Combat business email compromise

Business email compromise is a form of phishing where scammers impersonate a trusted person over email and convince the target to send payment. It was the most common method of actual and attempted payments fraud in 2024, reported by 63% of respondents to the 2025 AFP Payments Fraud and Control Survey Report. In some cases, scammers gain access to a legitimate email account. In others, they use spoofing to send emails from an address that mimics the authentic one. 

Business email compromise takes many forms. Fraudsters may impersonate: 

• A company leader who directs an employee to transfer funds to the scammer’s account 
• A party in a real estate transaction, such as a property seller, title company or law firm, using wire fraud to trick the buyer into paying an account a cybercriminal controls
• A vendor who sends an invoice with fraudulent account information

AI helps fraudsters appear convincing, generating emails without red flags such as grammar or spelling errors. Scammers may even use deepfakes—realistic but false AI-generated videos, images or audio—to sound like someone you know and trust on a video or voice call.   

Verifying payment requests with a callback is one of the most effective ways to defend against business email compromise, but only if done correctly. 

Other best practices for protecting your portfolio against business email compromise include: 

• Verify callbacks: If you didn’t perform the callback yourself, confirm it was done correctly before sending payment.
• Enable email controls: Tools that mark emails from outside your company make it harder for scammers to impersonate employees. 
• Check email addresses and domain names: Look for signs of spoofing before clicking links. You may see slight alterations to the spelling of an email address or website URL, or changes to the top-level domain such as swapping “.com” for “.co.”
• Be cautious with personal info: Scammers can use information you post on social media or other public websites to craft more convincing phishing attempts, and audio and video clips can be used to create deepfakes. 

Guard against account takeover

Bank account takeover is a form of identity theft and a growing cyber threat. A fraudster’s goal: Gain access to a protected account and the funds or data it contains. 

A cybercriminal may attempt to trick you into sharing sensitive data through deceptive texts, emails or calls that appear to be from someone you trust. 

“Bad actors may call, pretending to be from your bank, and attempt to socially engineer you into divulging sensitive information through a fabricated urgent scenario,” said Nico DiGioia, vice president of Global Banking Client Fraud Experience at J.P. Morgan. “They might claim to want to help you solve a problem, such as reviewing a potentially fraudulent payment or an account with missing funds.”

The target may hand over account details without realizing they aren’t speaking with their bank. 

Fraudsters often use spoofed emails or look-alike domains that closely resemble a real email or login page from the bank they’re impersonating. Another account takeover tactic is search engine optimization (SEO) poisoning, where scammers manipulate search engines so a fake website designed to steal account credentials appears at the top of the results.

Prevent account takeovers

• Learn to spot red flags: “Recognizing an account takeover attempt is much easier when you know what your bank will and won’t ask for over the phone,” DiGioia said. When a J.P. Morgan or Chase employee contacts you, they will never ask for your full account number, password or full token code. They also won’t ask you to click a link and enter your credentials. Don’t limit this tactic to your bank—know what to expect from any vendor with access to sensitive information, such as your property manager or property management system provider. 
• Verify requests: Don’t assume a call, text or email is legitimate. Check with a known contact before sharing any sensitive information—especially if the request is unusual or urgent. 
• Check email addresses and domain names: In addition to checking emails, texts and website URLs for signs of spoofing before entering credentials, consider using bookmarks to access key websites like your bank. This can help you avoid a fake version hiding in search results.
• Use multifactor authentication: MFA helps protect your account if a scammer steals your login credentials by requiring additional proof of identity, such as a code sent by text to your phone.

Use payment protection tools

Digital solutions for preventing unauthorized payments can be part of your real estate cybersecurity strategy—even for analog payments like checks. 

Checks remain the payment method most vulnerable to fraud, with 63% of respondents to the AFP survey reporting their organizations faced check fraud in 2024. But for many multifamily real estate owners, checks remain a necessary payment method. 

Connect offers payment fraud solutions that can help validate checks’ legitimacy before processing, along with tools for protecting other payment types. Talk to your banker to make sure you’re taking advantage of the right solutions for your business’s payment strategy. 

More commercial real estate cybersecurity best practices

Cybersecurity threats are always evolving. These foundational tips can help you protect your business and keep operations running smoothly as fraudsters’ tactics shift: 

• Know who has access to your accounts: Your team members should have access that’s appropriate for their role. Consider setting payment limits for different accounts and employees based on past payment trends or requiring multiple levels of approvals for high-value transactions. Don’t forget to update entitlements as your team changes. “You’d be surprised how many times people find old property managers, bookkeepers or accountants who still have access,” said Suzanna Da Silva, Head of Commercial Term Lending Payments at Chase. 
• Reconcile regularly: Reconciling payment activity daily can help you quickly identify any irregularities.
• Develop an incident response plan: If one of your properties experiences a cybersecurity incident, a response plan can help you respond quickly and limit disruption. A key step in that plan: Identify takeaways that can help you prevent future incidents. “When a property owner experiences one type of fraud, it’s natural to remain on high alert for that particular type—but often there are broader lessons that can help you prevent other threats,” Da Silva said.
• Invest in training and testing: Educate employees on cybersecurity threats most relevant to your business and their role in protecting your properties. Contact your banker to learn about resources that can help you keep your team up to date. 

“Our fraud team is great about having conversations with clients that help them be proactive rather than reactive on fraud prevention and cybersecurity,” Da Silva said.