An officer-focused field guide for preventing real estate wire fraud. Anatomy of modern scams, a verification protocol that actually works, client-facing scripts, and an incident response checklist — built for the people who sign the wire instructions, not the people writing press releases about them.
By Tim R., EscrowPilot.ai
Updated April 2026
Business Email Compromise (BEC) is still the single most damaging cybercrime category in the United States. According to the FBI's Internet Crime Complaint Center (IC3), reported BEC losses reached roughly $2.9 billion in 2023, and real estate transactions have been one of the most consistently targeted subsegments for the last five years running.
The mechanics are simple enough that new staff get caught every month: a criminal spoofs or compromises an email account inside a title company, law firm, or lender, waits for a transaction to get close to funding, and sends the buyer's wire instructions with the bank routing number swapped. The buyer wires the money. The money is gone.
What's changed in the last two years isn't the scam — it's the scale, the sophistication, and who's being targeted. Smaller independent escrow companies and solo escrow officers are now specifically targeted because the larger firms have hardened. This playbook is written for them.
A typical attack against an escrow office unfolds in five phases. If you can spot what phase you're in, you can stop it.
Reconnaissance
Attackers scrape MLS, county recorder sites, LinkedIn, and public escrow openings. They identify the buyer, seller, agents, lender, and escrow officer by name. They know your file number before you know they exist.
Access
They gain access to one inbox in the chain — not always yours. It might be the buyer's agent, the lender's processor, the buyer's personal Gmail. They set up auto-forwarding rules and inbox filters so their presence is invisible.
Observation
They watch for weeks. They learn how you write, who you CC, when you send wires, and what language is routine. Some criminals mimic your tone so closely that your own staff can't tell the fraudulent email from a real one.
The strike
Just before funding, the fraudulent email is sent — usually from a domain that looks almost right (escrowpilot.co instead of .ai, or Tim-R@escrow-pilot.ai instead of tim@escrowpilot.ai). It includes a PDF with new wire instructions. The language is urgent but not panicked.
The extraction
The wire goes out. Within minutes, it hits an intermediary bank account. Within hours, it's split into cryptocurrency or money-mule withdrawals. After 72 hours, recovery is extraordinarily unlikely.
If any one of these is present, stop and verify by phone using a number you already have on file — not a number from the email.
Any change to wire instructions mid-transaction — even a single digit.
Urgency language: 'need this before close of business,' 'wire today to avoid delay.'
A domain that's one letter off, uses a hyphen, or ends in .co / .us / .biz instead of the expected TLD.
PDFs of wire instructions that differ (even visually) from the format your office normally sends.
Requests to change the receiving bank from one the file has already been working with.
Emails received outside of normal business hours from parties who are normally 9–5.
Any request to handle the transaction 'just this once' outside your documented process.
The single most effective control is a call-back verification protocol. It needs to be written down, laminated if necessary, and followed without exception. Here's the version we recommend:
Collect verification numbers at file opening, in writing.
When you open the file, collect the buyer's direct phone number (not a Google Voice or VoIP line), the lender's loan processor's direct number, and the listing agent's brokerage main line. Store them in the file, not just in email threads.
Never accept a verification number delivered over email.
If a new phone number arrives by email and you're asked to call it to confirm new instructions, the number itself is part of the scam. Use only numbers collected before any wire-instruction discussion started.
Call before you send, and call before you act on any change.
Before sending wire instructions to a buyer, call them at the verified number and confirm what they're about to receive. Before accepting any change to wire instructions or routing, call every party in the chain that touched the request.
Use a two-person rule for any wire over $100K.
A second person in your office independently verifies the instructions and the destination account before funds are released. One set of eyes is not enough.
Document every verification call.
Name, number called, what was confirmed, time stamp. If fraud does occur, your insurer and law enforcement will ask for this record. If you don't have it, coverage gets complicated.
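The five rules above can be enforced as a release gate in whatever system holds the file. The following Python is an added example, not EscrowPilot's implementation; the class names, field names and sample values are assumptions, and the gate checks only what the protocol states: a logged call-back to a number on file made after the latest instruction change, and a second approver for any wire over $100K.

```python
from dataclasses import dataclass, field
from datetime import datetime

TWO_PERSON_THRESHOLD = 100_000  # dollars; "any wire over $100K"


@dataclass
class CallRecord:  # the fields the protocol says to document for every call
    person: str
    number_called: str
    confirmed: str
    at: datetime


@dataclass
class WireRequest:
    amount: float
    numbers_on_file: set                # collected in writing at file opening
    instructions_changed_at: datetime   # last time instructions were set or changed
    calls: list = field(default_factory=list)
    approvers: set = field(default_factory=set)


def release_blockers(req: WireRequest) -> list:
    """Return the reasons the wire must not go out; an empty list means release."""
    blockers = []
    on_file = [c for c in req.calls if c.number_called in req.numbers_on_file]
    # A call made before the latest change verified the old instructions, not these.
    if not any(c.at >= req.instructions_changed_at for c in on_file):
        blockers.append("no call-back to a number on file since the last instruction change")
    # A number that arrived later (for example by email) never counts as verification.
    if len(on_file) != len(req.calls):
        blockers.append("a call went to a number that was not collected at file opening")
    if req.amount > TWO_PERSON_THRESHOLD and len(req.approvers) < 2:
        blockers.append("two-person rule: second independent approver missing")
    return blockers
```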
Most escrow officers worry that hard verification makes them look paranoid to buyers and sellers. The opposite is true — when you lead the conversation, you look competent. Here are scripts that work.
Opening email to buyer
Hi {buyer name} — congrats on the contract. Before we get into anything wire-related, a quick note on how this will work. I will never email you updated wire instructions without first calling you at the number you gave me when we opened this file. If you ever receive wire instructions from anyone claiming to be me, please don't act on the email; call me directly at {your number} and confirm. Real estate wire fraud is the #1 form of cybercrime targeting transactions like yours. I take it seriously, and I need you to take it seriously with me. Thanks — {your name}.
Pre-wire call script (outbound)
Hi {buyer name}, this is {your name} at {company}. I'm calling to verify the wire instructions for your closing on {address}. The account number on file with us is {last 4 only}, and the routing number is {full}. Can you confirm those match what I sent you? … Great. One last thing — if you get any email later today or tomorrow with updated instructions, do not act on it. Call me first at {direct number}. We're good to wire.
Inbound call from suspicious email
{Buyer name}, thank you for calling — you did exactly the right thing. I did not send that email. Please don't reply to it, don't click anything in it, and don't forward it to anyone except me. I'm going to loop in our IT and our title underwriter, and I want you to forward the original to my verified address at {your email}. We'll handle it from here.
You don't need a cybersecurity team to implement these. You need a 90-minute meeting with your IT vendor.
SPF, DKIM, and DMARC on your sending domain.
Prevents attackers from spoofing your own domain. Set DMARC to p=reject once you've verified no legitimate mail is failing.
External email warning banners.
Auto-prepend "[EXTERNAL]" to every inbound message from outside your domain. Cheap, boring, catches 40% of spoofing attempts.
MFA on every email account.
Not SMS-based MFA — use an authenticator app or hardware key. Most BEC compromises start with a reused password.
Mailbox rule auditing.
Review auto-forwarding rules and inbox rules monthly. Attackers routinely create "forward everything with 'wire' to [external]" rules and hide them.
Known-good wire templates.
Wire instruction PDFs should be generated from your system, not re-typed each time. Criminals spot re-typed docs.
A documented incident response plan.
See the next section. Write it before you need it.
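For the mailbox rule audit in the list above, the monthly review can run over an export of each mailbox's rules. The following Python is an added example, not EscrowPilot's code; the rule field names, keyword list and sample export are constructed for illustration and must be mapped to whatever your mail platform actually exports.

```python
# Added example: review exported inbox rules for forwarding and hiding behaviour.
OWN_DOMAIN = "escrowpilot.ai"  # assumption: the office's own mail domain
WATCH_WORDS = {"wire", "routing", "funding", "closing"}  # constructed keyword list


def audit_rule(rule: dict, own_domain: str = OWN_DOMAIN) -> list:
    """Return findings for one exported rule (field names are hypothetical)."""
    external = [a for a in rule.get("forward_to", [])
                if not a.lower().endswith("@" + own_domain)]
    hits = sorted({w.lower() for w in rule.get("contains", [])} & WATCH_WORDS)
    hides = bool(rule.get("delete") or rule.get("mark_read") or rule.get("move_to_folder"))
    findings = []
    if external:
        findings.append("forwards outside the domain: " + ", ".join(external))
    # Filing mail into a folder is normal; doing it to transaction keywords is not.
    if hits and (external or hides):
        findings.append("targets transaction mail (" + ", ".join(hits) + ")"
                        + (" and hides it" if hides else ""))
    return findings


def audit_mailbox(rules: list) -> dict:
    """Map rule name to findings, keeping only the rules that have any."""
    report = {r["name"]: audit_rule(r) for r in rules}
    return {name: found for name, found in report.items() if found}


# Constructed sample export for one mailbox.
SAMPLE_RULES = [
    {"name": "Newsletters", "contains": ["unsubscribe"], "move_to_folder": "Reading"},
    {"name": ".", "contains": ["wire", "invoice"],
     "forward_to": ["collector@mail.example"], "mark_read": True},
    {"name": "Team copy", "forward_to": ["assistant@escrowpilot.ai"]},
    {"name": "Hide replies", "contains": ["Wire", "routing"], "delete": True},
]
```

Calling `audit_mailbox(SAMPLE_RULES)` reports only the "." and "Hide replies" rules; the internal forward and the newsletter filter pass.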
Speed is everything. Every minute after discovery reduces recovery probability. Run these steps in parallel if you have the people, sequentially if you don't.
Within 15 minutes: call the sending bank.
Ask for their wire fraud/fraud operations desk. Request a SWIFT recall. Give them the originating reference number. The closer to real-time, the better the odds.
Within 30 minutes: file with IC3.
Go to ic3.gov and file a complaint. Include all wire details, the fraudulent email, and your contact info. IC3's Financial Fraud Kill Chain can freeze funds if the wire went to a domestic bank and IC3 is notified quickly.
Within 1 hour: notify FBI field office and local law enforcement.
The FBI has field offices in most major metros. Call the local office directly, not the general tip line. Reference that you've already filed IC3.
Within 2 hours: notify your E&O carrier and your ALTA underwriter.
Do not wait to 'figure out what happened.' The clock on coverage notice is running. Most E&O policies require notice within 24–72 hours to preserve coverage.
Within 4 hours: internal security sweep.
Assume at least one inbox in the transaction chain is compromised. Force password reset + MFA re-enrollment on every account that touched the file. Audit inbox rules. Pull email logs for the compromised account.