Wire Fraud Prevention for Real Estate Offices: The Complete Guide (Including What Everyone Else Skips)
In 2022, wire fraud cost real estate buyers and sellers $446 million. The FBI received 9,521 real estate fraud complaints in 2023 alone. The median victim loses more than $70,000, often their entire down payment, and in most cases, the money is never recovered.
Every title company, real estate association, and mortgage lender in the country publishes some version of the same advice: verify wire instructions by phone before you send anything. Call using a number you already have on file, not one from a suspicious email. That advice is correct. Follow it.
But here's what almost nobody talks about: that checklist assumes your email hasn't already been compromised. If an attacker has been reading your inbox for two weeks, they already know your clients' names, the deal timeline, the parties involved, and what amount to put in the fraudulent wire instructions. The phone verification step is the last line of defense, not the first.
Wire fraud prevention for real estate offices requires two layers. Step 1 is the procedural checklist everyone already knows. Step 0 is securing the email account so the attacker never gets in to begin with. Almost no one in this space talks about step 0. This guide does.
What Is Real Estate Wire Fraud and Why Your Office Is the Target
Real estate wire fraud is a form of business email compromise (BEC) in which an attacker intercepts wire transfer instructions and redirects funds to a fraudulent account. The buyer, seller, agent, title company, or lender believes they're sending money to the correct destination. The funds land in an account controlled by the attacker. By the time anyone realizes what happened, the money is gone.
Real estate is uniquely attractive for this crime for three reasons. First, transactions involve large one-time wire transfers, the average real estate wire is in the hundreds of thousands of dollars. Second, closings are emotionally high-stakes and time-pressured, which reduces the skepticism buyers and agents apply to last-minute changes. Third, every transaction involves multiple parties communicating by email: buyer, seller, agent, title company, lender, and sometimes attorneys. Any one of those parties is a potential entry point.
The wire transfer itself is the final step of a process that starts much earlier, with access to someone's email account.
Real Estate Wire Fraud Statistics: The Numbers Behind the Risk
The scale of this problem is larger than most real estate professionals realize.
According to FBI Internet Crime Complaint Center data, real estate wire fraud losses reached $446 million in 2022. The FBI received 9,521 real estate fraud complaints in 2023. The median loss per victim exceeds $70,000, and recovery rates are low, wire transfers are difficult to reverse, and international destination accounts are nearly impossible to seize quickly enough.
The threat extends well beyond buyers. A 2024 report from CertifID found that 1 in 4 buyers received fraudulent wire instructions during a closing process. More striking: 54% of real estate professionals experienced at least one fraudulent seller impersonation attempt in a recent six-month period. Agents and office managers aren't bystanders in this crime. They're targets.
Business email compromise across all industries totaled $2.9 billion in losses in 2023, according to the FBI IC3 annual report. Real estate is consistently ranked among the most targeted industries.
The trajectory matters too: wire fraud losses in real estate were under $9 million in 2015. They reached $446 million by 2022. That's a 50-fold increase in seven years. The attacks are getting more sophisticated and more common, not less.
How Wire Fraud Actually Happens: The Three-Step Attack Chain
Most guides describe wire fraud as a buyer sending money to the wrong account. That's accurate, but it's the end of the story. Understanding how the attack actually works is what makes prevention possible.
Step 1: Gaining Access to an Email Account
The attack starts not at closing day, but weeks earlier, when someone's email account is compromised.
Attackers gain access through phishing emails that trick the recipient into entering their credentials on a fake login page, through credential stuffing using passwords exposed in unrelated data breaches, or through brute force attacks against accounts without multi-factor authentication. The targets are agents, office managers, title officers, and anyone else involved in the transaction chain.
This is where wire fraud prevention actually starts. Most guides never address it.
Once an attacker has credentials, they log in and set up email forwarding rules or filters that keep their presence invisible. They can read everything in the inbox without the account owner seeing any evidence of unauthorized access.
Step 2: Surveilling the Transaction
With access to the compromised email account, the attacker monitors the transaction passively. They identify the parties involved, the deal timeline, the expected closing date, and the wire amount. This surveillance phase can last days or weeks. The attacker isn't in a hurry, they're waiting for the optimal moment to act.
During this period, your client or colleague is unknowingly communicating with someone who is watching every email related to the deal.
Step 3: Intercepting Wire Instructions at Closing
When closing approaches, the attacker moves. They send wire instructions, either from the compromised account directly, or from a spoofed address that looks nearly identical, directing the buyer or other party to wire funds to a different account.
