How to verify HOA contact authenticity before sending payment

In 2025, the FBI Internet Crime Complaint Center reported over $3 billion in losses from business email compromise, with 86% of those losses occurring through wire transfer or ACH. Real estate transactions specifically accounted for $275 million in fraud losses, a 59% increase from the prior year. The majority of these losses were preventable. They happened because someone accepted payment instructions at face value and wired funds without verifying that the recipient was who they claimed to be.

For title and escrow teams, HOA payments are a persistent verification challenge. Management companies change. Board treasurers turnover. Portals migrate. Email addresses that were correct last quarter may now route to a fraudster. The only sustainable defense is a step-by-step verification protocol that your team follows on every file, every time, without exception. This article provides that protocol.

Why Verification Matters

The cost of a single fraudulent wire extends far beyond the dollar amount lost. A 2026 CertifID survey found that 56% of consumers would not work with a title company again after a wire fraud incident, even if all funds were recovered. Lender relationships fray. E&O premiums rise. Staff morale suffers. And in an industry where trust is the primary product, a public fraud incident can damage a brand for years.

ALTA Best Practices 4.2, released in August 2025, makes verification a formal compliance requirement under Pillar 4. Written wire transfer procedures must include clear processes for verifying instructions through an independent channel. Auditors expect timestamped verification logs, not handwritten notes. Informal verification, even when it works, does not meet audit standards and may void insurance coverage. For more on building compliant operational frameworks, see our guide on how title teams build an HOA ordering SOP.

Step 1: Cross-Reference Contact Info Against Prior Transactions

The first and fastest verification step is internal. Before acting on any HOA payment request, check your company's own records for prior transactions with the same association or management company.

• Compare email addresses. Does the sender domain match exactly what you have on file? Look character by character. "apex-hoamgmt.com" is not the same as "apexhoamgmt.com."
• Compare phone numbers. If you have called this management company before, does the number on the new request match your known contact?
• Compare bank details. If you have wired this company previously, do the routing and account numbers match? Any change should trigger full re-verification.
• Review the contact name. Has the billing contact changed? If so, is the change plausible, or does it arrive with a request for new payment instructions?

This step takes under two minutes and catches a significant percentage of spoofing attempts. Fraudsters often do not know what your prior interactions looked like. A mismatch between current and historical contact information is often the first visible signal of fraud.

Step 2: Verify Through the Association's Official Website

If internal records are incomplete or this is a first-time interaction with the HOA, move to external verification. The association's official website is your most reliable public source for contact information.

• Locate the official domain. Search for the association by its legal name, not just the community name. The official site often ends in .org or uses the association's full legal name.
• Find the management company link. Most association websites list their management company under a "Contact Us," "Management," or "Board" section.
• Cross-check the email domain. The domain of the payment request should match the domain listed on the official website or the management company's corporate site.
• Check for SSL and legitimacy. Ensure the site uses HTTPS and has been active for a reasonable period. Be cautious of recently registered domains that mimic legitimate associations.

For self-managed HOAs without a dedicated website, check county recorder records, the original CC&Rs, or state corporation filings. These documents often list the registered agent or board president's contact information. For more on working with self-managed associations, see our article on self-managed HOA document requests.

Step 3: Call the Management Company Using a Known Number

This is the cornerstone of the verification protocol. Every payment instruction received by email, fax, or portal message should be confirmed by a phone call to a number that you independently verify, not a number provided in the payment request itself.

• Use the number from your file. If you have called this management company before, use the number in your internal database.
• Use the corporate website. Navigate to the management company's official website and use the main office number listed there. Ask to be transferred to the billing or accounts receivable department.
• Use state registration records. For smaller management companies, the registered agent's phone number on file with the secretary of state is a verified contact.
• Confirm the request verbally. Ask the contact to confirm the invoice amount, the property address, and the bank account details. Do not simply ask "did you send this?" Ask them to read back the instructions they have on file.

The call should be made by the person responsible for the wire, not delegated to an assistant who lacks context. The conversation should be documented with the date, time, name of the person spoken with, and the details confirmed. This call log becomes your primary audit trail.

Step 4: Confirm Payment Instructions via Out-of-Band Communication

Out-of-band communication means using a separate, independent channel to verify the information received on the first channel. If the instructions arrived by email, verify by phone. If they arrived by fax, verify by email to a known address. The key is that the verification channel is not accessible to the party who sent the original instructions.

