Estate agency and conveyancing email security in 2026: where the money moves

Property is where house-deposit emails meet weak domain protection. This guide covers why estate agents, conveyancers and surveyors are targeted, and the practical steps that close the gap.

Estate agency and conveyancing email security in 2026: where the money moves
Photo by Markus Winkler on Pexels

Buying a house is, for most people, the largest payment they will ever make. The instructions for where that money goes arrive by email. That single fact makes the property sector one of the most attractive targets in the UK for email-based fraud, and it explains why estate agents, conveyancers and surveyors deserve their own look rather than being lumped in with general professional services.

This guide covers who is targeted, how the fraud works, and the specific, practical steps that reduce the risk. It is written for office managers, partners and the IT person who keeps everything running, not for a security team you probably do not have.

Why property is different

Most sectors worry about reputation, data and disruption. Property has all of those, plus a feature that fraudsters love: predictable, large, one-off payments to bank details supplied by email. A deposit, a completion sum, or a surveyor's fee all follow the same pattern. The buyer expects to be told where to send money. The fraudster only has to make their instruction look more convincing than the real one.

This is the crime the press calls "Friday afternoon fraud", because completions cluster at the end of the week when everyone is rushed and a wrong bank account is hardest to claw back. The technical name is payment diversion fraud, a form of business email compromise.

How the fraud actually works

There are two broad routes, and they need different defences.

1. Spoofing your domain

The simplest version does not require breaking into anything. If your domain is not properly protected, a fraudster can send an email that appears to come from your exact address - the same one your client has been corresponding with for weeks. As we explain in our piece on how anyone can send email as your domain, the email "From" address is trivially forged unless you have published the right records and told the world to enforce them.

The buyer receives an email that looks identical to your firm's, often replying to a real thread, telling them the bank details have changed. They pay. The money is gone within hours.

2. Compromising a mailbox

The more advanced version involves a fraudster gaining access to a real mailbox - yours, the buyer's, or the other side's solicitor - usually through a phishing link or a reused password. They watch the conversation, learn the names and the timeline, and intervene at the moment of payment. This is harder to stop with email authentication alone, because the email genuinely comes from the compromised account.

The honest position is that domain protection stops the first route and reduces, but does not eliminate, the second. We will be clear about that throughout.

What domain protection does and does not do

The three records that matter are SPF, DKIM and DMARC. Together they let receiving mail servers check that an email claiming to be from your domain was actually sent by you, and tell those servers what to do when the check fails.

The trap many firms fall into is publishing a DMARC record set to p=none and assuming the job is done. It is not. As we set out in why p=none is not protection, that setting only gathers reports. It tells receiving servers to deliver spoofed mail anyway. A fraudster spoofing your domain sails straight through. To actually block impersonation you need to reach p=reject.

What this does:

  • Stops outright spoofing of your exact domain, which is the most common and most scalable attack.
  • Protects your name when fraudsters try to send to buyers, vendors and other firms.
  • Gives you reporting data showing who is sending as you.

What it does not do:

  • Stop a fraudster registering a lookalike domain - smith-conveyancing.co.uk instead of smithconveyancing.co.uk. That is a separate problem requiring vigilance and, where it matters, monitoring.
  • Protect a mailbox that has been compromised through a weak or stolen password.
  • Replace the single most effective control in property: telling clients, in writing and up front, that you will never change bank details by email, and asking them to verify any such request by phone using a number from your letterhead, not the email.

Where the property sector stands

Across the sectors we have reviewed, professional services that handle client money - law firms and accountants among them - have moved faster than most. Property sits in a more uneven position. Larger conveyancing firms and the bigger agency chains often have authentication in place. Independent agents, smaller surveying practices and high-street solicitors frequently do not, or sit on the false comfort of p=none.

The reason is structural. Property firms tend to send email from a sprawl of services: a CRM or agency software platform, a marketing tool for property alerts, a separate system for valuations, an accounts package, and the office's own email. Each of these sends on your behalf, and each must be accounted for before you can safely enforce DMARC. Get it wrong and you risk blocking your own legitimate mail. That complexity is exactly why firms stall at p=none and never finish the job.

A practical route to protection

The path is well established and, done carefully, carries no risk to legitimate email. We cover it in full in the safe route to enforcement, but in summary:

  • Publish DMARC at p=none with reporting to begin gathering data. This is a starting point, not a destination.
  • Read the reports to find every legitimate service sending as you - the CRM, the property portal feeds, the marketing tool, the accounts system.
  • Bring each sender into SPF and DKIM so it passes authentication.
  • Move to p=quarantine, then p=reject once the reports show only legitimate mail is passing.

For a firm with a handful of sending services this can take a few weeks of careful checking. The work is in the discovery and verification, not the publishing.

What to tell your clients

Technical controls protect your domain. Process protects the payment. The two go together. Every property firm should have a standing instruction, repeated at the point of money changing hands, that reads roughly:

  • Our bank details will not change during your transaction.
  • If you receive any email asking you to send money to a different account, treat it as fraud.
  • Always confirm payment details by telephone using the number on our letterhead before transferring funds.

If the worst happens, the buyer and the firm should contact the bank immediately and report it to Action Fraud. Speed matters; funds recovery is far more likely in the first hours.

The board-level view

For partners and principals, the question is not technical. It is risk. A diverted completion can run to hundreds of thousands of pounds, and the dispute over who bears the loss - firm, bank or buyer - is expensive and reputationally damaging regardless of outcome. The NCSC guidance on managing cyber risk frames this well: email fraud is a business risk to be owned at the top, not an IT detail to be delegated and forgotten.

Domain authentication is cheap relative to the loss it prevents. It is also increasingly expected by professional indemnity insurers and by the larger firms you transact with.

Where to start

If you do not know whether your domain is protected, that is the first thing to establish. A free health check will show you what records you have published and whether a fraudster could currently send email as your firm. From there the route to genuine protection is clear and methodical.

Property is unusual in how directly email touches money. That makes the case for getting domain protection right unusually simple. The controls do not stop every variant of fraud, and we have been honest about their limits, but they close the single largest and easiest route a fraudster has to impersonate your firm at the exact moment your client is about to pay.

Shaun Cooke
Shaun Cooke

Founder of SealedMail and a UK email-security specialist in DMARC, SPF, DKIM and email authentication for regulated sectors. He personally reads the DMARC and TLS reports behind every SealedMail account and writes the company's plain-English guides. More from Shaun Cooke →