Estate agents sit at the centre of every property chain, connected to buyers, sellers, solicitors and mortgage brokers, with large sums moving at completion. Criminals target that position because one compromised inbox, or one spoofable domain, gives them a way into the whole transaction.

How Estate Agents get targeted

Email interception in the chain

A criminal watches email between your agency, the solicitor and the buyer, then just before completion sends a fake message redirecting the client funds. Even if the fraudulent email did not come from you, if your inbox was the entry point your firm can be implicated.

Agency impersonation

Criminals register a lookalike domain, or spoof your real one, and email clients or solicitors pretending to be your agency. Clients lose money, and trust in your brand.

CRM and portal phishing

Fake login pages for Rightmove, Zoopla or your CRM are used to steal staff credentials. Once in, criminals reach client data, valuations and transaction details.

GDPR and Propertymark expectations

You process personal data for every buyer and seller. A breach must be reported to the ICO within 72 hours, and cyber insurers are tightening email-security questions at renewal.

What this looks like in practice

A buyer near completion got an email that looked like it came from the agency, passing on "the solicitor updated account details." It was a spoof, sent because the agency domain had no DMARC enforcement. The deposit went to a criminal, and the buyer first call was to the agent.

Your quick checklist

  • DMARC configured to reject on your agency domain
  • SPF listing your CRM and email platform
  • MFA on all staff email accounts
  • A policy to verify bank details by phone before any transfer
  • Phishing awareness training in the last 12 months

Questions we get asked

The money moves through solicitors, not us. Why is this our problem?

Because you are the most-emailed party in the chain. If your domain can be spoofed, criminals impersonate you to buyers, sellers and solicitors alike. You are often where the fraud starts, even when the money leaves elsewhere.

We use Rightmove and a CRM. Do they handle security?

They secure their own platforms. Your email domain is separate, and its authentication is usually where the gap is. The free check looks at your domain, not the portals.

Our branches share one domain. Does the check cover all of them?

The check looks at the domain you enter, so run it for each domain your branches send email from. Multi-branch agencies often have one spoofable domain protecting, or exposing, the whole network.

Run the free check above to see whether your agency domain can be impersonated, and get a plain-English fix list for your IT team.