KapacyberKapacyber
Real Estate & Title Cybersecurity Guide·Overview·Wire Fraud at Closing·How Much Does Cybersecurity Cost for a Real Estate Brokerage or Title Agency?·ALTA Best Practices Pillar 3·Hit by Wire Fraud at Closing?·How Real Estate Agent Mailboxes Get Compromised
Threat AlertReal Estate & Title8 min read

Wire Fraud at Closing — How the Scam Works and How to Stop It

Real estate is the FBI's highest-loss target for closing wire fraud. One compromised inbox can cost a buyer their entire down payment. Here's the five-stage kill chain, the warning signs, and the verification procedure that actually defeats it.

Of all the cybercrime that touches small business, closing wire fraud is among the most devastating — because the victim is usually an ordinary buyer making the biggest financial transaction of their life, and because the money is almost never recovered.

The FBI's Internet Crime Complaint Center consistently ranks real estate and rental fraud among its highest-loss categories. The pattern is remarkably consistent: an attacker compromises one email account somewhere in the transaction, watches quietly, and sends fraudulent wiring instructions at exactly the right moment. The buyer wires their down payment to a criminal, and by the time anyone notices, it's gone.

The good news: wire fraud is not a single unstoppable event. It's a chain of five stages, and breaking any one of them makes the fraud fail. Understanding the chain is the first step to defeating it.

The Five-Stage Kill Chain

1

Reconnaissance

Attackers find deals heading to closing. Public listing data, "pending" and "under contract" status changes, and agents' own social media announcements ("Just got my buyers under contract!") tell an attacker exactly which transactions are live and who is involved.

2

Inbox compromise

A phishing email — often a fake Microsoft 365 or DocuSign login — harvests the password of one person in the transaction. It might be the agent, the assistant, the transaction coordinator, the title officer, or the lender. Any one inbox is enough.

3

Patient surveillance

The attacker doesn't act immediately. They read the deal thread, set a quiet inbox rule to hide their tracks, and learn the timeline, the parties, the tone of communication, and the exact closing date. This phase can last weeks.

4

The lookalike message

Shortly before closing, fraudulent wiring instructions arrive. They come either from a cousin domain (kapacyber-title.com instead of kapacybertitle.com) or directly from the genuine compromised inbox. The email matches the deal's tone, references real details, and looks completely legitimate.

5

The irreversible wire

The buyer wires their down payment — often their entire life savings — to the attacker's account. The funds are moved through mule accounts and offshore within hours. Recovery is rare and depends on flagging the fraud within a very short window.

Why It Works So Well

Closing wire fraud succeeds because real estate transactions create the perfect conditions for it:

  • A large sum moves on a known date. The attacker knows roughly how much and exactly when.
  • Many parties, lots of email. Buyer, seller, two agents, title, lender, sometimes attorneys — all emailing under deadline pressure.
  • Wiring instructions are expected. Nobody is surprised to receive them, so a fraudulent set doesn't raise an alarm.
  • The buyer has no baseline. Most people buy a handful of homes in a lifetime. They don't know what a normal closing communication looks like.
  • The money is fast and final. Wires settle quickly and are extremely hard to reverse once the funds are pulled.

The Warning Signs Everyone Should Know

Every person in a transaction — agents, staff, and especially buyers — should be able to recognise these red flags:

  • Wiring instructions that arrive or change by email, especially close to the closing date
  • A new email thread for wiring instructions rather than a reply within the existing deal thread
  • Pressure or urgency — "the wire must go today to close on time"
  • A sender address that is subtly different from the one used earlier in the transaction
  • Bank account in a different name, or a different state, than the title or escrow company
  • A request to keep the wire "confidential" or not to call to confirm
  • Instructions that arrive after hours or just before a weekend
  • Any change at all to previously provided wiring details

The single most important rule: wiring instructions never legitimately change by email alone. Any change, or any first set of instructions that arrives only by email, must be verified by an independent phone call before a cent moves.

What Buyers Should Do

If you are buying a property, this is the procedure that protects your money:

  • 1
    Before the transaction begins, get verified wiring instructions in person or over a phone call you initiate to a number you looked up independently
  • 2
    Treat every emailed change to wiring instructions as fraud until proven otherwise
  • 3
    Call the title or escrow company to confirm — using a number from their official website or a business card, never a number from the email
  • 4
    Confirm the receiving bank account name matches the title/escrow company
  • 5
    After wiring, call the title company within hours to confirm the funds arrived
  • 6
    If anything is wrong, contact your bank immediately and ask for a wire recall, then file with the FBI IC3 — speed is everything

What Brokerages and Title Companies Should Do

The buyer is the last line of defence — but the firms in the transaction are responsible for the first lines. A real wire-fraud defence at a brokerage or title agency includes:

  • MFA on every email account — agents, assistants, coordinators, title officers. This single control stops most inbox compromises.
  • Email security that flags newly registered and lookalike domains before staff ever see the message
  • DMARC, DKIM, and SPF at enforcement so attackers can't spoof your own domain to your clients
  • A documented, trained wiring-instruction verification procedure — not a disclaimer line
  • Verified contact numbers exchanged with clients at the start of the engagement, in person where possible
  • Endpoint detection & response on every device, so a compromised machine is caught fast
  • Regular review of mailbox rules — attackers create hidden forwarding and filing rules to stay invisible
  • Closing-fraud-specific awareness training and phishing simulations for every agent and staff member

Why "We Tell Clients to Verify" Isn't Enough

Almost every brokerage and title company already includes a warning in its email footer: "We will never change wiring instructions by email. Always call to verify." That disclaimer is not a control. Here's why:

  • When an attacker controls the inbox, they simply delete or rewrite the disclaimer
  • Buyers skim. A footer warning competes with a dozen other footer lines
  • It puts the entire burden on the least-prepared party — the buyer
  • It doesn't prevent the inbox compromise that started the whole chain

A genuine defence is a trained, documented procedure: verification numbers exchanged in advance, a scripted callback that staff actually perform, and a culture where any change to wiring instructions triggers a stop. Combined with MFA and email security that prevents the inbox compromise in the first place, that is what defeats wire fraud.

If a Wire Has Already Gone Out

Speed is everything. If you suspect a fraudulent wire:

  • Contact the originating bank immediately and request a wire recall / SWIFT recall
  • File a complaint with the FBI's IC3 at ic3.gov without delay — the IC3 Recovery Asset Team can sometimes freeze funds if alerted fast enough
  • Contact your local FBI field office
  • Notify everyone in the transaction so no further funds move

Recoveries do happen — but almost always when the fraud is reported within the first 24 to 72 hours. After that, the money is usually gone.

The Bottom Line

Closing wire fraud is preventable. It depends on a chain of five stages, and the controls to break that chain — MFA, email security, domain authentication, and a trained verification procedure — are neither exotic nor expensive. What they require is treating wire-fraud defence as a core operating discipline of the brokerage or title agency, rather than a footer disclaimer and a hope.

This article is general information, not legal or financial advice. Confirm specific obligations with qualified counsel, your title underwriter, and your E&O carrier.

Related reading: the SMB BEC guide, the MFA rollout primer, and the phishing techniques targeting your team.

Real Estate & Title

Get the free Closing Wire-Fraud Verification Procedure.

Controls mapped to every stage of the 5-stage kill chain, a printable buyer-side verification script with red flags and IC3 reporting, and a 9-control brokerage / title-agency stack.

Get the free procedure

Free Wire-Fraud Risk Assessment

We map your brokerage or title agency against the closing wire-fraud kill chain and hand you a one-page gap list. Brokers and agency principals only.

Get Free Assessment
← Back to Security Insights