Why email is the main attack vector and how criminals exploit transactions

Email remains the workhorse of property transactions. But despite this, it is one of the weakest links.  

Globally, more than one billion email accounts were compromised in the past year, and the property sector continues to be a lucrative target. 

In high-value transactions, the stakes are especially high. There are large sums, multiple counterparties, and predictable timelines. This makes it easier for criminals to insert themselves at critical points. 

Email’s structural weaknesses.

Standard email was never designed for secure, verifiable communication. Messages can be intercepted, spoofed, or altered without detection. When email is used to share payment instructions, identity documents, or contractual details, the opportunity for fraud increases sharply. 

In property deals, these vulnerabilities are magnified by the number of participants. Lawyers, notaries, agents, lenders, and clients may all be exchanging information via separate email chains, often without a central record of what was sent, when, and to whom. 

How criminals exploit the process.

Fraudsters rarely need to compromise every account in a transaction. Often, gaining access to just one inbox is enough. Common tactics include: 

• Business email compromise (BEC): Using a hijacked or lookalike address to send fake payment instructions. 
   

• Thread hijacking: Inserting malicious messages into existing email conversations, often with convincing context. 
   

• Document harvesting: Collecting personal and financial data for later use in identity theft or account takeover. 
   

Once funds are redirected, recovery is difficult and often impossible. It is orders of magnitude more complex when property deals cross borders. 

Why this matters now.

Rising transaction volumes and increased cross-border activity mean that more professionals are handling sensitive data for clients they may never meet in person. This expands the attack surface and makes social engineering easier. 

The reliance on email, even when better options exist, leaves the sector exposed. In many jurisdictions, failing to protect personal data adequately can also carry regulatory consequences. 

Reducing exposure.

Protecting transactions requires more than awareness training. Secure communication channels, verified identity checks, and role-based access controls can close many of the gaps criminals currently exploit. Systems that log and track every action in a transaction make it harder for fraud to succeed, and easier to prove what happened if it does. 

Instead of relying on inboxes that criminals already know how to exploit, property professionals need channels built for the job: encrypted by default, identity-verified, and able to show a complete, tamper-proof history of the deal.  

Removing email from the most sensitive stages of a transaction is one of the simplest ways to cut the risk dramatically. 

Redpin helps professionals manage cross-border payments with clarity and control – enabling smoother, more secure transactions. Speak to an expert to find out how we could help you.