Cyber security for diaspora Greek property owners.
The specific cyber-risks targeting overseas-based Greek property owners in 2026, and the practical defences. AADE Taxisnet portal protection, Greek banking hygiene, smart-home device security, communication-channel verification, and the password-and-2FA setup that handles 95% of the threat surface.
If you read our scams piece, you'll know that fraud aimed at diaspora property owners is real and patterned. A meaningful slice of that fraud now happens digitally — phishing emails impersonating AADE, compromised email accounts of professionals being used to intercept wire transfers, smart-home device credentials being scraped from leaked databases. None of this requires sophisticated technical skill to defend against, but it does require deliberate hygiene that most diaspora owners haven't set up.
This article is the practical checklist. Not a deep-security treatise — a working set of defences for non-technical owners.
The five accounts that matter most
For a typical diaspora Greek property owner, these are the digital accounts whose compromise would cause the most damage:
- AADE / Taxisnet portal — the master gateway to your Greek tax position, E9 declaration, property records, and tax representative appointments
- Greek bank account online banking
- Home-country bank account online banking (the source of any large euro transfers)
- Email account used for Greek property communications — typically your main personal email, which receives everything from lawyers, accountants, building managers, and contractors
- Smart-home device management accounts (if applicable) — Shelly, Sensibo, Aqara, etc.
Defending these five well covers the vast majority of practical risk surface for diaspora property owners. Everything else is secondary.
Foundation layer — the things to do once
1. Unique passwords for every account, managed in a password manager
The single highest-impact intervention. Use 1Password, Bitwarden, or Apple's Keychain (if you're an Apple-only user). Reasons:
- One compromised password no longer cascades into your other accounts
- You can use long, random passwords for each (24+ character random strings) which are essentially impossible to brute-force
- You can store secure notes alongside passwords (recovery codes, bank account numbers, IBAN details)
- You can share specific credentials with your accountant or family member where needed without exposing your master account
Cost: €30-€60/year for 1Password or Bitwarden Premium. Free for Apple Keychain or Bitwarden basic. The hardest part is the initial setup (migrating existing passwords); 1-2 hours of work for a typical diaspora owner.
2. Two-factor authentication on every account that offers it
Required for: AADE, Greek bank, home-country bank, primary email. Strongly recommended for: smart-home accounts, social media if used for Greek family communication.
2FA methods, most preferred first:
- Authenticator app (Google Authenticator, Authy, 1Password's built-in) — preferred. Codes generated on your device, not transmitted
- SMS to Greek mobile number — required for AADE and Greek banks. Acceptable if you have a Greek mobile that you control
- SMS to international mobile — sometimes the only available option for older Greek services; less secure than authenticator apps but better than no 2FA
Important note for diaspora owners: AADE Taxisnet 2FA defaults to SMS to your registered Greek mobile. If your registered Greek mobile is your deceased parent's still-active SIM, or a SIM you no longer have access to, you're at risk of being locked out of your own AADE account. Update the registered number to one you actually control.
3. Recovery codes saved securely
Every 2FA setup produces backup recovery codes. Save them in your password manager (encrypted) and ALSO print them and store the printout in a secure physical location. Without these, losing your phone means losing access to accounts.
4. Account-recovery email and phone numbers updated
For each major account, confirm the recovery email and phone number are current and accessible to you. The most common diaspora-owner lockout situation: account recovery info still points to a 2010-era email address you no longer use.
The AADE portal — specific guidance
Your Taxisnet credentials provide access to your E9 declaration, ENFIA, tax filings, and the authority to designate or remove your tax representative. Compromise here is materially damaging.