The language mimics legitimate closing communications. The email may contain the correct property address, closing date, and parties' names because the attacker already has all of that information. The only change is the account number. A sense of urgency is added: "We need the wire sent today to avoid a closing delay."
The buyer follows the instructions. The money lands in the fraudulent account. The real closing agent has no idea this is happening until someone asks why the funds never arrived.
The Standard Wire Fraud Prevention Checklist
The advice you'll find from NAR, title companies, and mortgage lenders is accurate and important. Every real estate office should follow it consistently:
- Call to verify using a number you already have, not the number in the email, not a number provided in the same message as the wire instructions
- Verify any last-minute changes to wire instructions through a separate, pre-established communication channel
- Establish a code word or phrase with your clients at the start of a transaction, to be used when confirming financial instructions
- Never email wire instructions unencrypted, use a secure client portal if you're transmitting account numbers or routing numbers in writing
- Confirm receipt, after sending, call to verify that funds were received
- Brief your clients explicitly at the start of every transaction that you will never send last-minute changes to wire instructions by email alone
These steps save money. They're the right process. The problem is that they're designed to catch an attacker who is already inside the transaction, because the email account was already compromised in Step 1.
The checklist treats the symptom. Step 0 treats the cause.
Maria is a managing agent at a mid-sized brokerage in Riverside County. Her office followed verification procedures on every transaction. In the spring of 2024, a transaction coordinator's email account was compromised through a phishing link embedded in a fake DocuSign notification. For 19 days, an attacker monitored all email traffic on three pending deals. On the 20th day, the attacker sent fraudulent wire instructions to a buyer on one of those deals. The buyer called to verify using the phone number listed in the compromised coordinator's email signature. The attacker had already modified the forwarded confirmation template to include a fraudulent callback number. The buyer confirmed with what appeared to be the correct office. $387,000 was wired to a fraudulent account.
The verification procedure was followed. It failed because the compromise happened upstream, in the email account, weeks before closing.
Step 0: Securing the Email Account Before an Attack Happens
If the email account is never compromised, the wire fraud attack chain never starts. This is the layer that almost no one in real estate talks about, because it requires IT infrastructure knowledge rather than procedural compliance.
Multi-Factor Authentication: The Single Most Effective Control
MFA requires a second form of verification beyond a password when logging in. Even if an attacker steals or guesses a password, they can't access the account without the second factor.
For a real estate office using Microsoft 365 or Google Workspace, enabling MFA is an administrative configuration, it can be enforced for all users across the domain. An IT administrator can set this up in under an hour. The challenge isn't the technology. It's enforcement. MFA only protects accounts where it's actually enabled and consistently used.
Authenticator apps (Microsoft Authenticator, Google Authenticator) are more secure than SMS-based MFA. SMS is vulnerable to SIM-swapping attacks. Either satisfies the requirement, but the upgrade is worth making for staff who handle high-value transaction communications.
Email Authentication: Stopping Spoofed Addresses at the Source
SPF, DKIM, and DMARC are email authentication standards that, when properly configured, prevent attackers from sending emails that appear to come from your domain.
Without these records configured, anyone can send an email that looks like it came from [email protected]. That's how impersonation attacks work: the attacker doesn't compromise your account, they just make an email look like it came from you.
Most real estate office email domains have none of these records properly configured. A qualified IT provider can set them up in a few hours. FinCEN's analysis of BEC in the real estate sector specifically identifies domain authentication as a critical prevention control, and it's one of the least-implemented recommendations in the industry.
Email Security Gateway: Filtering Before It Hits the Inbox
Standard email platforms (Microsoft 365, Google Workspace) include basic spam and phishing filtering. An email security gateway adds a more sophisticated layer, one trained to recognize real estate-specific phishing patterns, flag suspicious links, and quarantine messages that share characteristics with known BEC campaigns.
For a real estate office that routinely receives messages from title companies, lenders, attorneys, and clients, all of whom are legitimate parties whose domains might be spoofed, advanced filtering matters. The gateway catches attacks that the standard platform's filters miss.
Phishing Simulation and Security Awareness Training
The majority of email account compromises begin with someone clicking a link they shouldn't have. Phishing simulation programs send realistic, fake phishing emails to staff on a regular cadence. When someone clicks, they receive immediate training rather than a reprimand.
The goal is behavioral change through repetition. Staff who receive monthly simulations and targeted training recognize phishing attempts faster and report them instead of acting on them. For a real estate office, simulations should include realistic lures: DocuSign notifications, wire instruction attachments, and messages that appear to come from lenders or title companies.
