Wire Fraud in Real Estate Closings: How SMBs Lose $98,000 in a Single Email

A real estate agent in suburban Ohio receives an email from her title company — legitimate-looking domain, perfect formatting, the same signature block they’ve always used. The message says wire instructions have changed. New account, please update. The agent forwards it to her buyer. The buyer wires $215,000. Three days later the title company says they never sent it.

The funds are gone. The deal is dead. The buyers lose their deposit. The agent faces a lawsuit. Nobody hacked a server. Nobody installed malware. One email. One human moment of trust. $215,000 evaporated.

This is wire fraud in real estate closings, and it’s one of the most financially devastating cyber threats facing home buyers, sellers, agents, and title companies in 2026.

Real estate transactions are uniquely vulnerable because they combine three conditions that attackers love: large dollar amounts, strict time pressure, and multiple parties communicating across different platforms with no standardized verification process. The FBI’s Internet Crime Complaint Center (IC3) tracks real estate and rental wire fraud as one of its highest-growth categories, with individual losses averaging $98,000 to $125,000 per incident for buyers and agents.

This guide breaks down exactly how these attacks work, the five most common patterns targeting real estate professionals, and the practical 8-point defense playbook that any brokerage or title company can implement this week.

Why Real Estate Closings Are a Wire Fraud Target

No other consumer transaction involves wiring six or seven figures to an account you’ve never used before, on a deadline, based on instructions in an email.

Here’s the anatomy of what makes a real estate closing so vulnerable:

Large, time-sensitive money movements. A $350,000 wire transfer is routine in real estate. The closing date is fixed. The agent, buyer, and seller are all under pressure to close on schedule. Urgency is built into the process — attackers exploit it.

Multi-party communication chains with no single authoritative channel. Title companies, agents, lenders, attorneys, and buyers all communicate via email, phone, and text throughout a transaction. There’s no standard “verified instructions” channel. Attackers study the chain and insert themselves at the weakest link.

Low security awareness in the industry. Real estate agents are salespeople, not security professionals. Title company employees are rarely trained in social engineering detection. The assumption that “our email system is safe” is common and dangerous.

No standard verification protocol exists. In financial services, dual authorization and callback verification are standard. In real estate, wire instructions arrive by email, and it’s normal to act on them without a separate confirmation call. Attackers count on this.

CertifID’s 2024 State of Wire Fraud Report found that 73% of real estate professionals had received at least one suspected wire fraud attempt in the prior 12 months. Only 31% of those attempts were reported to law enforcement.

The 5 Most Common Real Estate Wire Fraud Patterns

1. Email Interception and Spoofing (Most Common)

The attacker gains access to or spoofs the email account of a real estate agent, title company, or lender. They monitor communications until they identify a closing date, then send updated wire instructions to the buyer at the critical moment.

This works because most wire fraud happens in the final 24-48 hours before closing, when buyers are most focused and least suspicious. The attacker has been watching the transaction for weeks. They know the parties, the amounts, the timeline. They know when to strike.

The spoofed email address often looks legitimate — info@titlecompany.com vs. info@title-c0mpany.com — and the wire instructions look professional, with routing numbers and account details that are plausible.

Source: FBI IC3 2023 Annual Report, https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf

2. Compromised Title Company or Agent Email

Attackers specifically target title companies and law firms because they handle the most sensitive financial communications in a transaction. A successful compromise of a title company email account gives attackers a full view of every active transaction, closing dates, and buyer information.

NAR’s own Cybersecurity Checklist for real estate professionals names email compromise as the #1 threat to real estate transactions and recommends multifactor authentication on all email accounts that handle transaction communications.

Source: NAR Cybersecurity Checklist, https://www.nar.realtor/law-and-ethics/cybersecurity-checklist-best-practices-for-real-estate-professionals

3. Fake Wire Transfer Instructions via Text or Phone

After a successful email compromise, attackers sometimes follow up with a phone call or text purporting to be from the title company, confirming the wire instructions. The timing is deliberate: the buyer is expecting a call from their agent or title rep. The attacker spoofs the caller ID to match.

4. Phishing of Real Estate Agents — Credential Harvesting

Agents are high-value targets because their email accounts link to active transaction chains. A phishing email impersonating a Matrix or Dotloop notification harvests the agent’s Microsoft 365 or Google credentials. The attacker logs in, maps the transaction communications, and executes the wire fraud from inside the agent’s own email account.

