Reserve Funds Are Wired Out by Email.
A condo or co-op board controls hundreds of thousands to millions of dollars in reserve and operating accounts. The wire transfer approvals run through a managing agent's email inbox protected by an eight-character password set in 2019. Business Email Compromise scams targeting building accounts are now a routine industry attack. The losses are six figures and rising.
THE THREAT MODEL
Building accounts are soft targets sitting on hard money.
A typical NYC condo or co-op of 100 units holds $200,000 to $2,000,000 in operating reserves and $1,000,000 to $20,000,000 in capital reserves. The accounts are controlled by a board of volunteers and a managing-agent firm. The wire transfer approvals are routed through email. The vendor payment changes are accepted by phone or by email. The cybersecurity posture is whatever the managing agent happens to maintain.
For a sophisticated attacker, this is a target-rich environment with weak defenses. Business Email Compromise (BEC) scams compromise a board member's or managing agent's email account, watch the legitimate vendor invoice traffic for weeks, then send a spoofed invoice with new wire instructions just before a real payment is due. The wire goes out. The funds are gone. The legitimate vendor calls the next month asking why they were not paid. By then the money has been moved through three bank accounts in two countries.
Industry-tracked BEC losses targeting community associations now run into the hundreds of millions annually nationwide. The FBI's Internet Crime Complaint Center has flagged the sector as a growth area for fraud. Insurance carriers writing community-association D&O are now requiring cyber riders or excluding cyber claims entirely.
THE CURRENT DEFENSE
There is no required standard. There is no required disclosure.
New York does not require condo or co-op boards or their managing agents to maintain any specific cybersecurity standard. Boards may adopt one. Most do not. Multi-factor authentication on the board's financial portals is recommended by every industry advisory and rarely implemented. The wire-transfer approval process at most buildings is one to two email confirmations, both from accounts that could be compromised by the same phishing campaign.
Cyber insurance is not required. When fraud happens, the building looks first to the managing agent's insurance, then to the bank, then to its own D&O policy, often in that order, often unsuccessfully. Banks generally do not bear loss for wire fraud where the customer authorized the wire, even when the authorization was procured by deception. The recovery rate on BEC scams once funds have left the originating bank is under 20 percent.
Incident reporting is not required. A board that loses $250,000 in a wire fraud has no statutory obligation to disclose the loss to owners until the next financial statement comes out a year later. Some boards never disclose it. The next year's special assessment "to rebuild reserves" is the only signal the owners ever receive.
REAL-WORLD INCIDENTS
The patterns repeat across the industry.
- Vendor change spoof. Attacker compromises bookkeeper's email, watches recurring vendor payments, sends spoofed invoice with new ACH routing. Building pays. Real vendor calls. Loss: $40,000 to $400,000.
- CFO impersonation. Attacker spoofs board president's email to managing agent, requests an "urgent" wire to a vendor for a capital project. Managing agent processes. Loss: $50,000 to $800,000.
- Reserve account drain. Attacker accesses managing agent's bank portal through a phishing-harvested password, initiates ACH transfers from reserve account over multiple weeks. Discovered at next reconciliation. Loss: $100,000 to $2,000,000.
- Insurance claim diversion. Attacker intercepts insurance settlement check, deposits to fraudulent account. Building never receives funds. Loss: face amount of claim.
- Closing fund diversion. Attacker spoofs closing attorney's wire instructions to incoming purchaser, diverts down-payment funds. Building loses the new shareholder; deal collapses; lawsuit follows.
None of these scenarios is speculative. All have been documented in industry reporting and litigation. Most go unreported publicly because both the board and the managing agent prefer not to disclose.
PROPOSED FIX
Mandatory controls calibrated to building size.
- Buildings over 50 units. Multi-factor authentication required on board and managing-agent financial system access. Annual security audit by qualified third party.
- Buildings over 100 units. Cyber insurance required with minimum coverage tied to operating budget (typically $1M to $5M per occurrence). Incident response plan on file with governance authority.
- All buildings, all sizes. Two-person rule for wire transfers above a threshold ($10,000 typical). Both confirmations must be via independently verified channels -- not both via email.
- Vendor change protocol. Any change to a vendor's banking information requires verbal verification with the vendor's known contact at a known phone number (not a phone number provided in the email requesting the change).
- Reportable incidents. Any financial loss over a threshold ($5,000 typical) from cyber fraud is reportable to the governance authority within 30 days. Reporting protects the board from after-the-fact penalty; failure to report compounds liability.
- Owner notification. Buildings that suffer material cyber losses must notify owners within 60 days. Owners cannot govern what they do not know about.
- Standards body. The governance authority publishes a minimum cybersecurity standard for condo and co-op operations, updated annually, with managing agents required to certify compliance for each building they serve.
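The two-person rule and the vendor-change protocol above are the controls a managing agent's payment workflow would actually have to enforce. The following is an added example, not code from this article or from any managing-agent system, showing how those two checks look as an approval policy: a wire above the threshold needs two distinct approvers and cannot be confirmed by email alone, and any beneficiary account that differs from the one on file needs a verbal callback to the vendor's number already on record, never to a number taken from the request. The vendor, the account numbers, the phone numbers, and the helper names (`VendorRecord`, `WireRequest`, `evaluate_wire`) are all constructed for illustration.

```python
"""Wire-approval policy checks for a building's payment workflow (constructed example).

Encodes two of the proposed controls:
  1. Two-person rule above a dollar threshold, with channel independence.
  2. Verbal verification at a number on file before honouring changed bank details.
"""
from dataclasses import dataclass
from typing import Optional

# "$10,000 typical" in the proposal; wires above this need two confirmations.
WIRE_TWO_PERSON_THRESHOLD = 10_000


@dataclass(frozen=True)
class Confirmation:
    approver: str   # role or person giving the confirmation, e.g. "president"
    channel: str    # "email", "phone", "portal_mfa", "in_person"


@dataclass(frozen=True)
class VendorRecord:
    name: str
    bank_account: str   # beneficiary account captured at onboarding
    known_phone: str    # contact number captured at onboarding, not from any email


@dataclass(frozen=True)
class WireRequest:
    vendor: VendorRecord
    amount: int
    beneficiary_account: str                 # account printed on the invoice
    phone_in_request: Optional[str] = None   # number offered in the request email (untrusted)
    callback_phone_used: Optional[str] = None  # number the verifier actually dialled


def check_vendor_change(req: WireRequest) -> list[str]:
    """Findings for an invoice whose beneficiary differs from the account on file."""
    if req.beneficiary_account == req.vendor.bank_account:
        return []  # no change in banking details, nothing to verify
    # Bank details changed: the only acceptable verification is a call to the
    # number already on file. A number supplied in the request is ignored entirely.
    if req.callback_phone_used is None:
        return ["bank change without verbal verification"]
    if req.callback_phone_used != req.vendor.known_phone:
        return ["callback made to a number not on file"]
    return []


def check_two_person(req: WireRequest, confirmations: list[Confirmation]) -> list[str]:
    """Findings for the two-person rule on wires above the threshold."""
    if req.amount <= WIRE_TWO_PERSON_THRESHOLD:
        return []
    findings = []
    if len({c.approver for c in confirmations}) < 2:
        findings.append("fewer than two distinct approvers")
    # Two email confirmations can both come from one phished mailbox campaign.
    if confirmations and {c.channel for c in confirmations} == {"email"}:
        findings.append("all confirmations via email; no independent channel")
    return findings


def evaluate_wire(req: WireRequest, confirmations: list[Confirmation]) -> tuple[bool, list[str]]:
    """Return (approved, findings); the wire is released only with no findings."""
    findings = check_vendor_change(req) + check_two_person(req, confirmations)
    return (not findings, findings)


# --- Constructed sample data ------------------------------------------------
ROOFING = VendorRecord(name="Acme Roofing (constructed)",
                       bank_account="ACCT-0001", known_phone="+1-212-555-0100")

# BEC-style invoice: new beneficiary, and the callback was made to the number in the email.
BEC_REQUEST = WireRequest(vendor=ROOFING, amount=85_000, beneficiary_account="ACCT-9999",
                          phone_in_request="+1-646-555-0199",
                          callback_phone_used="+1-646-555-0199")
EMAIL_ONLY = [Confirmation("president", "email"), Confirmation("agent", "email")]

# Same changed account, but verified at the number on file and confirmed over two channels.
VERIFIED_REQUEST = WireRequest(vendor=ROOFING, amount=85_000, beneficiary_account="ACCT-9999",
                               phone_in_request="+1-646-555-0199",
                               callback_phone_used="+1-212-555-0100")
MIXED_CHANNELS = [Confirmation("president", "email"), Confirmation("treasurer", "phone")]

# Routine payment below the threshold to the account on file needs no second approver.
ROUTINE_REQUEST = WireRequest(vendor=ROOFING, amount=4_000, beneficiary_account="ACCT-0001")

if __name__ == "__main__":
    for label, req, confs in [("BEC-style", BEC_REQUEST, EMAIL_ONLY),
                              ("verified", VERIFIED_REQUEST, MIXED_CHANNELS),
                              ("routine", ROUTINE_REQUEST, [])]:
        approved, findings = evaluate_wire(req, confs)
        print(f"{label}: approved={approved} findings={findings}")
```

The point of the design is that neither check trusts anything in the request itself: the beneficiary account is compared with the onboarding record, and the callback number is compared with the onboarding record, so a spoofed invoice that also supplies a "new contact number" gains nothing. The channel check is deliberately strict about email-only confirmations because the attack in the threat model compromises the mailbox that both confirmations would otherwise pass through.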