Monitoring for Account Compromise Signs
Even with all of the above in place, account compromises can occur. The critical question is how quickly they're detected.
Signs that an email account may be compromised include: login activity from unusual geographic locations or devices, email forwarding rules the account owner didn't set up, sudden changes to email signature templates, unusual sent folder activity, or unexpected account recovery emails. In most real estate offices, nobody is monitoring for these indicators. Attackers exploit that.
A managed IT provider monitors email environments for these signals and can detect account compromises often within hours rather than days. The 19-day surveillance window in the story above would have been substantially shorter with active monitoring in place.
What to Do If Your Email Has Already Been Compromised
If you discover or suspect that an email account in your office has been compromised, act immediately. Every hour of delay is additional exposure.
Immediate steps:
- Change the account password and sign out of all active sessions across all devices
- Check for forwarding rules and delegates, attackers often set these up to maintain access after password changes; remove any you didn't create
- Audit the sent folder and deleted items for any messages sent without the account owner's knowledge
- Notify all active transaction parties through a verified channel that is separate from email, call every client, title officer, lender, and attorney connected to any pending deal and inform them that the account was compromised
- Verify wire instructions on all pending transactions regardless of whether anything looks wrong
- Report to the FBI IC3 at ic3.gov, real estate wire fraud is a federal crime and the FBI does pursue these cases
- Contact your cyber insurance carrier immediately if you have a business owner's policy with cyber coverage
- Engage IT support to conduct a forensic review of what the attacker accessed, how long the compromise lasted, and whether any other accounts or systems were affected
Time is critical. Wire transfers are difficult but not impossible to reverse if the bank is notified quickly enough. The FBI's financial fraud team can sometimes coordinate with receiving financial institutions to freeze fraudulent accounts within 72 hours of a complaint.
What This Means for Real Estate Offices Without Internal IT
The standard prevention checklist, call to verify, use code words, never change wire instructions by email alone, requires no technology. Any brokerage can implement it today.
The technical layer is different. Enforcing MFA across all staff accounts, configuring SPF/DKIM/DMARC, deploying an email security gateway, running phishing simulations, and monitoring for account compromise signs requires IT administration capabilities that most real estate offices don't have internally.
A 10-agent brokerage typically has no IT staff. The office manager sets up new email accounts when agents join, and the previous IT vendor handles computers when something breaks. That configuration leaves the entire technical prevention layer unaddressed.
A managed IT provider fills that gap. For a flat monthly fee, the provider enforces MFA across all staff accounts, configures and monitors email authentication, deploys advanced email filtering, runs phishing simulations with training, and monitors for account compromise indicators in real time.
The cost comparison is straightforward. The median wire fraud loss for a real estate office is more than $70,000. Managed IT for a 10-agent office runs a fraction of that annually. The economics are not close.
James runs a 12-agent independent brokerage in Orange County. After a competitor's office lost $280,000 in a wire fraud incident, James decided to audit his office's email security. His IT vendor confirmed that none of his staff accounts had MFA enabled, the domain had no DMARC record, and he had no visibility into whether his email accounts had been accessed from outside the office. Six weeks and a modest IT engagement later, all three issues were resolved. He now receives a monthly report showing his staff's phishing simulation results and any suspicious login activity. No incidents since.
If you want to understand exactly where your office stands on email security and wire fraud prevention, a free IT risk assessment covers your current configuration, identifies the specific gaps, and gives you a clear picture of what it would take to close them.
The Bottom Line
Real estate wire fraud is a $446 million annual problem, growing year over year, and the average victim never recovers their money.
The standard prevention advice, verify wire instructions by phone, use code words, never send wire changes by email only, is correct and every office should follow it. But it addresses step 1 of a two-step problem.
Step 0 is securing the email account so the attacker never gets in. MFA, email authentication (SPF/DKIM/DMARC), advanced email filtering, phishing simulations, and account compromise monitoring are the technical controls that prevent the attack from starting. They require IT infrastructure, not just office procedures.
Real estate offices that have only the procedural checklist are one compromised email account away from a six-figure loss. The ones that have both layers have substantially reduced their exposure.
Cobrix provides managed IT and cybersecurity for real estate offices, including the email security stack, MFA enforcement, and monitoring that stops wire fraud before step 1 ever becomes relevant. Our managed security services include dark web monitoring for compromised staff credentials, which is often the first signal that an attack is coming.
Schedule a free IT risk assessment and we'll show you exactly where your office stands, and what it would take to close any gaps before your next closing.