A buyer sits down to wire a down payment. The instructions came by email from the title company, on the right letterhead, in the middle of an existing thread. The buyer sends the money. Within minutes it is gone, moved through a mule account and out of reach. No malware, no dramatic breach. Just a quiet email that was not what it appeared to be.
This is business email compromise, and in real estate, it has become one of the most damaging financial crimes a title or settlement company can be adjacent to. The uncomfortable part is that the victim is often the buyer, but the reputational and legal fallout lands on the closing table. If it happened on your wire, it becomes your problem.
The Numbers are Moving in the Wrong Direction
The FBI's Internet Crime Complaint Center tracks this, and the trend is stark. In its 2024 Internet Crime Report, the bureau logged a record $16.6 billion in reported losses, a 33 percent jump over the prior year. Business email compromise, the engine behind most real estate wire fraud, accounted for $2.77 billion of that. Real estate and rental fraud specifically drew 9,359 complaints and more than $173 million in reported losses in a single year.

The FBI has been blunt about the scale of the underlying scam, calling business email compromise a $55 billion problem over the past decade in a public service announcement. Real estate closings are a favored target for a simple reason: the dollar amounts are large, the timing is predictable, and the parties rarely talk to each other by any channel except email.
Two details in that report should reframe how any closing operation thinks about risk. First, the average reported loss across all internet crime climbed to roughly $19,000, but real estate wire fraud routinely runs into six and seven figures because it targets the entire down payment or purchase amount at once. Second, these are only the crimes victims reported. The FBI has long noted that its figures understate the true total because embarrassment and uncertainty keep many victims from ever filing. The real exposure is larger than the numbers suggest, and it is concentrated at precisely the moment a buyer is most trusting and most rushed.
How the Attack Actually Works
Real estate wire fraud is patient and precise. It usually unfolds in four stages, and understanding them is the first step to breaking the chain.
1. The compromise
An attacker gains access to an email account somewhere in the transaction, such as an agent, a lender, a paralegal, or the title office itself. Credential phishing is the common entry point, which is why weak logins and missing multi-factor authentication remain the single most exploited gap. We covered the cost of that specific failure in The Expensive Truth About Weak SMB Logins.
2. The surveillance
The attacker does not act immediately. They read. They learn the deal timeline, the parties, the tone of the correspondence, and the expected closing date. Modern phishing is context-aware and mimics internal communication convincingly, a shift we detailed in Spotting Phishing in 2025.
3. The switch
Days before closing, the fraudulent wire instructions arrive, or the real ones are quietly altered. The email looks legitimate because, from a compromised account, it is legitimate. The account number is the only thing that changed.
4. The transfer
The funds move to a mule account and are rapidly dispersed. Speed is everything. The FBI's Recovery Asset Team recovered or froze roughly two-thirds of the funds it was able to act on in 2024, but only when the fraud was reported almost immediately. Most victims discover the loss days later, when the money is already gone.
The Controls That Stop It (Before Closing Day)
Wire fraud is preventable, but not by a single tool. It takes a layered program that assumes email will eventually be compromised and refuses to let that compromise reach the money.
Independent, out-of-band verification
The non-negotiable control is confirming every wire instruction through a channel separate from the one that delivered it. If instructions arrived by email, verify by a phone call to a number you already had on file, never a number in the email. The American Land Title Association's wire fraud guidance makes independent verification a core expectation, and it is embedded in ALTA Best Practices. This one habit defeats the majority of attacks on its own.
Email security and identity hardening
Multi-factor authentication on every mailbox, credential monitoring, and email authentication protocols close the door the attacker uses to get in. For firms that also run client portals, the MFA and single sign-on baseline for advisor portals applies just as directly to a settlement operation.
Business continuity, because a stalled closing is its own loss
Wire fraud is one failure mode. A title search system outage or a ransomware event at the wrong moment can kill a closing just as effectively. A purpose-built continuity plan keeps a bad day from becoming a lost deal and a lost referral network. Our Business Continuity and Disaster Recovery practice is built around exactly that risk.
The human layer: your closing team is the last line
Technology closes most of the gap, but people close the rest. The staff member who takes the verification call, notices that wire instructions changed at the last minute, or pauses on an unusual sense of urgency is often the final control that works when everything else has been convincingly spoofed. That instinct is trained, not assumed. Closing coordinators, escrow officers, and front-office staff should be able to recognize the specific pressure tactics attackers use around a closing date, and they should have explicit permission to slow a transaction down to verify. A culture where questioning a wire is rewarded rather than treated as friction is worth more than any single piece of software. This is the same discipline we describe in the five essential IT habits that prevent security risks.
Recovery and Liability After the Money Moves
Speed decides whether stolen funds come back. The FBI's Recovery Asset Team uses a process it calls the Financial Fraud Kill Chain to freeze fraudulent transfers, and it succeeds far more often when the fraud is reported within hours rather than days. The practical implication for a title or settlement firm is that an incident response plan has to name the steps in advance: who contacts the originating bank, who files with the FBI's Internet Crime Complaint Center, and who notifies the affected parties. Improvising that sequence after a seven-figure wire has vanished wastes the window that recovery depends on.
The liability question is where firms are often surprised. Even when the buyer initiates the transfer, litigation frequently follows the party whose email was compromised or whose instructions were impersonated. Legal fees, potential settlements, regulatory attention, and the reputational damage of being the closing where the money disappeared can dwarf the wire itself. That is the same logic behind treating cybersecurity as an investment rather than overhead, which we walk through for financial firms in the cost of compliance versus the cost of a breach.
Where This Connects to Your ALTA Audit
Wire fraud prevention is not a standalone project. It lives inside the information security and settlement expectations that ALTA Best Practices already ask title agencies to meet. If you are preparing for a review, our 2026 audit readiness checklist for title agencies maps the controls auditors want to see, and the wire verification and email security measures above are a direct part of that evidence file. The same underwriting scrutiny is showing up in cyber insurance, a trend we tracked in the 2024 carrier checklist for financial firms.
The Takeaway: The Day of Closing is Too Late
Every control that stops real estate wire fraud has to be in place before the wire is initiated. The verification call, the hardened mailboxes, the trained staff who know a last-minute change of instructions is a red flag, none of it can be improvised on closing day. The firms that treat this as an operating discipline protect their clients, their reputation, and the referral relationships that keep deals coming.
Techvera builds fraud-resistant IT and security programs for title, settlement, and financial services firms, from email hardening and multi-factor authentication to continuity planning and audit-ready documentation. Explore our cybersecurity services and financial services practice to see how it fits together.
Do not wait for a compromised wire to find your gaps. Schedule a wire fraud and continuity readiness review with Techvera.
About the Author
Team Techvera
Techvera Team
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
