Cyber Security for UK Estate Agents and Property Businesses
Property fraud, client money protection, and the specific cyber threats facing UK estate agents and letting agents — in plain English.
Why estate agents are high-value targets
Estate agents and letting agents sit at the intersection of large financial transactions, sensitive personal data, and time pressure — a combination that attackers actively exploit. Property transactions involve significant sums of money, tight deadlines, and multiple parties communicating by email. That makes them a prime target for business email compromise and payment fraud.
Letting agents also hold ongoing financial relationships with landlords and tenants — collecting rent, holding deposits, and making regular payments — creating persistent opportunities for fraud if security is weak.
The biggest risk: property payment fraud
Property payment fraud — where attackers intercept email communications during a transaction and substitute fraudulent payment details — is one of the most financially devastating cyber crimes affecting UK businesses. Estate agents are frequently targeted because:
- They communicate payment details by email as standard practice
- Transactions involve large, often one-off payments that feel unusual to clients anyway
- Time pressure during completion creates urgency that discourages verification
- Multiple parties — buyers, sellers, solicitors, mortgage lenders — create confusion about who should be paying whom
Critical: never send bank details by email alone
Always verify payment details by phone using a number from your records before any significant transfer. Make this a written policy and communicate it clearly to clients at the start of every transaction.
Regulatory requirements
GDPR and client data
You hold significant personal data on buyers, sellers, landlords, and tenants. This includes financial information, identification documents, and in some cases credit check data. All must be protected appropriately.
Anti-Money Laundering regulations
Estate agents are required to conduct AML checks. The identity documents and financial information collected for AML purposes are highly sensitive and must be stored securely.
NTSEAT and The Property Ombudsman
Both require member agents to have appropriate systems for protecting client data and handling it responsibly.
Client Money Protection
If you hold client money, your CMP scheme may have requirements around data security and fraud prevention that you need to evidence.
Priority actions for estate and letting agents
MFA on all email accounts
Email compromise is the root cause of most property payment fraud. MFA on every email account is non-negotiable.
Written payment verification policy
A documented policy requiring phone verification of all payment details, communicated to clients at the start of every instruction.
Secure storage of ID documents
AML identity documents must be stored securely with access limited to those who need them. Not in a shared folder accessible to all staff.
Individual logins for all staff
Every negotiator and admin team member needs their own login. Shared accounts make it impossible to investigate incidents.
Staff training on phishing and BEC
Regular briefings on business email compromise — particularly for anyone who handles payments or communicates with solicitors about transactions.
Separate backups
Client records, transaction files, and AML documents all need regular backups stored separately from your main system.
Our 10-minute security assessment covers all five Cyber Essentials areas and produces a professional report you can use as evidence of your security practices for clients, regulators, and insurers.
Find out where your business stands
Complete our 10-minute plain-English assessment and get a professional security report aligned to Cyber Essentials.
Start Your Free Assessment →£49 for the full report · No account required