New hire phishing property management | Leasing agent cybersecurity | CEO impersonation | Tenant data | Salt Lake City
Spring is peak hiring season for property management companies. New leasing agents are joining teams, property managers are getting promoted, and administrative staff are being added to handle the surge in rental applications and lease renewals. New employees are always a security consideration — but the spring rental rush intensifies the risk. Research from Keepnet in 2025 found that CEO impersonation emails are 45% more effective against new employees than against established staff, and a separate study found new hires are 44% more susceptible to phishing overall. For property management companies where email is the primary tool for every significant transaction, a single phishing success on a new leasing agent can expose tenant records, compromise wire transfer workflows, and create real financial liability.
Why New Leasing Agents Are Prime Phishing Targets
Your new leasing agent's first few weeks are a flood of unfamiliar information. They're learning AppFolio or Buildium. They're getting set up on your email platform. They're being added to property-specific communication channels. They're receiving welcome emails from software vendors, from property owners, from maintenance contractors, and from your team — all from addresses they've never seen before. In that context, distinguishing a legitimate email from a phishing attempt is genuinely difficult.
Attackers watch LinkedIn for new job announcements and time their campaigns accordingly. A spoofed email that appears to come from your company owner asking the new leasing agent to process a maintenance payment, or a fake AppFolio login page sent 'just to verify your new account,' are attacks that have succeeded against property management teams. The new employee doesn't yet have a mental model of what's normal — so they can't spot what's abnormal.
The spring rental season adds pressure. Leasing agents are processing applications quickly, responding to prospective tenants, and trying to demonstrate competence in a fast-paced environment. Security second-guessing feels like it slows everything down. That's the environment attackers are exploiting.
The Chaos of Onboarding Creates Security Gaps
Property management onboarding is often rushed. There are units to show, applications to process, and leases to execute. Security training competes with everything else and usually loses. But the security gaps created during onboarding are specific and significant.
If a new leasing agent is given temporary access through a shared login while their individual credentials are being set up — a common workaround — you've created an audit trail problem and a credential risk before their first full day. When something goes wrong, you can't tell whether the action was taken by the new employee or whoever else shared that login. And if that shared credential is ever compromised, multiple people's access is exposed simultaneously.
New team members who don't know your company's normal communication patterns are especially vulnerable to business email compromise. They don't know that your broker or company owner never sends urgent wire requests by email without a phone follow-up. They don't know that AppFolio maintenance requests come from a specific address format. They don't know that your property management company's email domain is slightly different from the spoofed version an attacker will use. Without that baseline, they have no defense.
Wire Fraud Starts With a New Employee Who Doesn't Know the Rules
Wire fraud is the number one financial cyber threat for property management companies. And the path to a successful wire fraud often runs through a new employee. Here's how it works: an attacker monitors your company's email traffic — either through a compromised account or through social engineering — and identifies an upcoming large transaction. An owner disbursement. A security deposit transfer. A vendor payment for a major renovation.
They then send an email to the newest, least experienced member of your team — the one who is still learning the systems and eager to demonstrate helpfulness — appearing to be from the company owner or a senior property manager. The message asks them to update wire instructions or process a payment to a new account. The new employee, not knowing the normal process for these requests, complies.
This attack is devastatingly effective and has cost property management companies across the country hundreds of thousands of dollars. The defense requires new employees to know — before they process their first financial transaction — exactly what your company's payment authorization process is and who they should verify with before acting on any payment-related email instruction.
Three Fixes That Protect Your Agency During the Spring Hiring Rush
1. Configure Access Properly From Day One
Every new leasing agent and property manager should have their own individual credentials in AppFolio, Buildium, Dotloop, Skyslope, and every other platform they'll use — configured before their first day, not on it. No shared logins. No 'use mine for now.' Individual accounts with role-appropriate access create clean audit trails and limit the blast radius of any compromised credential.
MFA should be turned on during initial setup. If a new employee's credentials are phished before MFA is in place, you have a window of complete vulnerability. Don't leave that window open.
2. Teach Them What Normal Looks Like in Your Company
Before a new leasing agent processes their first application in AppFolio, make sure they know: How does your company owner or broker typically communicate? What does a legitimate email from AppFolio, Buildium, or Dotloop look like? What's the actual process for any payment or wire transfer — and who specifically approves it? What would IT support actually ask them to do, and what would they never ask?
This conversation doesn't require a formal training program. It requires 20 minutes with someone who knows your company's communication patterns. Agencies that do this consistently report far fewer phishing successes against new staff because the new hire has a reference point for normal and can recognize deviation from it.
3. Name a Point of Contact for Security Questions
Tell every new hire explicitly: 'If you get an email that seems weird or asks you to do something you're not sure about, text [name] before you click or act.' A named person. A specific instruction. Zero ambiguity about whether it's okay to ask.
New employees won't interrupt a busy day to ask a security question unless they know it's expected and welcome. Make it part of your onboarding script. Normalize the behavior. The culture of asking before clicking is your best defense against the social engineering attacks that specifically target new staff.
Protecting Tenant Data During Your Busiest Hiring Season
Your rental applications contain tenant Social Security numbers, banking information for ACH setup, employment verification, and prior landlord references. That's a significant volume of sensitive personal data, all entering your systems through the people who are newest to your team and most susceptible to phishing. Building security awareness into your spring onboarding process isn't an optional extra — it's a direct risk control.
Tenants trust your company with their most sensitive personal information because they need housing and they're trusting you to handle it responsibly. A data breach caused by a new employee who clicked a phishing link and didn't know who to call isn't just a technology problem. It's a failure of onboarding and a breach of the trust your tenants placed in you.
Want to make sure your spring hires are set up to protect your company — not expose it?
We work with Salt Lake City property management companies to protect tenant data and secure real estate transactions. Schedule a free discovery call to talk about building security into your onboarding process this spring.
Frequently Asked Questions
Our leasing agents work at the property, not our main office. How do we handle security training for remote staff?
Remote and distributed property management teams are common, and security training needs to meet staff where they are. Short video training modules, a one-page security reference card posted at each property office, and a clear escalation contact (text this number if something seems wrong) go a long way for staff who aren't centrally located. Your managed IT services provider can also help configure your systems so that security policies — like MFA requirements and approved device configurations — are enforced at the platform level regardless of where your agents work.
How do we protect against wire fraud when our team processes so many financial transactions?
The most effective control is a strict policy: no wire transfer or payment instruction received by email is acted upon without voice verification with the person who supposedly sent it — using a phone number your company already has on file, not one provided in the email. This policy should be communicated to every new hire before they process their first transaction, and it should be reinforced regularly. No exception for urgency. No exception for seniority of the sender. The two minutes it takes to make a verification call is worth it every time.
What should we do if we think a new hire has been phished?
Act immediately. Change the credentials on any account the new hire accessed from the potentially compromised device or account. Enable or verify MFA. Disconnect the affected device from your network if possible. Contact your IT support team or managed services provider right away. Review recent activity in AppFolio, Buildium, or whichever systems were accessed to check for unauthorized changes. If tenant data may have been exposed, review your notification obligations — and document everything from the moment you discover the incident.
