Cyberfraud Scam Results in $18 million Loss for Battery Park City Condos

By William McCracken in Legal/Financial HABITAT Magazine

This is a slightly edited version of an article that appears in the October newsletter of the law firm Moritt Hock & Hamroff. The author is a partner at the firm.

Savvy co-op and condo boards and their management companies are aware of the need to protect themselves from cyberfraud. But few have the misfortune of experiencing cyberfraud on steroids.

It happened recently in Battery Park City in Lower Manhattan. Last summer Milford Management Corp., a subsidiary of prominent real estate firm Milstein Properties, notified its portfolio of managed condominium associations in Battery Park City that it had been the victim of a cyberfraud scheme. The loss was staggering: more than $18 million belonging to its client properties.

On Sept. 12, the board at one of those properties, Liberty Terrace Condominium, sued Milford in state Supreme Court, seeking the return of $1.3 million, the building’s share of the overall loss.

The stunning scale of the fraud was made possible in part because of the way these properties in Battery Park City are organized. The land, which was created by landfill dumped into the Hudson River in the 1970s, is owned by a governmental agency, the Battery Park City Authority (BPCA), which developed the buildings and then leased them out to condominium associations on long-term ground leases. These ground-lease condominiums must make periodic rent and PILOT (tax equivalent) payments to the BPCA, which can exceed seven figures. Rent and PILOT payments processed by Milford were stolen from multiple properties all in one go.

According to the complaint, Milford was the victim of a classic phishing scheme. An employee in charge of processing wire transfers received an e-mail purporting to be from a BPCA employee (but in reality a fraudster), providing new wire instructions for the BPCA’s June 2025 invoice. The Milford employee not only failed to recognize the signs of fraud evident on the e-mail itself (among other things, the e-mail was sent from a “.com” rather than a “.gov” e-mail address) but also allegedly failed to verbally confirm the new wiring instructions before releasing the funds.

One obvious lesson here is that it is important to always follow best practices for making payments by wire transfer, such as verbally confirming wire instructions. Milford undoubtedly already had those official protocols in place, but this time, for whatever reason, those procedures were not followed.

One might think that these sorts of events should be covered by insurance, but there may be difficulties. First, a generic cyber insurance policy probably will not cover the type of loss suffered here. Cyber policies typically cover only classic hacking schemes, whereby a criminal breaks into a company’s computer files. In contrast, the loss here was the result of a phishing scheme, whereby a human employee was fooled into facilitating the theft. These types of losses are covered, if at all, by “social engineering” coverage that may or may not be specifically added to the underlying cyber or crime policy. Thus, the first takeaway for boards is to find out whether their buildings and management companies have social engineering coverage under their existing policies.

However, even when boards have social engineering coverage written into their policies, the coverage limits tend to be low. Perhaps only a few buildings are ever likely to need to wire out seven-figure payments like the ground-lease condominiums discussed above, but in any event it would be a good idea for boards to contact a reputable insurance consultant to confirm whether they and their management companies have sufficient social engineering coverage to protect themselves from these increasingly common phishing schemes.
