Almost every six- and seven-figure closing wire fraud follows the same script, and the first act takes place in the agent's inbox — usually weeks before anyone notices. Understanding how a mailbox gets compromised, and what an attacker quietly does next, is the difference between defending against a single fraudulent wire and defending against the entire campaign.
Here's the kill chain on the agent side, stage by stage — and the four controls that break it at its origin.
The Kill Chain Inside the Mailbox
Phish
A targeted message — fake broker portal, fake MLS notice, fake DocuSign — captures the agent's password on a lookalike login page. Or a reused password from a separate breach lets the attacker straight in.
Persist
The attacker signs in, often from a residential VPN to look normal, and sets up inbox rules: auto-delete password-reset emails, auto-forward specific senders (escrow, lender, title) to an external address, hide messages containing the word 'wire.' The point is to watch the mailbox without the agent noticing.
Observe
They wait. They read active transaction threads, learn the agent's writing style, identify who the buyer is, what stage the deal is at, and when closing wire instructions are likely to be sent.
Strike
Close to the closing date, the attacker either takes over the existing thread or sends a new email from the agent's mailbox to the buyer with 'updated wire instructions.' The buyer wires funds to the attacker's account. Within hours the money is moved on — often to a chain of accounts overseas.
The Quiet Weeks Are What Make This Work
The reason this attack is so effective is the Observe phase. By the time the attacker sends the fraudulent wire instructions, they've been reading the actual transaction for weeks. They know the buyer's name, the property address, the expected closing amount, the lender, the title company, and the agent's writing style. The email that arrives in the buyer's inbox is indistinguishable from the real one — same signature, same tone, same thread history — except for the bank details.
That's also why post-incident review almost always finds the compromise predates the wire by weeks. The fraudulent transfer is the symptom; the mailbox takeover was the disease.
The Four Controls That Break the Chain
MFA on every agent's email — including mobile
App-based or hardware-key MFA on every account that touches email. Modern phishing-resistant MFA defeats the credential capture itself; even basic MFA defeats stolen-password reuse.
Account-compromise monitoring
A security stack that flags impossible-travel sign-ins, new inbox rules, unusual forwarding addresses, and bulk message access. These are the signatures of a live compromise.
Disable legacy auth and personal email
Legacy email protocols (IMAP/POP/SMTP with passwords) bypass MFA. Disable them. And keep agent transaction communications off personal Gmail / Yahoo accounts — there's no enforcement on those.
Out-of-band verification, every time
Even if everything above fails, a strict workflow rule — 'no wire instruction is followed until verbally confirmed by phone to a number we already have' — stops the strike phase from succeeding. Build it into how every closing runs.
How Each Control Maps to the Kill Chain
MFA breaks the Phish stage by making stolen credentials useless on their own. Account-compromise monitoring catches the Persist and Observe stages — the moment a malicious inbox rule appears or an impossible-travel sign-in fires, the rest of the campaign is over. Disabling legacy auth and locking personal email out of transactions removes the bypasses around your controls. And out-of-band wire verification is the backstop that stops the Strike stage even if everything else fails.
Stack all four and you've closed the agent-side door that this fraud relies on. The transaction-side controls — verification scripts, training, the brokerage / title-agency control stack — are covered in "Wire fraud at closing — how the scam works and how to stop it", and the broader BEC (business email compromise) pattern in our business email compromise guide.
If You Suspect a Mailbox Is Compromised
Don't just change the password. Reset credentials, revoke all active sessions, hunt for inbox rules and forwarding addresses the attacker may have set, review login history for the past 30 days, check the sent folder, and consider whether the mailbox contained non-public personal information (NPI) that triggers breach-notification duties. For title agencies that's an ALTA Pillar 3 concern — covered in ALTA Best Practices Pillar 3. If a fraudulent wire already fired, follow the recovery playbook in the first-72-hours wire-fraud recovery playbook.
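One way to hunt for the persistence rules described in the Persist stage and in the monitoring and incident-response controls above, as an added Python example that is not from the article or from any specific mail platform. It assumes the mailbox's rules have already been exported into the simplified record shape below; the brokerage domain and the sample rules are constructed.

```python
# Added example, not code from the article: triage exported inbox rules for the
# persistence patterns described above. Records are constructed; real exports differ.
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example-realty.test"   # assumed brokerage domain
TRANSACTION_PARTIES = ("escrow", "lender", "title")
HIDE_FOLDERS = {"deleted items", "junk", "archive", "rss feeds"}
WIRE_RE = re.compile(r"\b(wire|wiring|routing)\b", re.I)
RESET_RE = re.compile(r"\b(password|reset|security alert)\b", re.I)

@dataclass
class InboxRule:
    mailbox: str
    name: str
    from_contains: tuple = ()   # sender substrings the rule matches on
    text_contains: tuple = ()   # subject/body substrings the rule matches on
    forward_to: tuple = ()
    delete: bool = False
    move_to: str = ""

def triage(rule: InboxRule) -> list:
    """Return the persistence indicators a rule exhibits; empty means benign."""
    findings = []
    ext = [a for a in rule.forward_to if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if ext:
        findings.append("forwards to external address: " + ", ".join(ext))
        if any(p in s.lower() for s in rule.from_contains for p in TRANSACTION_PARTIES):
            findings.append("forward targets escrow/lender/title senders")
    hides = rule.delete or rule.move_to.lower() in HIDE_FOLDERS
    text = " ".join(rule.text_contains)
    if hides and WIRE_RE.search(text):
        findings.append("hides messages mentioning wire/routing details")
    if hides and RESET_RE.search(text):
        findings.append("hides password-reset/security-alert mail")
    return findings

def hunt(rules: list) -> dict:
    """Map 'mailbox/rule name' -> findings for every rule that is not benign."""
    return {f"{r.mailbox}/{r.name}": f for r in rules if (f := triage(r))}

# Constructed sample export: one benign rule plus the three patterns the article describes.
SAMPLE_RULES = [
    InboxRule("agent@example-realty.test", "Newsletters", from_contains=("news",), move_to="Reading"),
    InboxRule("agent@example-realty.test", "Escrow", from_contains=("escrow", "lender"),
              forward_to=("drop@mail-relay.test",)),
    InboxRule("agent@example-realty.test", "Cleanup", text_contains=("wire",), delete=True),
    InboxRule("agent@example-realty.test", "Noise", text_contains=("password reset",), move_to="RSS Feeds"),
]
```

Run `hunt(SAMPLE_RULES)` against a real export and every flagged rule is a candidate for removal and for pulling the mailbox's sign-in history.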
The Bottom Line
Closing wire fraud isn't a wire-day failure — it's a mailbox-security failure that happened to surface on wire day. Put MFA on every agent's email (including mobile), monitor for the signatures of a compromise, close the legacy-auth and personal-email loopholes, and verify every wire instruction out-of-band. That's the agent-side defence; the brokerage- and title-agency-side controls layer on top.
See how we operate that defence for real estate and title firms on the cybersecurity for real estate & title page.
This article is general information, not legal or compliance advice.
Get the free closing wire-fraud verification procedure.
The five-stage wire-fraud kill-chain controls, a buyer-side verification script, the brokerage and title-agency control stack, and ALTA Best Practices Pillar 3 attestation prompts — the controls that defend agent mailboxes and the closings they support.
Could an Attacker Be Reading Your Agents' Email Right Now?
A free 30-minute assessment maps your current MFA, monitoring, and verification process against the four controls above — and surfaces the quiet compromises that are already there.