Real Estate Wire Fraud Cost the Industry $446M Last Year. Here Is Why

Real estate wire fraud cost the industry hundreds of millions last year. Here is the structural reason and what defenses actually work.

Real estate wire fraud is one of the largest single-pattern loss categories in email-driven crime. The FBI’s Internet Crime Complaint Center has reported real-estate-related business email compromise losses of approximately $446 million in a recent year, with most incidents involving closing-stage wire fraud where the attacker impersonates an attorney, title agent, or escrow officer.

This post is about why the pattern is so consistent year after year and what defenses actually work.

The Structural Reason

Real estate closings have four properties that combine to make wire fraud uniquely effective:

Large transactions. A typical residential closing involves wires of hundreds of thousands of dollars. Commercial closings can run into the millions. The single-incident loss is large enough to make fraud worth attempting.

Tight deadlines. Closings are scheduled. The buyer must wire funds by a specific date. The window for verification is narrow because the closing cannot move. Time pressure reduces verification.

First-time relationships. The buyer often has not corresponded with the title company or closing attorney before this transaction. The communication patterns are unfamiliar. A fraudulent email in this context looks similar to a real one because the real ones look new too.

Multi-party chain of trust. The closing involves the buyer, the seller, the buyer’s agent, the seller’s agent, the lender, the title company, and (in many states) the closing attorney. The buyer is receiving emails from many parties about the closing. A fraudulent email from “the title company” arrives in a context where many real emails from the title company are also arriving. The buyer’s pattern recognition is overloaded.

These four properties make real estate fundamentally different from most consumer email. The defense pattern that works in other contexts (recognize unusual mail, verify before acting) is harder when every email about the closing is from someone you do not know well, all under deadline pressure, all about wire transfers.

How the Attack Typically Runs

The most common pattern:

Step one: monitor the closing. The attacker gains access to email correspondence about the closing. This can happen by compromising a real participant’s mailbox (the agent, the title company, the closing attorney) or by harvesting publicly available information (MLS listings, county records, social media).

Step two: identify the right moment. The attacker waits for the closing to be a few days out, when wire instructions are imminent. The buyer is paying close attention to the closing but has not yet wired the funds.

Step three: send the fraudulent wire instructions. The attacker sends an email to the buyer purporting to be from the title company or closing attorney. The email cites a plausible reason for updated wire instructions: “We need to use a different account for this closing due to a banking change,” or “There was an issue with the previous wire details, please use these instead.” The new wire details are the attacker’s account.

Step four: collect the wire. The buyer wires the closing funds. The attacker withdraws or transfers the funds within hours. By the time the real title company calls the buyer asking why the wire has not arrived, the funds are gone.

Step five: the recovery problem. Wire fraud recovery is difficult. The receiving bank may freeze the funds if notified within hours, but most fraud is detected after the funds have been moved through multiple accounts. The FBI’s IC3 has had some success with rapid-recovery interventions, but the success rate is far below 100%.

What Standard Defenses Do and Do Not Do

A typical title company has Microsoft 365 or Workspace native filtering, possibly Defender for Office 365, possibly a third-party gateway. What each layer does for the closing-wire-fraud pattern:

Native filtering. Catches mass-volume mechanical phishing reliably. Does not catch the precision wire-fraud emails because they are well-crafted, come from non-blacklisted (sometimes lookalike) domains, and contain nothing technically suspicious.

Defender or Workspace Advanced Protection. Adds URL rewriting and impersonation detection. Helps with display-name attacks. The wire-fraud version often passes because the lookalike domain is plausible.

Third-party gateways. Add deeper threat intelligence and sometimes vendor-relationship analysis. The detection rate improves but is not 100% for precision attacks.

Inbox-layer filtering. A filter that asks unknown senders for a small cover charge does not catch the case where the title company’s mailbox has been compromised (the title company is on the buyer’s guest list because they have corresponded). The filter does catch the case where the attack arrives from a completely new lookalike domain at low volume but high precision; it slightly raises the cost.

The honest summary: no single technical layer catches the targeted attack. The closing-stage wire fraud is fundamentally a procedural problem.
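To make the limit concrete, here is a sender-side triage sketch for wire-instruction mail. It is an added example, not code from Rythm or any product named above. The allowlisted domains, sample messages, verdict names and the edit-distance threshold of 2 are all assumptions.

```python
import re

# Assumption: a per-closing allowlist of party domains taken from the contract
# package. These domains and the sample messages below are constructed.
KNOWN_DOMAINS = {"summit-title.example", "harborlaw.example"}
WIRE_CHANGE = re.compile(
    r"(updated|new|revised|different)\s+(wire|wiring|account)"
    r"|wire\s+(instructions|details)", re.IGNORECASE)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]

def skeleton(domain):
    """Fold common visual substitutions (digits for letters, 'rn' for 'm')."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")

def lookalike_of(domain):
    """Return the known domain that `domain` imitates, or None."""
    for known in sorted(KNOWN_DOMAINS):
        if domain != known and (skeleton(domain) == skeleton(known)
                                or edit_distance(domain, known) <= 2):
            return known
    return None

def triage(sender, body):
    domain = sender.rsplit("@", 1)[-1].lower()
    target = lookalike_of(domain)
    if target:
        return ("LOOKALIKE", target)
    if WIRE_CHANGE.search(body):
        # Exact-match known domains land here too: a compromised real mailbox
        # cannot be told apart by sender checks, so the answer is a phone call.
        return ("CALLBACK", None)
    return ("DELIVER", None)

if __name__ == "__main__":
    for sender, body in [
        ("closing@5urnmit-tit1e.example", "Please use these new wire details."),
        ("closing@summit-title.example", "Updated wire instructions attached."),
        ("agent@harborlaw.example", "Closing is confirmed for Friday."),
    ]:
        print(sender, triage(sender, body))
```

The second sample is the case that matters: mail from the real title-company domain that changes wire details gets no better verdict than "call the number on file", which is the procedural control described in the next section.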

What Actually Works: Procedural Defenses

The procedural defenses that genuinely reduce closing-wire-fraud losses:

Phone-only wire instructions. The single most effective control. The title company or closing attorney provides wire instructions verbally on a phone call with the buyer, using a number the buyer was given at contract signing. The buyer is told explicitly: any email purporting to update wire instructions is fraudulent. Verify by phone before acting.

Written buyer warnings at contract. The contract package includes a prominent written warning about wire fraud, the firm’s wire-instruction protocol, and the phone number for verification. The warning is repeated verbally at multiple points in the closing process.

Verification call before any wire. The buyer is required to call the title company or closing attorney to verify the wire instructions immediately before wiring. The call is to a known number, not a number from any email. This adds five minutes per closing and prevents most fraud.

Two-person verification at the title company. Any change to wire instructions communicated to a buyer is approved by two people at the title company. Single-person changes are not made.

Monitoring of the title company’s email infrastructure. The title company is a target. The controls are MFA on all email accounts (hardware keys for the principals), monitoring for unusual access patterns, and prompt response to credential alerts.

Cyber insurance with social-engineering coverage. A policy that covers wire-fraud losses up to a meaningful sub-limit. Most professional liability insurers offer this for real estate and title professionals.

These procedures are not glamorous. They are the actual defenses that reduce losses.

What an Inbox-Layer Filter Adds

Rythm sits at the inbox layer on top of Gmail or Outlook. What it does for real estate wire fraud:

Reduces the volume of cold outreach to the title company and the buyer. Marketing services, lead-gen vendors, software pitches, and conference invitations all decrease meaningfully when unknown senders have to pay a small cover charge. This matters for both sides of the transaction because attention bandwidth is limited.

Reduces the mass version of lookalike-domain attacks. A 1,000-recipient blast at four cents each is $40 instead of $0. The mass version of fraudulent wire-update campaigns becomes uneconomical. A targeted attacker who pays anyway shows up with a PAID label attached. The legitimate title company is on the recipient’s guest list and would not pay a cover charge, so a paid email claiming to be from that title company is itself a visible red flag.

Does not stop the compromised-account attack. When the title company’s mailbox is compromised and the attack comes from inside, no inbox-layer filter helps. The defense is procedural.

The pattern: Rythm collapses the mass version. Procedural verification handles the targeted survivors. The combination is what works.

A Specific Honest Note

Real estate wire fraud is one of the highest-loss email-fraud patterns and one of the hardest to defend against purely with technical tools. The targeted version of the attack defeats most defenses except phone-only verification protocols.

We are not pretending Rythm prevents the targeted attack. The compromised-title-company version walks through any inbox-layer filter because the title company is a known sender. What Rythm does is reduce the volume of mass-impersonation attempts and cold outreach competing for attention, which makes the procedural verification protocols more sustainable.

For the related guides, see vendor impersonation: the quiet phishing vector nobody talks about, wire fraud email scams: an industry-by-industry breakdown, real estate wire fraud and email protection, and email security for mortgage brokers. For the broader frame, see business email compromise survival guide for small businesses. Rythm is $1.65 per month, cancel anytime.