Business Email Compromisecritical

The Estate Agent Whose Email Was Used to Defraud Buyers

Criminals compromised an estate agent's email account and used it to send fraudulent payment instructions to buyers, redirecting deposits to criminal accounts.

Independent estate agent (UK)·2023·2 min read

Attack Chain

Estate agent email compromised via phishing

Inbox monitored for active property transactions

Payment instruction emails intercepted and altered

Two buyers transfer deposits to criminal account

1
Estate agent email compromised via phishing
2
Inbox monitored for active property transactions
3
Payment instruction emails intercepted and altered
4
Two buyers transfer deposits to criminal account

Background

Property fraud causes some of the largest individual losses of any cybercrime because the sums involved are so significant. Estate agents frequently exchange payment instructions by email — a process criminals specifically target. A small independent estate agent used a basic email platform with no two-factor authentication.

The Attack

The estate agent's email account was compromised after an employee clicked a phishing link. The criminals monitored the inbox for two weeks, identifying live purchase transactions with buyers expecting to receive payment instructions. When the agent sent genuine bank details to two buyers, criminals intercepted and altered the emails to include their own bank account details. Both buyers transferred deposits thinking they were following legitimate instructions.

Response

Both buyers contacted the estate agent when their solicitors said the funds hadn't been received. The fraud was discovered within days. Banks were contacted and one transfer was partially recalled. Police and Action Fraud reports were filed.

Outcome

One buyer lost £22,000 permanently. The other recovered £15,000 of £28,000. The estate agent faced reputational damage and a potential negligence claim. The incident prompted a full email security overhaul.

Key Takeaways

Any payment instructions received by email should be verified by phone before sending — especially for property transactions
Estate agents and solicitors should have a clear stated policy that they will never change bank details by email alone
Turn on two-factor authentication for all business email accounts — it is the single most important step
Enable email login alerts so you know immediately if someone accesses your inbox from an unfamiliar location
If you're buying property, call your agent on a number you independently looked up to confirm any financial instructions

How to Prevent This

All guides

intermediate

What to do if your business email is compromised

A compromised business email account needs to be treated as an emergency. Criminals who have access to your inbox can read client communications, intercept invoices, learn your payment patterns, impersonate you to clients, and reset passwords on linked services. Immediate steps: 1. Change the email account password immediately from a device you trust (not the potentially infected one) 2. Enable two-factor authentication if it isn't already on 3. Check and update the recovery email and phone number — attackers sometimes change these to maintain access 4. Review recent sent items for any emails you didn't send 5. Check email forwarding rules — attackers often set up silent forwarding so a copy of every email goes to them even after you change the password 6. Notify your bank, key suppliers, and clients that your email was compromised and that any recent payment instructions from you must be verbally confirmed 7. If customer or client data was accessible from the inbox, assess whether an ICO notification is required within 72 hours The discovery that your email was silently monitored for days or weeks is unsettling. Start with the steps above, then work with an IT professional to understand the full scope of what was accessible.

See: The Estate Agent Whose Email Was Used to Defraud BuyersWhat To Do If It Happens

estate agentemail compromiseproperty fraudpayment diversionbusiness email compromise