Wire Fraud in Real Estate Closings: A Step-by-Step Prevention Guide

Step 1: The Compromise

How It Happens

The attack begins weeks or months before closing. The fraudster compromises the email account of someone involved in the transaction — a real estate agent, a title company employee, an attorney, a mortgage broker, or the buyer themselves.

The most common entry point is a phishing email. A title company employee receives what appears to be a routine message — a document to review, a link to a shared drive, a request to update their credentials. They click. The fraudster gains access to their email account.

With email access, the fraudster silently monitors communications. They read every message about every active transaction. They learn the closing dates, the parties involved, the amounts, and the communication patterns. They wait.

How to Prevent It

Email security is the first line of defense but not the last. Multi-factor authentication on all email accounts involved in transactions (agents, title company staff, attorneys, brokers). Phishing-resistant MFA — hardware security keys rather than SMS codes — for staff who handle wiring instructions. Email monitoring for unauthorized login attempts, forwarding rules, and access from unusual locations.

However, email security alone is insufficient because the attacker may compromise any party in the transaction chain. Prevention must extend beyond email.

Step 2: The Surveillance

How It Happens

Once inside the email, the fraudster typically sets up forwarding rules that copy all incoming messages to an external account. They may also create inbox rules that hide certain messages — particularly any messages that might alert the legitimate account holder to the compromise.

During this surveillance phase, the fraudster builds a complete picture of the transaction: the buyer's name and contact information, the property address, the closing date, the expected wire amount, the title company's communication style, the specific employee who will send wiring instructions, and the format those instructions typically take.

This intelligence allows the fraudster to craft a message that is virtually indistinguishable from the real thing — because it mirrors the exact format, tone, and timing the buyer expects.

How to Prevent It

Regular email audit checks for unauthorized forwarding rules, unexpected inbox filters, and login activity from unfamiliar locations. Automated monitoring that flags when email rules are created or modified on accounts involved in active transactions. Periodic credential rotation for staff handling high-value closings.

Step 3: The Spoofed Instructions

How It Happens

At the critical moment — typically one to three days before closing — the fraudster sends an email to the buyer. The email appears to come from the title company or attorney. In some cases, it is sent from the compromised account itself (making it impossible to distinguish from a legitimate message). In others, it is sent from a nearly identical email address with a single character changed.

The email contains wiring instructions directing funds to an account controlled by the fraudster. The message typically includes urgency language: "Please wire by end of business today to avoid closing delays." The formatting, tone, and signature block match previous legitimate communications exactly — because the fraudster has been reading those communications for weeks.

How to Prevent It

This is where identity verification becomes the critical control.

Out-of-band verification of wiring instructions. Before acting on any wiring instructions received via email, the buyer must verify the instructions through a separate communication channel — a phone call to a number obtained independently (not from the email), a secure portal, or an in-person confirmation.

Authenticated wiring instruction delivery. Title companies should deliver wiring instructions through authenticated channels — a secure portal where the buyer must log in with verified credentials, not an unencrypted email. The portal should require the buyer to authenticate their identity before accessing the instructions.

Identity verification of the sender. Before wiring instructions are sent, the title company employee sending them should authenticate through biometric verification. This creates an auditable record that the instructions came from an authorized person — not a fraudster operating from a compromised account.

Step 4: The Wire Transfer

How It Happens

The buyer, believing the instructions are legitimate, contacts their bank and initiates the wire transfer to the fraudster's account. Wire transfers are designed to be fast and irrevocable — features that serve legitimate commerce but benefit fraudsters. The funds typically arrive within hours.

How to Prevent It

Bank-side verification. Banks should flag wire transfers to new recipients that match real estate closing patterns (large amounts, first-time recipients, urgency in the request). Some banks have implemented "cool down" periods for large wires to new accounts, requiring a waiting period or additional verification.

Buyer education. Every buyer should receive a written notice at the beginning of the transaction that the title company will never change wiring instructions via email, wiring instructions will only be delivered through a specific secure channel, the buyer should call a specific verified phone number to confirm any wiring instructions, and any email containing wiring instructions should be treated as suspicious until independently verified.

Pre-registered account verification. The title company's escrow account details should be provided to the buyer early in the process through an authenticated channel. Any instructions that differ from the pre-registered details should trigger immediate investigation.

Step 5: The Extraction

How It Happens

Within hours of receiving the wire, the fraudster moves the funds — typically through a series of international transfers designed to make recovery impossible. The money may pass through multiple accounts across multiple countries before reaching its final destination. By the time the fraud is discovered — usually when the title company reports they never received the wire — the funds are beyond reach.

How to Prevent It

At this stage, prevention has failed and the focus shifts to detection speed. The faster the fraud is detected, the higher the probability of fund recovery.

Immediate confirmation loops. The title company should confirm receipt of the wire with the buyer immediately upon expected arrival. If the wire does not arrive as expected, both parties should investigate immediately — contacting the bank, reviewing the wiring instructions, and checking for email compromise.

Bank notification. The buyer's bank should be instructed to send immediate confirmation of wire execution to the buyer through a verified channel (not the potentially compromised email). Any discrepancy between the intended recipient and the actual recipient should trigger an immediate alert.

The Transaction-Wide Prevention Framework

Wire fraud succeeds because identity is assumed rather than verified at each step. An email that appears to come from the title company is trusted because the sender address looks right. A phone number provided in an email is trusted because it was in the expected format. A wiring instruction is trusted because it arrived when expected.

The prevention framework replaces assumption with verification at every touchpoint.

At listing: Verify the property owner's identity and authority to sell.

At contract: Verify buyer and seller identities through biometric authentication. Establish authenticated communication channels for all transaction parties.

Before closing: Deliver wiring instructions through authenticated channels only. Require out-of-band verification before any wire transfer. Verify the identity of every person sending or approving wiring instructions.

At closing: Confirm receipt of funds immediately. Maintain auditable identity records for every party and every communication.

After closing: Verify identity at recording — confirm that the person filing documents is authorized by the verified parties.