GDPR and Security for Real Estate Agencies: Managing Data and Defending Against Phishing
8 min read · AstraLoop Studio
A real estate agency handles exactly the kind of data cybercriminals go after: first and last name, tax code, address, ID documents, land registry records, income data, IBAN. And it manages transactions worth hundreds of thousands of euros that travel through emails and wire transfers. Put those two things together and it's easy to see why the sector has ended up in the crosshairs, with one specific fraud doing enormous damage: wire transfer fraud on property sales.
The underlying problem is something else. Most agencies treat GDPR as a bureaucratic box to tick once (privacy notice signed, file closed) and treat cybersecurity as something that concerns big companies, not them. Both beliefs are wrong, and they can cost, quite literally, the price of an apartment. Let's look at how to properly manage data handling at an agency and, above all, how to defend against the scams that strike at the most delicate moment: the moment money changes hands.

Why a real estate agency is a perfect target
The 2026 Clusit Report paints a stark picture: Italy accounts for roughly 10% of serious incidents worldwide, attacks grew by over 20% in the first quarter of the year, and SMEs now make up 72% of targets. A typical real estate agency is an SME: few staff, little to no in-house IT expertise, a patchwork of tools (personal Gmail or Outlook, WhatsApp, cloud management software, listing portals). It's exactly the risk profile an attacker looks for.
Three specific factors make the sector so appealing to criminals.
- High-value personal and financial data. A single client file contains an ID document, tax code, payslips, bank statements, land registry records — a ready-made package for identity theft and credit fraud.
- Extremely high-value transactions. Few businesses move wire transfers of €200,000 or €400,000 as routinely as a property sale. Hijack just one and you've made the score of the year.
- Many parties in the same deal. Seller, buyer, agent, notary, bank, surveyor: a long chain of emails and attachments, where a single weak link is all it takes to break in.
If you want to frame the topic in a structured way before getting into real estate specifics, it's worth starting with a complete cybersecurity audit for SMEs. That's the framework everything below fits into.
GDPR at a real estate agency: how to actually manage it
GDPR (EU Regulation 2016/679) isn't a form you have signed once and file away. For a real estate agency, it's a way of handling data throughout the entire relationship. Here are the points the Italian Data Protection Authority looks at first, translated into operational practice.
1. Legal basis and purpose: why you're collecting that data
Every piece of data you collect needs a specific purpose and a legal basis. The buyer's tax code for the purchase offer serves the contract (performance of a contract or pre-contractual measures). Sending newsletters and new listings, on the other hand, is marketing and requires separate, freely given, revocable consent. You can't use data collected for one sale to bombard the client with listings forever — it's one of the most common complaints.
2. A specific privacy notice, not a copy-paste job
The privacy notice must state who you are (the data controller), what data you process, for what purposes, how long you keep it, who you share it with (notary, bank, portals), and how the client can exercise their rights. A generic notice downloaded from the internet and never updated is worse than nothing, because it states things you don't actually do.
3. Data minimization and retention periods
Don't collect more than you need, and don't keep data forever. Copies of ID documents and payslips from a client who never bought should not sit in your Drive indefinitely. Define a retention period for each category of data and actually delete it once that period expires. Fifteen years of unprotected sensitive documents is a ticking time bomb in the event of a data breach.
4. External processors: who else touches your data
The cloud management software, the listing portal, the accountant, the marketing consultant: anyone processing data on your behalf is a data processor and must be appointed under a contract per Article 28 GDPR. This is where third-party risk comes in, and it's a major issue today: roughly 30% of data breaches involve a vendor, and supply-chain compromises have grown fourfold in five years. Knowing where your data ends up isn't a formality — it's risk control.
5. Technical security: adequate measures
GDPR calls for measures "appropriate" to the risk. For an agency, that means: strong, unique passwords for every service, two-factor authentication on email and management software, devices with encrypted disks, backups, and no sensitive document circulating unchecked on WhatsApp. You don't need a data center — you need to stop leaving the doors open.

Wire transfer fraud: the scam that empties the deal
Now for the scam that should keep every real estate agent up at night. In technical terms it's called Business Email Compromise, or a "man in the middle" attack on the wire transfer. Here's how it works.
- The criminal compromises an email account somewhere in the chain (agent, buyer, sometimes the notary) via phishing, or silently monitors it after stealing the credentials.
- They wait for the moment money comes up: deposit, balance, closing day.
- At the right moment they send a perfectly credible email — right subject line, right signature, right style — saying that "due to a technical issue the IBAN has changed" and attaching new bank details.
- The buyer, acting in good faith, wires the deposit or balance to the scammer's account. By the time anyone notices, the money has already been funneled to foreign accounts and withdrawn.
In Italy the average loss from this type of fraud runs into the tens of thousands of euros per incident, and in real estate deals the stakes are far higher. The problem is amplified by AI-powered attacks: phishing emails are now grammatically flawless, and cases of voice deepfakes used to confirm payments over the phone are exploding (in Italy, vishing with cloned audio has grown by over 300% compared to 2023). The scammer calls you, with a believable voice, to "confirm" the very same fake IBAN they just emailed you.
Why the agent is liable even when they didn't make the transfer
Here's a delicate point worth noting. Even if it's the buyer who makes the transfer, if the breach originated from the agency's own email account (poorly protected, no 2FA, a weak password) the agency risks being held liable for the damages and, on the GDPR side, for failing to adopt adequate security measures. A compromised email account that exposes data from a property sale is, to all effects, a data breach under GDPR, with an obligation to assess whether it must be reported to the Data Protection Authority within 72 hours.
