have been compromised.
  • Tell the affected owner or vendor so they can watch for related activity.
  • Review how the request got through and tighten the gap so it cannot happen the same way again.

Wire and ACH fraud is frightening because the losses can be large and the money can vanish quickly. It is also one of the few serious threats you can largely defeat with a simple, consistent habit. If you want help setting up email protection, multi-factor authentication, and a verification routine that fits the way your team actually works, we are happy to help.

Common questions

What is the difference between wire fraud and ACH fraud?

Both move money out of your accounts, but through different rails. A wire is a same day bank to bank transfer that is hard to reverse once it is sent. ACH is the batch network used for most recurring payments and direct deposits, and it can sometimes be recalled if you catch the problem quickly. Fraudsters target both by sending fake payment instructions, so the verification habits in this guide apply to either one.

How fast do we need to act if we think we sent money to a fraudster?

Immediately. Call your bank the moment you suspect a fraudulent transfer and ask them to attempt a recall or freeze. Wires in particular are difficult to claw back after a day or two. Then report it to the FBI Internet Crime Complaint Center at ic3.gov, which can sometimes help freeze funds. Speed is the single biggest factor in whether the money is recovered.

Will email security tools alone stop this?

They help, but no filter catches everything. Many of these scams use no malware and no attachment, just a convincing message from a lookalike address or a real but compromised account. The reliable defense is a verification routine your team follows before any payment change takes effect, backed by email protection and multi-factor authentication.

Who should be allowed to approve a change to payment details?

Keep the list short and clear. Decide in advance who can approve a new bank account or a changed wire instruction, require a second person to sign off on larger amounts, and make sure everyone knows that a request to skip the process is itself a warning sign. Writing this down removes the pressure a fraudster relies on.

Related services

  • Cybersecurity — Email protection, MFA, and staff awareness for property managers.
  • Employee Onboarding — Set up and remove access cleanly as staff join and leave.
  • Managed IT Support — Day to day help for the systems your accounting team relies on.

Want help putting this into practice?

Tell us about your property management firm and the systems your team relies on. A local person will follow up within one business day.

Contact ArcTechOne