August 7, 2025 | New York City
Milford Entities, a major owner of upscale residential buildings in Battery Park City, has reportedly fallen victim to a $19 million phishing scam. Cybercriminals posed as the Battery Park City Authority (BPCA), successfully intercepting quarterly PILOT and ground-lease payments collected from condo owners — funds typically managed and transferred by Milford. The incident occurred in July and is currently under federal investigation, led by the Department of Homeland Security.
The scam exploited the unique PILOT (Payment In Lieu Of Taxes) structure in Battery Park City, which functions similarly to a property tax system. Milford oversees more than 2,000 residential units and acts as the intermediary for significant fee transfers to the BPCA. Although the BPCA confirmed it never received the funds and was not directly affected, the fallout has shaken the neighborhood’s condo boards — one reportedly lost $3.5 million in the process.
This unprecedented cyberattack has raised alarm bells across the real estate community. The BPC Homeowners Coalition issued a warning to residents, urging tighter cybersecurity measures, as digital threats continue to evolve alongside real estate payment systems. Experts are now emphasizing that real estate firms, especially those handling large sums and automated transactions, must treat cybersecurity as a top operational priority.
The breach mirrors a broader trend of increasing cyber threats in the real estate sector. In a related incident, a Connecticut homebuyer lost nearly $600,000 last year due to compromised legal communications. As real estate transactions become more digitized and involve more stakeholders, the industry is being called to adopt advanced security protocols to protect both firms and residents from similar attacks.