How to defend against real estate phishing: concrete procedures
Antivirus software alone won't stop wire transfer fraud. You need a procedure, shared with every team member and communicated to clients from the very start of the negotiation. Here's the one that works.
| Rule | How it's applied |
|---|---|
| IBAN never sent by email, never changed by email | Bank details are communicated only once, in person or through a verifiable channel. Golden rule: "no IBAN ever changes by email." If an email arrives announcing an IBAN change, treat it as fraud until proven otherwise. |
| Out-of-band verification | Before any wire transfer, the buyer calls a number already known and verified (not the one written in the latest email) to confirm the details out loud. A second channel the attacker doesn't control. |
| Two-factor authentication everywhere | Mandatory 2FA on email, management software, and portals. It's the single measure that blocks most account compromises. |
| Email authentication (SPF, DKIM, DMARC) | Set up the records that stop a scammer from sending email that impersonates your domain. See how SPF, DKIM, and DMARC work. |
| Staff training | Whoever answers emails needs to spot the warning signs: urgency, an IBAN change, a slightly different sender address, unexpected attachments. Here's how to recognize a corporate phishing attempt. |
| Client communication | Put it in writing at the start of the negotiation that you will never change your IBAN by email and that every wire transfer must be verified by phone. You turn the client into an active line of defense. |
There's also an internal risk not to be underestimated: Shadow AI — staff pasting client data (payslips, documents, contracts) into ChatGPT or other tools to get help writing listings or summaries. 38% of employees share confidential data with unauthorized AI tools: for an agency, that means sensitive client data leaving the company perimeter, with a potential GDPR problem attached. A clear policy on what can and can't be done with these tools is now, effectively, part of security.
Want to know exactly where your agency is exposed, from wire transfer emails to your document archive? Request a targeted assessment: we'll find the weak points and the procedures that keep you safe.
Security audits for agencies: where to start
If reading this you've recognized more than one gap, the right way to address it isn't to buy yet another piece of software at random. It's to start with an orderly assessment of what you're protecting and from what. In practice, an audit for a real estate agency looks at four fronts.
- Data mapping (GDPR). What data you process, where it lives, who accesses it, which vendors you share it with, how long you keep it. This is the foundation of both compliance and security.
- Email and transaction security. 2FA, domain authentication, an anti-fraud procedure for wire transfers. This is the front with the highest financial risk.
- Technical vulnerability checks. A vulnerability assessment identifies the open doors on your website, management software, and devices. To understand how it differs from an actual attack simulation, read vulnerability assessment vs. penetration testing compared.
- Procedures and people. Tested backups, access management, anti-phishing training, a policy on AI tool use. Technology without the right habits doesn't protect anyone.
It's worth remembering this attentiveness isn't purely defensive. More and more cyber insurance policies require proof of minimum measures (2FA, backups, procedures) before they'll pay out on a claim. A documented audit is also what makes you insurable on sensible terms.
The regulatory context that concerns you from 2026 on
Even though the average real estate agency isn't directly bound by the NIS2 directive, the regulatory climate is tightening for everyone. Two reference points are worth keeping in mind.
- GDPR: remains the perimeter that concerns you directly. Fines from the Data Protection Authority for improper processing or mishandled breaches run into serious amounts, and a poorly handled data breach only makes things worse.
- NIS2 cascade effect: if you work with banks, insurers, or large groups (entities directly bound by NIS2), they will increasingly ask you, as a vendor, for security guarantees. It's third-party risk seen from the other side. To find out whether and how NIS2 applies to your business, it's worth getting clear on it before a partner asks you first.
To be clear, this is informational: for the legal and privacy specifics of your agency, a qualified consultant is still your reference point. But the practical substance doesn't change: protect your email, lock down wire transfers, put your data in order, train your people. The most valuable deal you handle is the one that doesn't end up in the wrong account.
Frequently asked questions
Does a real estate agency need to appoint a DPO?
For most agencies it isn't mandatory, since large-scale processing of special-category data isn't the core business. It's still mandatory to comply with GDPR, though: proper privacy notices, a legal basis, retention periods, security measures, and appointment of external processors. If in doubt, it's worth getting an assessment from a privacy consultant.
What is wire transfer fraud in property sales?
It's a scam in which the criminal compromises an email account involved in the deal and sends fake bank details, often under the pretext of a changed IBAN. The buyer wires the deposit or balance to the scammer's account. The main defense is simple: no IBAN ever changes by email, and every wire transfer must be confirmed by phone on an already-known number.
If a client is scammed, is the real estate agency liable?
It depends on the case, but if the breach originated from a poorly protected agency email account (no 2FA, weak passwords) the agency risks being held liable for the damages and, on the GDPR side, for lacking adequate security measures. The compromise must also be assessed as a possible data breach requiring notification to the Data Protection Authority within 72 hours.
What minimum security measures does an agency need?
Two-factor authentication on email and management software, unique passwords for every service, encrypted disks on devices, tested backups, email domain authentication (SPF, DKIM, DMARC), an anti-fraud procedure for wire transfers, and anti-phishing training for staff. These are also the requirements many cyber insurance policies demand to cover a claim.
How long can I keep clients' documents?
Only for as long as necessary for the stated purposes. Documents from people who never bought shouldn't be kept indefinitely: a retention period must be defined for each category of data, and data must actually be deleted once it expires. An endless archive of sensitive documents is a serious risk in the event of a breach.
Can staff use ChatGPT to write listings?
With caution. Pasting client data (documents, payslips, contracts) into unauthorized AI tools moves sensitive data outside the company perimeter and is a potential GDPR problem. A clear policy is needed that bans entering clients' personal data and specifies which tools are approved.
If you handle property deals and sensitive data every day, don't wait for an incident to act. Talk to us: together we'll build the anti-fraud procedures and GDPR compliance tailored to your agency.