HOA Cybersecurity for Boards: Wire Fraud, Ransomware, and...

TLDR

HOA boards control bank accounts, collect owner personally identifiable information, and routinely wire money for vendors and reserve expenditures. That combination makes them a realistic target for business email compromise (BEC) wire fraud, ransomware against management software, and PII breaches that trigger mandatory state notification obligations. The core defenses are simple: dual-control wire authorization, multi-factor authentication on every financial account, written vendor payment-change procedures, and cyber insurance. This guide covers each one and provides a step-by-step incident response table boards can use if an attack happens.

When we built BoardStack, one of the first problems we set out to solve was the financial control gap that makes HOA boards easy targets. Boards collect assessments, hold reserve funds, and write large checks to vendors, often with informal approval processes that rely on trust rather than procedure. That is exactly the environment wire fraud scammers target.

This guide covers the four categories of cyber risk that HOA boards face, the controls that address each one, and a step-by-step incident response process for when something goes wrong.

The four cyber risks HOA boards actually face

Wire fraud via business email compromise

BEC wire fraud is the highest-dollar threat most HOA boards will encounter. The attack is simple: an attacker sends an email that appears to come from a vendor the HOA pays regularly, or from a fellow board officer, and asks for a wire transfer or a bank account update.

The attack succeeds not because of sophisticated malware, but because HOA boards often lack written procedures for wire authorization. A treasurer who receives an email from what looks like the roofing contractor saying “please update our bank account for the upcoming $47,000 draw” has no documented process telling them to pick up the phone and call the contractor at a number already in the records.

The anatomy of a typical HOA BEC attack:

  1. Attacker researches the HOA through public records, meeting minutes posted online, or social media.
  2. Attacker identifies a vendor that receives regular large payments.
  3. Attacker registers a lookalike domain or spoofs the vendor’s email address.
  4. Attacker sends a payment account change request or urgent wire request.
  5. Treasurer updates records or initiates wire without out-of-band verification.
  6. Funds transfer to the attacker’s account. Recall window is typically 24-72 hours.

Ransomware against management systems

Ransomware enters most small-organization environments through a phishing email. A board officer or property manager opens an attachment or clicks a link, and the malware encrypts the files on that device and potentially on any network drive or cloud folder synchronized to it.

For an HOA, ransomware can encrypt:

  • Accounting records and the general ledger
  • Owner contact and payment information
  • Governing documents, meeting minutes, and contracts
  • Reserve study and vendor bid files

Cloud-based management software reduces local exposure significantly, but boards that run HOA business through personal email accounts, local spreadsheets, or shared Dropbox folders carry real ransomware risk on those personal devices.

Owner PII breaches

HOAs hold more personally identifiable information than most boards realize. A typical community database includes owner names, mailing and email addresses, phone numbers, ACH bank account information for dues collection, credit card tokens, and sometimes social security numbers for lien filings or collection matters.

If that data is exposed through a breach, whether from a ransomware attack, a compromised email account, or a misconfigured shared document, state breach notification laws are likely to apply. The notification obligation falls on the HOA board as the entity that collected and held the data, not the software vendor unless the contract explicitly shifts that duty.

Vendor payment change fraud

This attack is a subset of BEC but deserves separate mention because it is extremely common and the defense is specific. An attacker impersonates an existing vendor and submits a request to change the bank account on file for future payments. The HOA processes the next invoice normally, but the payment goes to the attacker.

The defense is a written policy: any bank account change for an existing vendor must be verified by a phone call to a number already in the HOA’s vendor records, not any number provided in the change request.

Core cybersecurity controls for HOA boards

Dual-control wire authorization

Every outgoing wire transfer should require two separate authorized individuals, acting through separate communication channels, to both initiate and approve the payment.

A workable process:

  1. The person requesting the wire (treasurer or manager) contacts the payee at a phone number from the HOA’s existing records to confirm amount, date, and account number.
  2. The treasurer then enters the wire in the bank’s online portal as a pending transaction.
  3. A second authorized approver, typically the board president, logs into the bank portal independently and approves the pending transaction.

Neither the initiating call nor the portal approval should rely on contact information from the wire request itself. The verification call goes to the number already on file.

Most community banks and credit unions can configure dual-approval wire workflows in business online banking at no additional cost. This is the most important single control an HOA can implement.

Multi-factor authentication on financial accounts

Every bank account, payment platform, and management software login that can initiate or approve a financial transaction should require MFA. Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are more secure than SMS codes because SMS is vulnerable to SIM-swap attacks.

A board member whose bank account login is protected only by a password is one phishing email away from a compromised session. MFA does not prevent every attack, but it eliminates the large class of attacks that rely solely on stolen credentials.

Steps to implement:

  1. Log into each financial account and check security settings.
  2. Enable MFA if available. Prefer authenticator apps over SMS.
  3. Confirm that the bank requires MFA for wire initiation and approval, not just login.
  4. Document which accounts have MFA and review annually when the board transitions officers.

Written vendor payment change procedures

Produce a one-page policy that covers:

  • Any request to change a vendor’s payment account (bank account, routing number, or payment method) must be verified by phone call to the vendor’s number in the HOA’s vendor register before the change is applied.
  • The board secretary or manager updates the vendor register only after that verification is documented.
  • Requests arriving by email, including emails that appear to come from the vendor, are not sufficient authorization on their own.

This policy should be approved by the board, stored in the governing document archive, and reviewed with any incoming board officer during the transition.
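The dual-control wire process and the vendor payment-change policy above share one rule: verification goes to the phone number already in the register, never to a number supplied by the request. The following is an added illustration of both rules as executable checks; it is not BoardStack code, and the vendor, officer names, phone numbers and account labels are constructed.

```python
"""Dual-control wire and vendor payment-change rules as code. Added illustration, not BoardStack code; all values constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

class PolicyViolation(Exception):
    """Raised when a step would bypass the written control."""

@dataclass(frozen=True)
class Vendor:
    name: str
    phone_on_file: str      # taken from the HOA's own vendor register
    account_on_file: str    # bank account currently on file for this vendor

@dataclass
class WireRequest:
    request_id: str
    vendor: str
    amount: int
    pay_to_account: str     # account the request asks the funds be sent to
    callback_number: str    # number supplied in the request itself: untrusted

@dataclass
class WireRecord:
    request: WireRequest
    verified_by: str
    verified_at: str        # the number actually dialed for the verification call
    approved_by: Optional[str] = None

class WireControls:
    """Verification against the register first, then approval by a second person."""
    def __init__(self, register: Dict[str, Vendor]):
        self.register = register
        self.pending: Dict[str, WireRecord] = {}

    def verify_by_phone(self, req: WireRequest, officer: str, number_dialed: str) -> WireRecord:
        """Step 1: the initiator confirms amount and account with the payee by phone."""
        vendor = self.register.get(req.vendor)
        if vendor is None:
            raise PolicyViolation("vendor not in register; onboard it first")
        if number_dialed != vendor.phone_on_file:
            raise PolicyViolation("verification call must go to the number on file")
        if req.pay_to_account != vendor.account_on_file:
            raise PolicyViolation("account differs from register; run the change procedure first")
        rec = WireRecord(req, verified_by=officer, verified_at=number_dialed)
        self.pending[req.request_id] = rec
        return rec

    def approve(self, request_id: str, approver: str) -> WireRecord:
        """Step 3: a different authorized person approves the pending wire in the portal."""
        rec = self.pending.get(request_id)
        if rec is None:
            raise PolicyViolation("no verified pending wire with that id")
        if approver == rec.verified_by:
            raise PolicyViolation("approver must be a second authorized person")
        rec.approved_by = approver
        return rec

    def change_vendor_account(self, vendor_name: str, new_account: str, number_dialed: str) -> Vendor:
        """Payment-change policy: verify at the number on file, then update the account only."""
        vendor = self.register[vendor_name]
        if number_dialed != vendor.phone_on_file:
            raise PolicyViolation("account change must be verified at the number on file")
        updated = Vendor(vendor.name, vendor.phone_on_file, new_account)  # phone is never replaced here
        self.register[vendor_name] = updated
        return updated

def attempt(action, *args) -> Optional[str]:
    """Run one control step; return the violation message if it was blocked, else None."""
    try:
        action(*args)
        return None
    except PolicyViolation as exc:
        return str(exc)

def build_demo() -> WireControls:
    """Constructed register with a single vendor and its number and account on file."""
    return WireControls({"Acme Roofing": Vendor("Acme Roofing", "555-0100", "ACCT-ON-FILE")})

# Constructed requests for the $47,000 draw; FRAUD carries an attacker's account and callback number.
FRAUD = WireRequest("w1", "Acme Roofing", 47_000, "ACCT-ATTACKER", "555-0199")
LEGIT = WireRequest("w2", "Acme Roofing", 47_000, "ACCT-ON-FILE", "555-0100")
```

Calling `verify_by_phone` with the request's own callback number, or approving with the same officer who verified, is rejected; the account change keeps the phone on file untouched so a single request cannot rewrite both.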

Cyber insurance

Standard HOA insurance packages, including most D&O policies, do not cover:

  • First-party funds transfer fraud losses
  • Ransomware recovery and system restoration
  • Breach notification costs (legal fees, notification mailings, credit monitoring)
  • Regulatory fines for breach notification failures

Standalone cyber insurance policies or cyber endorsements added to the community association policy fill these gaps. When evaluating a policy, boards should confirm it covers funds transfer fraud (some cyber policies exclude it as a “crime” loss covered separately), breach notification expenses, and first-party data recovery.

Secure document storage

Meeting minutes, owner rosters, and financial records held in personal email inboxes or ad-hoc shared folders create unnecessary breach exposure. Boards should store HOA records in a system that has access controls, audit logs, and encryption at rest. Purpose-built HOA management software provides this by default. A shared Google Drive folder does not, unless permissions are configured carefully and reviewed regularly.

Phishing awareness for board officers

The most effective phishing defense is a board that recognizes the attack patterns:

  • Urgent wire requests from board officers or vendors, especially requests that bypass normal approval steps
  • Bank account change requests from existing vendors
  • Emails asking for login credentials or asking a user to click a link to “verify” their account
  • Lookalike sender domains ([email protected] when the real vendor is [email protected])

Board orientation, when new officers join, is the right time to cover these patterns. It does not need to be a formal training session: a ten-minute walkthrough of the wire fraud and vendor payment change procedures is sufficient.
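As an added example for the lookalike-domain pattern above (not BoardStack code), this triage check compares each sender domain against the vendor domains in the HOA's register and flags near-miss spellings, confusable characters, and vendor names embedded in unrelated domains; the vendor domains, sample inbox and the character substitutions it looks for are constructed assumptions.

```python
"""Triage check for lookalike sender domains against the HOA's vendor register.
Added example, not BoardStack code; vendor domains and messages are constructed."""
from typing import Iterable, Optional, Tuple

# Digits attackers swap for similar letters, mapped back to the letter they imitate
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Letter pairs that render like a single other letter in many fonts
PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

def normalize(domain: str) -> str:
    """Collapse confusable spellings so 'acrne-r00fing.com' compares as 'acme-roofing.com'."""
    d = domain.lower().translate(HOMOGLYPHS)
    for seq, repl in PAIRS:
        d = d.replace(seq, repl)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) for near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Domain part of 'ap@vendor.com' or 'Name <ap@vendor.com>'."""
    return address.strip().rstrip(">").rsplit("@", 1)[-1].lower()

def classify_sender(address: str, known_domains: Iterable[str],
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('known', domain), ('lookalike', imitated_domain) or ('unknown', None)."""
    domain = sender_domain(address)
    known = [k.lower() for k in known_domains]
    for k in known:
        if domain == k or domain.endswith("." + k):
            return ("known", k)            # the vendor's own domain or a subdomain of it
    for k in known:
        if normalize(domain) == normalize(k):
            return ("lookalike", k)        # differs only by confusable characters
        if edit_distance(domain, k) <= max_distance:
            return ("lookalike", k)        # one or two characters off, e.g. .co for .com
        if k in domain or k.split(".")[0] in domain:
            return ("lookalike", k)        # vendor name embedded in an unrelated domain
    return ("unknown", None)

def triage(messages: Iterable[Tuple[str, str]], known_domains: Iterable[str]) -> list:
    """Return (sender, verdict, imitated, subject) for every message not from a known domain."""
    known = list(known_domains)
    flagged = []
    for sender, subject in messages:
        verdict, imitated = classify_sender(sender, known)
        if verdict != "known":
            flagged.append((sender, verdict, imitated, subject))
    return flagged

VENDOR_DOMAINS = ["acme-roofing.com", "greenlawn-landscaping.com"]   # constructed register
SAMPLE_MESSAGES = [                                                   # constructed inbox
    ("ap@acme-roofing.com", "Draw #3 invoice"),
    ("ap@acme-roofinq.com", "URGENT: updated bank details for draw #3"),
    ("billing@acrne-r00fing.com", "Please update our remittance account"),
    ("ap@acme-roofing.com.invoice-portal.net", "Invoice attached"),
    ("office@greenlawn-landscaping.com", "Spring schedule"),
    ("noreply@county-assessor.example", "Tax statement"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES, VENDOR_DOMAINS):
        print(row)
```

A lookalike verdict is a prompt to apply the verification call, not a replacement for it: a message from a known domain can still come from a compromised vendor mailbox, so payment-change requests get the phone check regardless of verdict.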

Incident response: step-by-step

If your HOA suspects it has been the target of wire fraud, a ransomware attack, or a PII breach, the following table provides a structured response sequence.

Phase | Step | Action | Who | Timeframe
Contain | 1 | Call the bank using a number from official records, not any email in the chain. Request a wire recall or transaction freeze if fraud is suspected. | Treasurer or President | Within 1 hour of discovery
Contain | 2 | Change passwords and revoke sessions for any compromised accounts. Enable MFA if not already active. | Board President or Manager | Within 2 hours
Contain | 3 | Isolate any device believed to be infected with malware. Do not power it off; leave it running but disconnected from the network to preserve forensic evidence. | Board officer with the affected device | Immediately
Assess | 4 | Preserve all relevant emails, logs, and screenshots with timestamps. Do not delete anything. | Board Secretary | Within 4 hours
Assess | 5 | Determine what data or funds may have been accessed or lost. Compile a list of potentially affected owners if PII was exposed. | Board President and Legal Counsel | Within 24 hours
Notify | 6 | File a complaint at ic3.gov (FBI Internet Crime Complaint Center). Request activation of the Financial Fraud Kill Chain for wire fraud incidents. | Board President | Within 24 hours
Notify | 7 | Report to local law enforcement to establish a case number for insurance purposes. | Board President | Within 24 hours
Notify | 8 | Engage legal counsel to determine breach notification obligations under applicable state laws and draft notifications if required. | Legal Counsel | Within 48 hours
Notify | 9 | Notify affected owners per state law requirements. Do not improvise the notification language; use counsel-reviewed language. | Board President with Legal Counsel | Per state law deadline
Recover | 10 | File a claim with the cyber insurance carrier. Provide all documentation compiled in the Assess phase. | Board President or Manager | Within 72 hours
Recover | 11 | Restore systems from clean backups if a ransomware attack occurred. Verify backup integrity before reconnecting to the network. | IT vendor or management software support | As needed
Improve | 12 | Conduct a post-incident review. Identify which control failed and update the written procedure to close the gap. | Full Board | Within 30 days

Evaluating your management software vendor’s security posture

The HOA’s management software vendor holds a copy of the same owner data the board does. Before contracting with a vendor, and at each renewal, boards should ask:

  • Does the vendor have a SOC 2 Type II report or equivalent third-party security audit? Can they share it?
  • Who holds the encryption keys for data at rest?
  • What is the vendor’s breach notification procedure and timeline?
  • Does the contract place breach notification obligations on the vendor, the HOA, or both?
  • Does the vendor carry cyber insurance that covers client data?
  • What is the contractual limit on the vendor’s liability if a breach occurs?

A vendor that cannot answer these questions clearly is a risk that should factor into the contracting decision.

What boards with fiduciary duty exposure should do now

Board members have a fiduciary duty to act in the interest of the community. A wire fraud loss or a PII breach that results from a failure to implement basic controls (dual-control authorization, MFA, and a written vendor payment policy) is the kind of decision that personal liability claims attach to.

Directors and officers insurance provides some protection, but most D&O policies exclude intentional acts and, critically, exclude first-party financial losses from fraud. Cyber insurance fills that gap. A board that carries neither a written wire control policy nor cyber insurance, and then loses $200,000 in a BEC attack, faces a difficult conversation with the homeowners who funded that reserve account.

The controls described in this guide are not expensive or technically complex. Dual-control wire authorization and a vendor payment change policy are written procedures, not software purchases. MFA is a free feature on most bank and software platforms. Cyber insurance for an HOA typically costs less than the HOA pays for a single landscape maintenance cycle. The fiduciary argument for implementing them is straightforward.

We built BoardStack to give self-managed boards a secure, purpose-built platform for financial management and records, one where access controls, audit logs, and fund separation are enforced at the system level rather than left to manual procedures. But the controls in this guide apply regardless of what software your board uses. Start with the wire authorization policy and MFA. Those two changes address the majority of the dollar-loss risk most HOA boards face.


DEFINITION

Business Email Compromise (BEC)
A fraud scheme in which an attacker impersonates a trusted party via email to trick the target into transferring money or sensitive information to a fraudulent destination. BEC attacks rely on social engineering rather than malware and are often targeted at organizations that make regular wire transfers. The FBI IC3 reports BEC as one of the costliest categories of cybercrime by dollar loss.

DEFINITION

Dual-Control Authorization
A financial control requiring that two separate authorized individuals, using separate communication channels or system roles, must both act to complete a sensitive transaction such as a wire transfer. Dual control eliminates the single point of failure that makes wire fraud easy: an attacker must compromise two people simultaneously rather than one.

DEFINITION

Multi-Factor Authentication (MFA)
A login security method that requires at least two distinct verification factors before granting access: typically something you know (password) and something you have (authenticator app code, hardware token, or SMS one-time passcode). MFA significantly raises the cost of credential-based attacks because a stolen password alone is insufficient to log in.

DEFINITION

Ransomware
Malicious software that encrypts the victim's data and demands payment, usually in cryptocurrency, to provide the decryption key. Ransomware attacks on small organizations, including homeowner associations, often begin with a phishing email that tricks a user into executing a malicious attachment or clicking a link that downloads the malware.

DEFINITION

Breach Notification Law
A state or federal statute requiring organizations that hold personal information to notify affected individuals and, in some cases, state regulators within a specified period after discovering that personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. Forty-seven states plus D.C. have enacted some form of breach notification law, and the definitions of covered personal information vary by state.

DEFINITION

Phishing
A social engineering attack delivered via email (or SMS, in which case it is called smishing) in which the attacker crafts a message that appears to come from a trusted source and induces the recipient to click a malicious link, open a malicious attachment, or provide credentials or sensitive data. Phishing is the most common entry point for both BEC fraud and ransomware infections.

DEFINITION

Cyber Insurance
An insurance product that covers financial losses arising from cyber events, including first-party losses such as ransomware recovery and business interruption, third-party liabilities such as breach notification costs and regulatory fines, and funds transfer fraud. Standard community association insurance policies, including most D&O policies, do not cover these losses without a specific cyber endorsement.

Q&A

How do HOA wire fraud scams work?

The most common HOA wire fraud pattern is the vendor impersonation BEC. An attacker researches the HOA's vendors, often from public meeting minutes or social media posts, then sends an email appearing to come from a vendor the HOA pays regularly. The email requests a bank account update before the next payment. If the treasurer updates the account details without out-of-band verification, the next payment goes to the attacker. A second common pattern is the officer impersonation BEC: the attacker spoofs the board president's email address and sends an urgent wire request directly to the treasurer or management company. Both attacks bypass technical defenses because they exploit process gaps, not software vulnerabilities.

Q&A

What financial controls prevent HOA wire fraud?

Three controls together close most HOA wire fraud attack paths. First, dual-control wire authorization: two authorized people must independently verify and approve every outgoing wire using separate communication channels. Second, a written vendor payment change policy: any change to a vendor's bank account must be verified by phone to a number already in the HOA's records, never to a number in the change request email. Third, positive pay or ACH debit blocks at the bank: these services require the bank to match outgoing transactions against a preapproved list and call for confirmation on any mismatch. Most community banks offer these controls at no additional cost.

Q&A

What state laws apply to HOA data breaches?

The applicable law depends on where the affected owners reside. California applies CCPA/CPRA and Civil Code Section 1798.29. Florida requires notification within 30 days of determination that a breach occurred, under Florida Statute 501.171. Texas requires reasonable notification and covers sensitive personal information including financial account numbers under Texas Business and Commerce Code Chapter 521. New York SHIELD Act requires reasonable safeguards and notification without unreasonable delay. Because HOA owners may live in multiple states during the time covered by the records, the board should engage legal counsel to identify which states' laws apply to any given breach event.

Q&A

What does incident response look like for an HOA cyber incident?

A useful framework for HOA boards follows five phases: contain, assess, notify, recover, and improve. Contain means immediately isolating affected accounts or systems, changing compromised credentials, and calling the bank to freeze transactions if fraud is suspected. Assess means determining what data or funds were accessed or lost and preserving all logs and records. Notify means reporting to law enforcement (IC3 and local police), engaging legal counsel, and triggering breach notification obligations if personal data was exposed. Recover means restoring access to systems, recouping funds if possible through the FBI kill chain or wire recall, and filing insurance claims. Improve means updating policies and controls to close the gap that allowed the incident.

Q&A

How should HOAs evaluate the cybersecurity practices of management software vendors?

Before signing a contract with a management software vendor, boards should ask for the vendor's SOC 2 Type II report or equivalent third-party security audit, ask who holds the encryption keys for stored data, ask how and when the vendor notifies clients of a breach, and confirm whether the contract places breach notification obligations on the vendor or the HOA. Boards should also ask whether the vendor carries its own cyber insurance and whether the contract limits the vendor's liability for breach-related costs. A vendor that cannot answer these questions clearly is a risk.


Frequently asked

What is business email compromise (BEC) and why does it target HOAs?

Business email compromise is a scam where an attacker impersonates a trusted party, typically a vendor or a fellow board officer, via email and tricks the recipient into wiring money to a fraudulent account. HOAs are attractive targets because they hold reserve funds that can exceed $500,000 in mid-size communities, board officers rotate frequently and may not know each other well, and wire transfer requests for vendors are routine enough that an unexpected one might not raise a red flag. A typical HOA BEC starts with a spoofed email from the "landscaping company" asking the treasurer to update their payment bank account before the next draw.

What is a dual-control wire authorization policy?

Dual control means that no single person can initiate and approve a wire transfer without a second authorized person independently confirming the request through a separate communication channel. If the treasurer receives a wire request by email, they must call the vendor at a phone number on file, not a number provided in that same email, to verify before the board president approves in the banking portal. The two steps must come from two different people using two different channels. Most community bank fraud departments can configure dual-approval wire workflows directly in online banking.

What personally identifiable information does an HOA typically hold?

HOAs routinely hold owner names, mailing addresses, email addresses, phone numbers, bank account numbers for ACH dues collection, credit card tokens, insurance claim data, and sometimes social security numbers for lien or collection proceedings. A management software platform or even a shared spreadsheet with that data is a regulated data set under most state privacy laws. A breach that exposes owner bank account or SSN data typically triggers mandatory breach notification under state law.

Does an HOA have to notify owners after a data breach?

Almost certainly yes, in most U.S. states. Forty-seven states plus D.C., Puerto Rico, and the U.S. Virgin Islands have breach notification laws that require organizations holding personal information to notify affected individuals within a defined window after discovering a breach. California (CCPA/CPRA), Florida, Texas, and New York all have active enforcement regimes. Timeframes range from "expedient notice" to mandatory notification within 30, 45, or 72 hours of discovery. The HOA board, as the data controller, bears the notification obligation, not the software vendor unless the contract shifts that duty.

What is ransomware and how does it affect HOA management systems?

Ransomware is malicious software that encrypts the victim's files and demands payment to restore access. For an HOA, this could mean the management software database, accounting records, owner contact lists, meeting minutes, and governing documents become inaccessible. Many HOA boards use cloud-based management software, which reduces local exposure, but if board officers use their personal email accounts or personal computers to manage HOA business, a ransomware infection on that personal device can still compromise HOA files stored locally or in shared cloud folders.

How does MFA protect an HOA bank account?

Multi-factor authentication (MFA) requires a user to provide something they know (the password) and something they have (a time-based code from an authenticator app, a hardware token, or an SMS one-time code) before the bank grants access. A stolen or guessed password alone is not enough to log in. Most community banks and credit unions now offer MFA on business online banking. Boards should verify MFA is enabled on every account that can initiate or approve wire transfers, and should prefer authenticator apps over SMS codes because SMS is vulnerable to SIM-swap attacks.

What is vendor payment change fraud?

Vendor payment change fraud is a specific form of BEC where an attacker sends an email impersonating a known vendor and requests that the HOA update the vendor's bank account number for future payments. The HOA then sends the next invoice payment to the attacker's account. The legitimate vendor never receives the funds and may not discover the fraud until the HOA is already a month behind. The defense is a written policy requiring that any bank account change for an existing vendor be verified by an out-of-band phone call to the vendor's number already in the HOA's records, not any number provided in the change request.

Does an HOA need cyber insurance?

Cyber insurance is not legally required for HOAs, but it is increasingly considered a fiduciary best practice for any community that holds reserve funds or owner financial data. A general liability or directors and officers (D&O) policy typically does not cover first-party cyber losses, ransomware recovery costs, breach notification expenses, regulatory fines, or credit monitoring for affected owners. Standalone cyber insurance policies, or cyber endorsements added to an existing community association policy, fill that gap. NAIC and state insurance regulators have published guidance on what cyber policies should cover.

What should an HOA board do immediately after discovering a wire fraud attempt?

Act within hours, not days. Call the originating bank directly using a phone number from your records, not from any email in the chain, and request a wire recall. The FBI's Internet Crime Complaint Center (IC3) Financial Fraud Kill Chain can freeze the destination account if the wire is still in transit. File a complaint at ic3.gov and report to local law enforcement to preserve the record for insurance. Engage the HOA's legal counsel before communicating with owners or vendors about the incident. Document every action with timestamps.