5. Malicious Link in DocuSign or Closing Document Requests

Attackers send fake DocuSign or closing document requests with embedded malicious links. Clicking the link routes the victim to a credential-harvesting page disguised as a real estate software login. This is particularly effective because real estate professionals receive genuine DocuSign and Dotloop requests constantly — they’re conditioned to click these links without scrutiny.

Real Case Study: How $198,000 Disappeared in 72 Hours

The following is based on published incident reports. Names are changed for privacy.

The transaction: 421 Oak Street, Maplewood, NJ. A first-time home buyer, Sarah Chen, is purchasing a $395,000 condo. Closing is scheduled for Friday at 2pm. Sarah has wired $98,000 in earnest money to the title company’s escrow account. She’s about to wire the remaining $297,000 balance.

Monday morning — The compromise: The title company’s email account is compromised via a phishing email sent to a junior processor. The attacker has been monitoring the account for three weeks. They know about the 421 Oak Street deal, the closing date, the parties involved, and the amounts.

Thursday afternoon — The strike: Three hours before closing, Sarah receives an email from the title company with updated wire instructions. The email says the routing number and account have changed due to a system migration. It includes a new account number and asks her to confirm receipt.

The email comes from the legitimate title company address. The formatting matches exactly. There’s a phone number at the bottom with a local area code.

Sarah calls the number. A helpful voice confirms the new routing information and assures her everything is fine. Sarah wires $297,000 to the new account Thursday afternoon.

Friday morning — Discovery: The real title company coordinator calls to confirm final wire details. Sarah says she already sent it. The coordinator says they never changed their routing information.

The funds were moved through a mule account within 90 minutes of receipt. By the time the wire was traced, the money had been overseas for 48 hours.

Total losses: $297,000 wired to fraud accounts, $0 recovered. Sarah lost her $395,000 home purchase. Her earnest money was also at risk (eventually recovered after months of negotiation). The title company faced a lawsuit from the buyer. The agent faced a negligence claim from both parties.

One email. One phone call. $297,000 gone.

What the FBI Says About Real Estate Wire Fraud

The FBI’s 2023 Internet Crime Report specifically calls out real estate wire fraud as one of the highest-value, highest-volume fraud categories tracked by IC3. Key findings:

• Non-payment/shipping fraud and BEC (which includes real estate wire fraud) accounted for over $2.9 billion in adjusted losses in 2023
• Real estate victims in 2023 reported losses averaging $98,000 per incident (IC3)
• Buyers aged 30-49 were the most frequently targeted demographic, with higher average losses than any other age group
• Only 8% of real estate wire fraud victims reported the crime to law enforcement within 24 hours — the critical window for fund recovery

The IC3 recommends that any real estate professional or buyer who receives wire instructions via email call the sender at a known, verified number before initiating the transfer. ALTA (American Land Title Association) recommends using a dedicated wire verification callback procedure and confirming wiring instructions with two independent communication methods before any transfer.

Source: ALTA Wire Fraud Prevention Best Practices, https://www.alta.org/business-operations/operations/information-security

The 8-Point Defense Playbook for Real Estate Brokerages and Title Companies

1. Implement and enforce a dedicated wire verification callback procedure

Every wire transfer request sent via email must be confirmed via a direct, out-of-band phone call to a known and verified number. This means: the buyer calls the title company using the number on the title company’s official website or a business card, not the number in the email. The agent should never be the intermediary for this call.

ALTA recommends this as the minimum standard for all title and settlement companies.

2. Never send wire instructions via email alone

If you must send wiring instructions by email, follow it with a phone call and a written notice alerting recipients that wire fraud is common and instructing them to verify via a separate channel. Many title companies now add a prominent warning banner to all email communications that says: “We will never change wire instructions via email. Call us at [number] to verify.”

3. Train every agent, assistant, and processor on email security

Brokerages and title companies should run quarterly phishing simulations for all employees who handle transaction emails. Focus on the specific lures used in real estate: fake DocuSign requests, fake Dotloop notifications, impersonation of title reps and lenders. Agents should verify any email that asks for login credentials or asks them to click a link to view transaction documents.

