Property management firms move money on a schedule. Rent comes in, owner distributions go out, and vendors get paid every month. That steady flow of payments, combined with the personal and banking details you hold on residents and owners, is exactly what makes your firm a target for wire and ACH fraud. The good news is that the most damaging version of this scam is also one of the most preventable, because it relies on people rather than sophisticated hacking.
How the scam usually works
Most payment fraud against property managers is a form of business email compromise. There is often no virus and no obvious break in. Instead, an attacker studies how your firm communicates and then sends a believable message asking your accounting team to send money somewhere new.
The request usually arrives in one of these forms:
- An email that looks like it is from an owner, asking you to update the bank account for their monthly distribution.
- A message that appears to come from a vendor, attaching a new invoice with changed remittance details.
- A note that seems to come from a manager or executive, pressing the team to send a wire quickly and quietly.
- A real but compromised mailbox, where the attacker has logged into an actual account and is replying inside a genuine email thread.
The message is designed to feel routine and to create a little urgency, so a busy team acts before anyone stops to check. By the time someone notices the owner never asked for a change, the money has already left.
The single habit that prevents most losses
If you take one thing from this guide, make it this: never change payment details based on an email alone. Any request to add or change a bank account, routing number, or wire instruction gets verified by a phone call to a number you already have on file, not a number or link from the message itself.
- Pause when any payment instruction is new or changed, even if the request looks completely normal.
- Look up the contact in your own records and call the number you already have, not the one in the email.
- Confirm the change verbally with a person you can identify before you update anything in your system.
- Record who you spoke with and when, so there is a clear trail if a question comes up later.
- Only then update the payment details and release the funds.
A fraudster controls the email but almost never controls the phone number you already have on file. A short call to a known number breaks the entire scam, because the real owner or vendor will tell you they never asked for the change.
Build it into your process, not just your memory
A habit that lives only in one person's head fails the day that person is on vacation. Write the rule down and make it part of how your accounting function operates so it holds up under pressure and turnover.
- Decide in advance who is allowed to approve a new or changed bank account.
- Require a second person to approve transfers over an amount you set.
- Treat any request to skip the verification step as a warning sign, no matter who it appears to come from.
- Give every team member explicit permission to slow down and verify, even when a message sounds urgent or senior.
- Review the process with new accounting and leasing staff during onboarding.
The technical layers that back it up
Your verification routine is the core defense, but a few practical IT measures make it much harder for an attacker to get a convincing message in front of your team in the first place.
- Multi-factor authentication on email and your property management platform, so a stolen password alone cannot take over a mailbox.
- Email filtering that flags messages from outside your organization and catches common lookalike domains.
- A visible external sender warning, so staff can see at a glance when a message did not come from inside the firm.
- Prompt removal of access when staff leave, so an old account cannot be used against you.
- Regular, plain language reminders so the team can spot a fake invoice or an urgent payment request.
If you think money already went to a fraudster
Speed matters more than anything else. Wires are difficult to reverse after a day or two, so act immediately rather than waiting to be certain.
- Call your bank right away and ask them to attempt a recall or freeze on the transfer.
- Report it to the FBI Internet Crime Complaint Center at ic3.gov, which can sometimes help freeze funds.
- Change passwords and review mailbox rules on any account that may have been compromised.
- Tell the affected owner or vendor so they can watch for related activity.
- Review how the request got through and tighten the gap so it cannot happen the same way again.
Wire and ACH fraud is frightening because the losses can be large and the money can vanish quickly. It is also one of the few serious threats you can largely defeat with a simple, consistent habit. If you want help setting up email protection, multi-factor authentication, and a verification routine that fits the way your team actually works, we are happy to help.