Why does this matter? Because fraudsters who compromise an email account can intercept replies sent to that same account. They can see your verification email, reply from the compromised account confirming the fraudulent instructions, and your team wires the money believing it was verified. Out-of-band verification breaks this loop.

• Never verify via the same email thread. A reply to a suspicious email is not verification.
• Never use phone numbers from the email. The number in the signature block may route to the fraudster's burner phone.
• Use a portal as a secondary channel only if you independently navigated to it. Do not click links in emails that claim to route to the portal.
• Confirm specific details, not general intent. Ask for the exact routing number, account number, and beneficiary name. General confirmation is not enough.

ALTA Best Practices 4.2 formally codifies this requirement. Pillar 4 states that wire instructions must be verified through an independent channel. Auditors expect to see evidence of this practice, not just assurances that it happened.

Step 5: Verify Bank Account Details Through Multiple Channels

Even after confirming contact authenticity, the specific bank account details require their own verification. Fraudulent wires happen because the contact is real but the account details have been altered in transit.

• Match against prior transactions. If you have paid this entity before, the new account should match the old one unless a formal change notification was received and independently verified earlier.
• Call the bank. Some banks will confirm whether an account number matches the beneficiary name you intend to pay. This service varies by institution but is worth requesting on high-value wires.
• Use positive pay or ACH blocks. Work with your bank to implement positive pay controls that flag wires to unrecognized accounts for manual review.
• Send a test wire for large amounts. For new vendors or changed instructions, send a small test amount, confirm receipt, then send the balance. This adds a day to the process but eliminates catastrophic loss.

If the management company states that they have changed banks, treat that statement with the same skepticism as a new vendor onboarding. Require formal documentation, verify it independently, and update your internal database only after dual approval.

Step 6: Document the Verification in the File

Verification that is not documented did not happen, at least not in the eyes of an auditor, an underwriter, or a court. Every verification step must leave a record in the file.

• Save the call log. Note the date, time, phone number called, name of the person who answered, and the specific details they confirmed.
• Screenshot the official website. Capture the page showing the verified contact information, with the URL visible and the datestamp included.
• Attach the checklist. Use a standardized pre-wire verification checklist, signed or initialed by the verifier and the approver, and save it to the production file.
• Log portal confirmations. If verification occurred through a portal, save the confirmation page or receipt with the transaction ID visible.
• Store for seven years. Retain all verification documentation for at least seven years to support E&O claims and ALTA audit requirements.

Documentation serves two purposes. It protects the company in the event of a dispute or claim. And it creates accountability: when team members know their verification steps will be reviewed, compliance rates improve dramatically.

When to Pause and Verify vs. When to Proceed

Not every situation requires the same intensity of verification. The table below provides a decision framework based on transaction characteristics.

Red Flags That Should Trigger Extra Verification

Certain patterns should automatically escalate any HOA payment to high-intensity verification, regardless of the entity's history with your company.

• Last-minute changes. Any change to payment instructions within 48 hours of closing is automatically suspicious. Legitimate entities rarely change bank accounts on short notice.
• Urgency and pressure. Phrases like "wire immediately," "closing is at risk," or "payment required today" are designed to suppress critical thinking. Treat them as fraud indicators until proven otherwise.
• Unfamiliar formatting. If the invoice layout, font, logo quality, or signature block differs from prior communications, verify before paying.
• Requests to wire to personal accounts. No legitimate management company or HOA requests payment to an individual's personal bank account. This is an automatic stop.
• Email address anomalies. Added hyphens, substituted characters, or different top-level domains are common spoofing techniques. Inspect the full sender address, not just the display name.
• Ambiguous property references. Invoices that reference "Unit TBD" or use an incomplete address may be mass-generated scams sent to multiple title companies.
• Missing or incorrect invoice numbers. Legitimate management companies use sequential invoice numbering. A missing number or a number that does not match the entity's format is a warning sign.

For a broader review of warning signs in HOA transactions, see our article on HOA financial red flags that can kill a closing.

What to Do If Verification Fails

Sometimes verification does not produce a clean confirmation. The known phone number is disconnected. The website is down. The contact on file left the company. When verification fails, the default action is clear: do not send payment.

Escalate Immediately

Notify your escrow manager or operations lead. Failed verification is not a processor-level problem to solve alone. It is a transaction-blocking issue that requires managerial attention and alternative pathfinding.

