James Morton had been closing real estate deals for 22 years. He'd seen disputes over square footage, arguments about what stayed and what went, and one particularly memorable incident where the buyer discovered the seller's dog had been using the basement as a bathroom for three years.

But he'd never seen anything like the email that arrived on a Tuesday afternoon in October 2024 — an email that appeared to come from his title company's closing coordinator, with the correct signature block, the correct phone number in the email, and wire transfer instructions for a $1.2 million transaction.

"It looked completely legitimate," Morton told the FBI. "The email address had [titlecompany] in it. The formatting was exactly right. I didn't think twice."

He initiated the wire transfer. By the time the title company called him three hours later to ask where the money was, $1.2 million had been moved twice across international accounts and was gone.

James Morton is not alone. In 2023, the FBI's Internet Crime Complaint Center (IC3) received 1,186 business email compromise (BEC) complaints from real estate professionals, with a total exposed dollar loss of $298,169,110 — an average of $447,000 per incident. Real estate now ranks as the highest-average-loss sector in the entire BEC category, exceeding wire fraud from any other industry vertical.

This guide breaks down exactly how real estate wire fraud attacks work in 2024–2025, the specific tactics that make them so effective, and the verification behaviors that stop them cold.

The Anatomy of a Real Estate Wire Fraud Attack

Most people imagine a real estate wire fraud attack as a single sophisticated email — a hacker who somehow gets into a title company's system and sends a fake wire instruction. That image is mostly wrong.

Real estate wire fraud is a multi-step social engineering operation. Here's the actual kill chain:

Step 1: Reconnaissance

Attackers don't target random real estate agents. They research active transactions. They look for public listing sites, county recorder databases (where deed transfers are recorded), social media posts about pending closings, and LinkedIn profiles that identify active agents by name and transaction volume.

Many agents publicly celebrate closings — including the property address, sale price, and closing date. Attackers collect this information to build a list of active transactions with dollar amounts.

Alternatively, attackers use commodity phishing kits to harvest agent email credentials from fake "RE login" pages, then monitor those inboxes for transaction-related emails.

Step 2: Compromise

The most common entry point is agent email. An agent clicks a phishing link in a fake "MLS notification" or "Docusign update" email. The attacker captures their Microsoft 365 or Google Workspace credentials. Now they have inbox access.

From there, attackers monitor the inbox for keywords related to active closings: "wire instructions," "closing," "earnest money," "funding," "title." They learn the agent's clients, transaction amounts, and communication patterns.

Sometimes attackers compromise the title company's email instead, which gives them even more direct access to transaction coordinators and closing teams.

Step 3: Spoofing

Once attackers have enough transaction context, they send a wire instruction update from a spoofed email address — often a domain with one character different from the real title company domain.

For example: if the real domain is premier-title.com, the spoof might be premier-title.net or premiertit le.com (note the space). In the email client, this looks like a legitimate sender, especially if the attacker has set up the display name to match.

The spoofed email contains updated wire instructions — different routing number, different account — with a plausible explanation ("our bank changed correspondent relationships" or "the wire failed and we need a new account").

Step 4: Pressure

The wire fraud email always includes urgency. "Funds must be received by end of business today to avoid delays." "Closing is scheduled for 2pm — please initiate immediately." The urgency is deliberate: it suppresses critical thinking and pushes recipients to act without calling to verify.

Step 5: Money Movement

The victim's bank sends the wire to the attacker's account. Within minutes — often before the victim has even discovered the fraud — the attacker moves the money again, typically through a domestic money mule account, then to a cryptocurrency purchase, then to an overseas account. Recovery at this point is essentially impossible.

Quick Test

Could your team pass a phishing simulation?

Most SMB teams don't know how bad their phishing exposure is until an attack succeeds. Take 3 minutes to get a real-world baseline of your team's detection ability.

Take the 60-Second Phishing IQ Quiz →

The Title Company Spoofing Problem

One of the most effective real estate wire fraud variants doesn't target the agent — it targets the buyer directly. Attackers send fake wire instructions directly to the buyer, impersonating the title company.

In this scenario, the buyer has no existing relationship with the attacker — so they have no baseline to judge the email's legitimacy. They see an email that appears to be from their title company, with the correct name and a legitimate-looking signature, and they send hundreds of thousands of dollars to the wrong account.

The most famous example of this came in 2018 when the Los Angeles Times reported on a coordinated campaign targeting real estate buyers across the U.S. The campaign used spoofed email domains and fake wire instructions, and it affected buyers across multiple states simultaneously. FBI agents described it as one of the most organized real estate fraud operations they'd seen.

The attack works because real estate buyers receive wire instructions via email as a normal part of every transaction. There's no alternative verification process baked into the process — just an email with account numbers, and a buyer who's conditioned to trust it.

The BEC Variants Targeting Real Estate

Real estate BEC isn't one attack — it's several distinct variants, each with its own approach and target.

Variant 1: The Title Company Spoof

The attacker sends a fake wire instruction update from a lookalike title company domain. The email appears to come from the closing coordinator — real name, real company, fabricated account number. The buyer or agent initiates the wire.

How to spot it: The domain in the email address differs from the real title company's domain by one character, one letter, or uses a different TLD (.net vs. .com, .co vs. .com).