Hygiene specific to AADE:
- Strong unique password, in password manager
- 2FA enabled, registered to a Greek mobile number you actively control
- Login activity reviewed periodically — AADE shows login history; check for unfamiliar entries
- Tax representative appointment carefully managed — don't grant more access than necessary, periodically review
- Forward suspicious "AADE" emails to your tax representative for verification before any action. AADE essentially never emails property owners directly about urgent matters
- Set up account-alert notifications where AADE offers them (varies by service area)
Greek banking — specific guidance
Greek banks (National Bank, Eurobank, Piraeus, Alpha) all support modern 2FA in 2026. Best practices:
- Mobile-app authentication for transactions where available (lower friction than SMS, more secure)
- Transaction-amount thresholds set — many Greek banks let you cap per-day transfer limits; set conservative values, raise temporarily when needed
- SEPA wire confirmation by voice for transfers above €10,000, especially to new beneficiaries
- Statement notification alerts on every transaction
- Email-based phishing skepticism — Greek banks essentially never email account-action links; they use the app or the secure-message inbox inside online banking
Email account hygiene
The most-overlooked risk surface. If a bad actor compromises your primary email, they can:
- Reset passwords on most other accounts (the email is the recovery channel)
- Impersonate you to your Greek lawyer or accountant
- Insert themselves into ongoing transactions with new bank details
- Access historical email content with bank statements, contract documents, ID copies
Defences:
- Strong unique password + authenticator-app 2FA (not SMS for your primary email)
- Hardware security key for primary email (YubiKey ~€55) if you're particularly exposed — the gold-standard defence
- Suspicious-login alerts enabled
- Sensitive past emails moved to encrypted storage or deleted after backup — bank statements from 2018 sitting in your inbox don't need to be there
- Email forwarding rules reviewed periodically — a common attack technique is to set silent forwarding rules to intercept future emails
Smart-home device security
If you've installed any of the smart-home equipment from our smart home piece, basic hygiene:
- Default device passwords changed at install — never leave router admin / Wi-Fi / smart-home app passwords at factory defaults
- Smart-home devices on a separate Wi-Fi network (IoT VLAN) from your main devices when possible — limits the blast radius of any single compromise
- Firmware updates kept current — most reputable manufacturers (Shelly, Aqara, TP-Link, Sensibo) push security updates regularly. Enable auto-update where available
- Camera positioning thoughtful — avoid positioning cameras in bedrooms or bathrooms; cameras should be at entry points and common areas only
- Camera-feed encryption enabled (default on reputable brands)
- Account 2FA on smart-home cloud accounts
The communication-channel verification protocol
From our scams piece, the modern wire-transfer-interception scam typically works through the compromised email accounts of professionals (lawyer, accountant, agent) — a bad actor inserts a fake "updated bank details" email shortly before a transaction.
The defence is simple but only works if you actually do it:
- For any wire transfer to any account number, verify the IBAN by voice call to a known phone number for the recipient
- "Voice" means phone or video call — not a WhatsApp text message that could itself be from a compromised account
- "Known phone number" means the number you have on file from a prior trusted interaction — not the number in the suspicious email
- For transactions above €5,000, this protocol is non-negotiable
- Any urgency pressure (act today, act in next hour) is a flag, not a reason to skip verification
This single rule, consistently applied, prevents almost every modern wire interception. The half-hour of friction it adds is genuinely worth it for any significant transaction.
The annual review
Once a year (we suggest tying it to your annual tax filing or another natural calendar marker), spend 60-90 minutes on a structured review:
- Password manager: how many weak/reused passwords does it flag? Update the worst
- 2FA: is it enabled on AADE, both banks, primary email? If not, fix
- Account recovery info: still current and accessible?
- Connected apps: review what apps have access to your primary email account, your banking, your AADE. Revoke anything you don't recognise or no longer use
- Login activity: scan AADE, banks, email for unfamiliar logins
- Tax representative access: still the right person? Still appropriately scoped?
- Smart-home firmware: device dashboard check — any devices needing update?
One annual session handles 95% of the maintenance burden of cyber hygiene.
What to do if you suspect a compromise
If you discover or suspect any of the five major accounts is compromised:
- Change the password immediately from a known-clean device (different from any device that may be compromised)
- Force-logout all active sessions (most services offer this)
- Review recent account activity for unauthorised transactions/changes
- Reset 2FA — generate new recovery codes, deauthorise old devices
- For Greek banking: phone your bank's fraud line; for AADE: contact your tax representative
- Review email for forwarding rules or filter changes (common attack persistence technique)
- Review other accounts whose recovery channel was the compromised email — change those passwords too
- If significant unauthorised activity occurred: file a police report (μήνυση) at your nearest Greek police station, particularly if Greek-side financial fraud is involved
How home watch fits
We're not cyber security specialists. What we do as part of the property service:
- Verify any unusual communication purporting to be from your usual lawyer/accountant/agent through alternative channels before acting
- Follow the voice-verify protocol on any change of payment details for our own invoicing
- Use our own secure systems for client communication and document storage
- Flag suspicious communications you forward to us
- Maintain our own access to your property in physical-key form, not just digital — so a smart-lock account compromise doesn't lock us out
For property owners interested in a deeper cyber-security setup, we can refer you to specialists who do this professionally. Just ask.
Companion reading: Greek property scams, property security, smart home tech.
That's the highest-ROI 2 hours of your life. After that, everything else is incremental.