Hi, I’m sorry you’re dealing with that. Let’s take it step by step.

First, treat it as a suspected payment diversion incident.

1. Stop any further payments to that new bank account immediately.
2. Contact your bank urgently and ask whether the payment can be recalled or frozen.
3. Speak to the landlord using a trusted phone number you already had on file, not the details in the email.
4. Preserve the email trail and note exactly who made the change and when.
5. Check whether any other landlord or contractor payment details were changed recently.

If you’d like, I can help you draft a clear internal incident note or a message to the landlord.

You’ve done the right first step already, so that’s good.

For the directors, I’d suggest a short update covering:

• What happened: landlord bank details were changed following an email request that now appears fraudulent.
• Impact: rental income was sent to an unauthorised account.
• Known timeline: when the email was received, when the change was made, and when the payment was sent.
• Actions taken: payments stopped, landlord contacted, bank contacted or being contacted, evidence retained.
• Immediate risks: financial loss, further impersonation attempts, similar changes on other accounts.
• Next steps: bank recall attempt, internal review, secondary verification process for future changes.

If you want, I can turn that into a ready-to-send message now.

Here’s a simple draft you can use:

Subject: Urgent incident update: suspected fraudulent landlord bank detail change

We’ve identified a suspected payment diversion incident. A landlord bank detail amendment was processed following an email request that appeared genuine and matched an existing communication thread. The landlord has since confirmed they did not request the change.

A rental payment sent yesterday may have gone to an unauthorised bank account. We’ve stopped any further payments to that account, contacted the landlord, and are urgently contacting the bank regarding recovery options. We’re preserving the email trail and reviewing whether any other payee details were amended recently.

Immediate priority is containment, recovery, and verification of any recent account detail changes.

On landlord contact: I’d review recent changes first, then contact anyone affected or at risk. A full broadcast straight away could create confusion unless you know the scope.

Of course. You’ll want to be kind but clear.

You could say:

“Thanks for being open about what happened. I know this is upsetting, but right now the priority is understanding the timeline and helping us contain it. These emails are designed to look convincing, especially when they come through familiar threads. We’ll review the process properly, but for now I just need your help gathering the facts so we can respond quickly and prevent anything further.”

That keeps the tone calm and avoids blame in the moment.

Later, you can reinforce a simple rule: any bank detail change must be verified through a trusted secondary route before it’s processed. It’s a good learning point for the whole team, not just her.

Absolutely! Here’s a simple morning checklist:

1. Confirm all future payments to the new account are blocked.
2. Call the bank and request urgent recovery or recall of yesterday’s payment.
3. Confirm the landlord’s genuine bank details using a trusted contact route.
4. Save the full email chain and record times, names, and actions taken.
5. Identify any other recent changes to landlord, tenant deposit, or contractor payment details.
6. Send the incident update to directors.
7. Speak with the admin involved and capture the timeline calmly.
8. Decide whether any other affected parties need contacting today.
9. Put a temporary hold on processing further bank detail changes without secondary verification.

If you’d like, I can also turn this into a neat internal memo for your team.