Variant 2: Agent Account Takeover

The attacker compromises an agent's email account, then sends wire instructions from the agent's real email to their real clients. The email comes from the agent's actual account — it passes every spam filter and every sender verification check.

How to spot it: You can't spot it by looking at the email. This is why verification via a known-good phone number — not the number in the email — is the only reliable defense.

Variant 3: Attorney Impersonation

The attacker impersonates the real estate attorney handling the transaction, sending updated wire instructions from a lookalike domain. Particularly effective when the attorney is known to be busy or traveling — reducing the likelihood of a real-time call to verify.

Variant 4: Change of Banking Notice

The attacker intercepts a legitimate wire instruction email and replies with "updated banking details" — changing the routing number and account to their own. Since it's a reply to an existing thread, it appears in the email chain context and suppresses suspicion.

Case Study: The $50M Global Real Estate BEC Ring

In 2020, the FBI and international law enforcement agencies shut down a BEC ring responsible for over $50 million in real estate fraud losses across multiple countries. The operation had dedicated teams for reconnaissance, email compromise, spoofing, and money laundering — a professional criminal enterprise with specialized roles.

What made this ring distinctive was its patience: they monitored inboxes for weeks before sending any wire instructions, learning the communication patterns, transaction terminology, and relationship dynamics of each compromised account. The more they knew, the more convincing the spoofed instructions.

This is the professional threat your team is facing. Real estate wire fraud is no longer amateur-hour phishing — it's organized crime with research, patience, and operational discipline.

The SLAM Method: How to Check Every Transaction Email

Every transaction email you receive should be checked using the SLAM method before any wire instruction is acted on:

S — Sender: Check the actual email address, not just the display name. On mobile, tap and hold the sender name to reveal the full address. Look for character substitutions: l (lowercase L) vs. I (capital i), rn vs. m. If the domain has any variation from the official title company domain you've used before, stop and call.

L — Links: Hover over any link in the email (without clicking). The URL that appears should go to the official domain of the company in question. If the link text says "title company" but the URL goes to something else entirely, it's a trap. On mobile, tap and hold links to reveal the URL.

A — Attachments: Wire instructions should come as text in the email body or a PDF, not a zip file, not an executable. Any attachment asking you to "open to view wire instructions" is a red flag.

M — Message: Urgency is always suspicious. "Funds must be received today" is not something a legitimate title company says in a wire instruction update. Legitimate title companies give you advance notice of wire instructions and give you time to verify.

The Callback Verification Protocol

SLAM alone isn't enough. The only way to definitively verify wire instructions is to call the sender on a known-good phone number — one you've used before this transaction — and confirm the account details verbally.

Here's how to do it correctly:

  1. Get the title company's phone number from a source other than the email you're verifying. This could be their website, a business card you've used before, or a directory listing.
  2. Call the title company directly. Do not call any number provided in the wire instruction email.
  3. Ask to speak with the closing coordinator who sent the wire instruction.
  4. Read back the routing number and account number you received and ask them to confirm.
  5. If they say "we didn't send that," do not send any money. Report the attempt to the FBI at ic3.gov.

Yes, this takes five extra minutes. That five-minute call is the difference between a completed closing and a $1.2 million loss. Make the call.

The Deepfake Variant: Voice Wire Fraud

In 2024, the FBI's IC3 began tracking a new variant: deepfake audio wire fraud. Attackers use AI-generated voice clones — trained on public audio from LinkedIn, podcast appearances, or conference talks — to call real estate agents or buyers and impersonate the other party in the transaction.

The caller claims to be the title company representative or the buyer's agent, says there's an urgent wire situation, and provides new account details over the phone. In at least one documented case, the buyer's "agent" was an AI voice clone placed during a recorded phone call of the original transaction.

The defense is the same: verify via a known-good channel. If someone calls you with urgent wire instructions, tell them you'll call them back — on a number you've used before. If it's legitimate, they'll understand. If it's a deepfake, you've just stopped a fraud.

Training Your Team to Stop Wire Fraud

Most real estate teams have never been trained to recognize wire fraud. They know not to click suspicious links, but they don't have a systematic verification process for wire instructions, and they don't know what the actual attack looks like in their inbox.

SecurEveryone's live coaching sessions include a specific wire fraud drill built for real estate teams. Here's what the session covers:

Sessions are 60–90 minutes and held over Zoom. They're built for real estate transaction teams — agents, transaction coordinators, and administrative staff. The goal is behavioral change, not just awareness.

SecurEveryone

Get your free pocket guide

Enter your work email and we'll send the SMB Phishing Defense Pocket Guide — 6 red flags + 5-step incident response playbook.

No spam. Unsubscribe anytime. Unsubscribe

Book a Session for Your Team →

What to Do Right Now

Before your next closing, do these three things:

  1. Send a wire fraud warning to every active client. One email — "We will never send updated wire instructions without a phone call. If you receive an email with wire instructions, call us directly before sending any money." This alone has stopped real estate wire fraud attempts.
  2. Add the SLAM method to your transaction checklist. Make it a step in your standard process: "Verify wire instructions via callback before initiating transfer." Make it repeatable and documented.
  3. Book a training session. If your team hasn't had wire fraud training, book a SecurEveryone session before your next big transaction. One training session for your transaction coordinator probably costs less than the wire they're protecting.

The $447,000 average loss isn't a statistic. It's what happens when a trained team isn't in place. Fix that before the next deal closes.