4. Enable MFA on every email account in your brokerage

Every email account that handles transaction communications should have phishing-resistant MFA enabled. This includes agent email accounts, title company accounts, and any shared inbox used for transaction management. CISA’s phishing-resistant MFA guidance names FIDO2 security keys and passkeys as the only methods that fully block AiTM-style email interception attacks.

5. Set up domain-level email authentication (DMARC, SPF, DKIM)

DMARC prevents attackers from spoofing your domain in phishing emails. Set your policy to “reject” or at minimum “quarantine.” This protects your clients from receiving fake emails that appear to come from your address.

6. Establish a transaction-level security protocol with your title company and lenders

Before any transaction begins, agree on a security protocol: what verification methods you’ll use, who calls whom, what the escalation path looks like. Share this protocol in writing with every party to the transaction at the outset.

7. Educate your buyers and sellers directly — with a written warning

Many brokerages include a wire fraud warning in their buyer representation agreement or closing documents. Make it explicit: “We will never change wire instructions via email. If you receive updated wiring instructions, call your agent and title company at known numbers before sending any funds.”

Buyers who receive this warning before closing are far less likely to fall for a wire fraud email. The NAR and ALTA both publish sample wire fraud warning language you can use.

8. Report every attempt — successful or not

IC3.gov allows you to file a report even for attempted fraud. If you receive a suspicious email, report it. Time is everything in wire fraud: the faster law enforcement knows about it, the better the odds of tracing and freezing the funds before they leave the U.S. financial system.

What to Do If You’re Caught in a Wire Fraud Incident

If you or your client has wired money to a fraudulent account:

1. Call your bank immediately. Request a wire recall. If the wire is domestic, there may be a window to freeze the funds.
2. File a report at IC3.gov immediately. Include all communication, wire confirmation, and routing information.
3. Contact your local FBI field office. They have dedicated agents for financial cybercrime and can sometimes act faster than the online reporting system.
4. Contact your state’s real estate commission. Some states have specific guidance and resources for real estate wire fraud victims.
5. Do not assume the attacker is done. If they accessed your email, they may still be in your system or have access to your contact list. Change credentials, enable MFA, and audit mailbox rules immediately.

The Bigger Picture: Why Real Estate Cybersecurity Matters Now

Real estate transactions are increasingly conducted online, and the industry has not kept pace with the security posture of the financial institutions it interfaces with. Title companies, brokerages, and agents are not banks — they don’t have the same regulatory requirements or security infrastructure. But they handle the same dollar amounts.

The NAR’s push toward cybersecurity checklists and ALTA’s wire fraud prevention guidance are a start, but the industry still has significant ground to cover. Until wire verification becomes standard practice — not optional — these attacks will continue to succeed.

For individual agents and brokerages: the cost of a wire fraud incident can end a career. The cost of training your team on email verification procedures is a rounding error compared to a $200,000 loss.

Ready to Close the Security Gap?

SecurEveryone works with real estate brokerages, title companies, and independent agents to deliver practical, industry-specific cybersecurity training. Our Real Estate Cybersecurity Training covers the 5 most common fraud patterns, wire verification protocols, email security fundamentals, and incident response planning — all built around real transactions.

See our Real Estate Cybersecurity Training →

• Live instructor-led sessions, no pre-recorded content
• Wire fraud defense protocols your team can implement immediately
• Buyer and seller communication templates with security warnings built in
• Agent and staff phishing simulations to test real-world awareness
• Post-training written summary with specific recommendations

Book a training session →

If you’re an agent or brokerage owner who wants to benchmark your team’s current security awareness, take our free 60-second phishing quiz to see where your team stands.

Or if you want to know exactly how exposed your operation is to these attacks, take our free Cybersecurity Scorecard — it takes 5 minutes and gives you a real-world baseline of your team’s current detection and response ability.

For more on protecting your business from BEC-style email fraud, read our guide: Business Email Compromise: The $2.9B Threat Hitting SMBs Right Now.

Get your free pocket guide

Enter your work email and we'll send the SMB Phishing Defense Pocket Guide — 6 red flags + 5-step incident response playbook.

Send me the pocket guide →

✓

Check your inbox!

Your pocket guide is on its way.

No spam. Unsubscribe anytime. Unsubscribe