
Cybersecurity for Letting Agents: a Practical 10-point Defence Plan

  • Executive Property Management
  • 2 days ago

Recent warnings suggest letting agents are becoming prime targets for cybercriminals, thanks to the rich mix of personal IDs, bank details, tenancy documents and client-money flows you handle every day. Phishing, business-email compromise (BEC) and invoice fraud are the main risks to cybersecurity for letting agents, but there are ways to protect your business.

 

Below is a crisp, actionable toolkit you can implement now, grounded in guidance from the National Cyber Security Centre (NCSC), the ICO and property-sector protocols.


Cybersecurity for Letting Agents

1) Make phishing everyone’s problem

 

Phishing is when criminals impersonate landlords, tenants, suppliers or colleagues via email, text or messaging apps to trick letting agents into revealing login details, opening malware or changing payment/bank details. Run quarterly staff training and simulated phish tests. Teach “stop-and-check” habits: hover over links, verify unexpected attachments and forward suspicious emails or texts to report@phishing.gov.uk.


2) Lock down email: MFA + password manager

 

Turn on multi-factor authentication (MFA) on all cloud email and CRM accounts. Require staff to use unique, strong passwords via an approved password manager. Most BEC losses start with a single compromised mailbox.


3) Kill invoice fraud with call-backs

Create a hard rule: any request to change bank details for landlords, tenants, deposit schemes or contractors must be verified via a known phone number on file (never the number in the email).

 

Document the check in your CRM. Sector fraud protocols highlight bank detail change scams as a persistent threat to cybersecurity for letting agents.


4) Separate duties around client money

Don’t let just one person set up and approve payments. Use dual control on client accounts; restrict who can view or export bank details, and log and review payment approvals weekly.

 

5) Patch, back up and practise recovery

Enable automatic updates on laptops and phones, and patch your property-management and e-signature tools quickly when updates appear. Keep offline, versioned backups of critical data (tenancy files, statements, ID checks and so on) and run a quarterly restore test so you know it works under pressure.


6) Use secure portals for sensitive files, not email

 

Stop emailing passports, payslips and bank statements. Collect and share documents through your referencing platform or an encrypted portal with access expiry. This reduces the blast radius of a mailbox breach and helps with GDPR compliance.


7) Minimum device standards for staff (including BYOD)

If staff use their own phones and tablets, you need restrictions in place. Require device encryption, screen-lock, auto-timeout and the ability to remote-wipe lost phones. Enrol all devices handling client data into a basic mobile/endpoint management tool. Small steps make for a big risk reduction.


8) Vendor due diligence (your weakest link might be a plug-in)

Maintain a register of the third-party tools you use, such as PM systems, viewing apps and marketing platforms, and ask for their security protocols. Prioritise suppliers aligned to National Cyber Security Centre (NCSC) guidance.


9) Incident playbook: who you call, what you tell, when you tell it

Have a one-page incident response plan: internal contacts, your IT partner, bank, Action Fraud, insurers and the Information Commissioner’s Office (ICO). If a personal data breach risks harm to individuals, you may need to notify the ICO within 72 hours and communicate with affected people, so prepare your templates now. Run a drill twice a year.


10) Certify the basics

Adopt the Cyber Essentials certification from the NCSC to systemise controls on firewalls, configuration, access, patching and malware. It’s designed for SMEs and can materially reduce the risk of cyberattack. Many agents use it to unlock insurance cover or vendor approvals.

 

Cybersecurity for Letting Agents: Free Up Time

Cybersecurity for letting agents is so important commercially that it can take up a lot of your time. To free yourself up, utilise our property management services where you receive a professional and expert service that keeps landlords and tenants happy, letting you get on with matters such as cybersecurity. Contact us to find out more.

 

