Defending Against Phishing

An estimated 3.4 billion phishing emails are sent every day.

Phishing attacks have become a prevalent threat to HOA management companies, putting homeowner data at risk. In this blog post, we will explore the nature of phishing attacks, discuss best practices for preventing them, and highlight the importance of robust security measures. By implementing these strategies, HOA management companies can protect their communities and maintain homeowner trust.

Understanding Phishing Attacks

Phishing attacks are cyberattacks that attempt to deceive individuals into revealing sensitive information or performing harmful actions such as clicking on malicious links or sending money to fraudsters. Cybercriminals often use deceptive emails, fake websites, and social engineering techniques to trick people into believing that they are legitimate businesses or individuals. Spear phishing and whaling are more targeted forms of phishing which focus on specific employees within an organization, grooming them over a period of time into trusting the fraudster. The consequences of successful phishing attacks can range from data breaches to financial loss and reputational damage.

Best Practices for Preventing Phishing Attacks

To defend against phishing attacks, HOA management companies should prioritize the following practices:

Employee Education and Awareness

One of the most effective ways to prevent your employees from being tricked by phishing is to educate them about the threat. Employees should be trained to recognize phishing indicators, avoid clicking on suspicious links or attachments, and report any suspected phishing attempts. Regular reminders and simulated phishing exercises can reinforce these best practices. Make the training part of your onboarding process!

There are a lot of vendors that offer employee phishing training and will test your team. If that is not in the budget, a free old-but-still-good training will get you started. 

A successful program will measure your employees’ susceptibility to a phishing simulation at the beginning and measure it again after training. The goal is to see the number of “We aren’t falling for that!” responses grow over time.

Implementing Robust Email Security Measures

HOA management companies should leverage email security solutions to protect against phishing attacks. This includes using spam filters to block suspicious emails, implementing email authentication protocols such as SPF, DKIM, and DMARC to verify sender identities, and enabling email encryption to protect sensitive information. Advanced threat protection tools can also help detect and block malicious email content. 

Many of the email solutions used by businesses have built-in phishing and spam detection already. Hence the “spam” mailbox!

Google claims to block 99.9% of spam emails and has additional security measures your administrator can enable in the admin console at Apps/Google workspace/gmail/safety/.  

Microsoft 365 comes with Microsoft Defender. Make sure it is configured correctly. Microsoft Exchange Online Protection validates the “From” address to protect against phishing.

Gartner has a great list of email security vendors that can augment your current email solution even further. They do things such as quarantining suspect messages so that they can be examined safely, setting up “allow lists” to get around the spam controls, etc. They go beyond the “out of the box” gateway protections and actively scan and monitor the mail environment for new threats that the gating controls have not been set to remediate. If your employees are reporting a large number of phishing attempts getting past your email system’s built-in protections, you should seriously consider one of these vendors.

Multi-Factor Authentication (MFA)

Implementing MFA adds an extra layer of security by requiring users to provide additional verification beyond passwords. HOA management companies should require employees to enable MFA on all their tools. Homeowners should also be educated about the importance of enabling MFA for their accounts to protect their personal information.

If an employee is tricked into providing their password, their MFA tool or code can help protect against data loss. However, some sophisticated attackers have worked out ways to trick users into providing their MFA codes, which is why physical MFA devices are a more robust defense against phishing.

Incident Response and Reporting

Having a well-defined incident response plan is crucial for minimizing the impact of a successful phishing attack. HOA management companies should develop an incident response plan that covers incident detection, containment, eradication, and recovery. The plan should outline who should do what, how the team should communicate, and provide guidance on reporting incidents to the HOA board, homeowners, and law enforcement. Reporting incidents to law enforcement and relevant authorities, such as the FBI's Internet Crime Complaint Center (IC3), is also essential for tracking cybercriminal activities and raising awareness.

The plan should be detailed enough that the management company doesn’t have to go looking for phone numbers in an emergency. By planning ahead, the management company doesn’t have to figure out what they are legally required to do in the heat of the moment. If you have Cyber Insurance, make sure to verify annually what their incident management requirements are; they can change!

Once you have a plan, run a “pretend” incident to flesh out any gaps in your plan. Even better, do the simulation annually to keep your contact lists up to date and your confidence level high. 


Defending against phishing attacks is an ongoing challenge for all businesses; HOA management companies are no exception. The scary thing is that the sophistication of phishing attacks continues to evolve. By prioritizing employee education and awareness, implementing robust email security measures, and developing comprehensive incident response plans, HOAs can protect homeowner data and maintain the trust of the HOA boards who are their customers. Employees should be encouraged to promptly let your IT department, Security department or whoever is the “email admin” in your company know if they suspect phishing. It will help ascertain whether additional funds should be spent on a supplemental email security solution. With proactive strategies and a collaborative approach, HOA management companies can stay one step ahead of cybercriminals.