Attempt Alternative Verification Paths

If the primary contact cannot be verified, try secondary channels. Contact the HOA board president through county records. Ask the listing agent for a direct introduction to the association's treasurer. Check the preliminary title report for alternate contact information. Search state business registration databases for the management company's registered agent.

Inform Transaction Parties

Transparency protects the file and the relationship. Inform the lender, buyer, seller, and agents that HOA payment is pending due to verification requirements. Most parties will respect the caution. The ones who pressure you to skip verification are the ones who will blame you if fraud occurs.

Document the Failed Attempts

Record every attempt you made: the numbers called, the websites checked, the emails sent, and the responses received. This documentation demonstrates due diligence if the closing is delayed and supports your position if a party claims negligence.

Consider Engaging a Specialist

If internal verification fails and the closing timeline is tight, consider routing the file to an external document retrieval specialist with established management company relationships. A provider who already has verified contacts and portal access can often resolve verification gaps faster than an internal team starting from scratch. For more on when external support makes sense, see our guide on HOA Docs Direct vs. DIY document ordering.

Frequently Asked Questions

What is out-of-band verification and why does it matter for HOA payments?

Out-of-band verification means confirming payment instructions through a communication channel separate from the one that delivered them. If you receive wire instructions by email, you verify them by phone using a known number. This matters because fraudsters who compromise an email account can intercept both the original message and any reply sent through the same channel. A separate channel breaks their control.

How do I find a verified phone number for an HOA management company?

Use the association's official website, your company's internal contact database from prior transactions, state business registration records, or the management company's main corporate line. Never use a phone number from an email requesting payment, as it may be controlled by the fraudster. If no official website exists, check county recorder records or contact the association's board president through information on file.

What should I do if the HOA is self-managed and has no official website?

For self-managed HOAs, verification requires extra diligence. Cross-reference the contact against prior transactions in your files. Confirm the board treasurer's identity through county property records or the original CC&Rs. Call the board member at a number obtained from an independent source. If no independent source exists, request documentation such as a signed authorization or bank letter before wiring funds.

Can I rely on a management company's online portal for verification?

Online portals reduce but do not eliminate risk. Portals can be spoofed, credentials can be phished, and portal payment pages can be cloned. Use the portal as one verification channel, but confirm payment instructions through a second independent channel for high-value or first-time transactions. Save portal screenshots and confirmation numbers in the file for audit purposes.

How long should verification documentation be kept in the file?

Retain verification documentation for at least seven years, aligning with standard title industry record retention requirements. This includes call logs, email confirmations, portal screenshots, and checklists. These records support E&O claims, satisfy ALTA Best Practices audit requirements, and demonstrate that your team followed documented procedures if a dispute arises.

What if verification fails and I cannot confirm the contact's identity?

Do not send payment. Escalate to your supervisor or escrow manager immediately. Attempt alternative verification paths: contact the association's board president, check county records for alternate contacts, or reach out to the listing agent for a direct board introduction. If verification remains impossible, document the failed attempts and inform all transaction parties that HOA payment is pending until authentic contact is established.

Key Takeaways

Verification is not a speed bump. It is the control that keeps your company out of the FBI's annual fraud statistics. A disciplined, six-step protocol transforms HOA payments from a point of exposure into a repeatable, auditable process.

• Start with your own files. Cross-reference every payment request against prior transactions. Mismatches in email domains, phone numbers, or bank details are early warning signals.
• Use official sources. Verify contacts through the association's website, state registration records, or county filings. Never trust contact information provided in the payment request itself.
• Call using a known number. Phone verification is the single most effective fraud prevention step. Use numbers from your database or independently verified sources, not from the email.
• Verify out-of-band. Confirm instructions through a separate communication channel. A reply to a suspicious email is not verification.
• Validate bank details independently. Match account numbers against prior transactions, request test wires for new accounts, and implement positive pay controls with your bank.
• Document everything. Call logs, screenshots, checklists, and confirmations belong in the file. Undocumented verification does not exist for audit or E&O purposes.
• When in doubt, stop. Failed verification is a transaction-blocking event, not a problem to work around. Escalate, inform all parties, and pursue alternative paths until authenticity is confirmed.

Teams that build this protocol into their standard workflow do not just prevent fraud. They create defensible audit trails, strengthen lender confidence, and demonstrate the operational maturity that separates professional title operations from the rest of the market.