Who is legally liable when wire fraud occurs in a real estate transaction?

Liability is contested and often results in litigation between the parties. Courts have held buyers liable when they failed to follow verbal verification procedures despite being warned. Title companies and attorneys have faced liability when their email accounts were compromised and used to send fraudulent wire instructions. Real estate agents have faced E&O claims when their communication failures contributed to the fraud. Cyber insurance with BEC coverage is the primary financial protection — but the coverage may be denied if basic controls like MFA weren't in place.

Can fraudulent wire transfers be recovered?

The FBI's Internet Crime Complaint Center (IC3) has a Financial Fraud Kill Chain process that can sometimes recover funds if reported within 72 hours. Recovery rates are below 20% overall. The faster you report — IC3.gov and your bank's fraud department — the better the odds. After 24–48 hours, the money has typically moved through multiple mule accounts and been converted or withdrawn. Cyber insurance with BEC coverage can cover the loss, subject to policy limits and deductibles.

What is DMARC and why does it matter for real estate firms?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that prevents attackers from spoofing your domain in outbound emails. If your firm's DMARC policy is set to 'reject,' an attacker cannot send a convincing email pretending to be from @yourfirm.com — the email will be rejected before it reaches the recipient. Most real estate firms either have no DMARC record or have it set to 'none' (monitor only), which provides no protection. Setting DMARC to 'reject' is a 30-minute configuration change your IT provider should make immediately.

Does cyber insurance cover wire fraud losses from BEC attacks?

It depends on the policy. Standard commercial crime policies often exclude 'voluntary' wire transfers, meaning if an employee was tricked into sending the wire, it may not be covered. Cyber liability policies with BEC (Business Email Compromise) or social engineering endorsements are specifically designed to cover this scenario. However, claims are increasingly being denied when MFA wasn't implemented — insurers argue the loss was preventable. Before assuming you're covered, review your policy language with your broker and confirm BEC is explicitly included.

How to Prevent Wire Fraud: A Real Estate IT Security Guide

Wire fraud targeting real estate transactions is not a new threat — but it's gotten dramatically more sophisticated. The FBI's 2023 Internet Crime Report showed real estate and rental fraud caused $446 million in losses, making it one of the highest-dollar cybercrime categories by industry.

The attacks work because they exploit trust at the most emotionally and financially charged moment in a buyer's life: closing day. Understanding exactly how these attacks happen is the first step toward preventing them.

How Real Estate Wire Fraud Actually Works

The most common attack vector is called Business Email Compromise (BEC). Here's the step-by-step playbook attackers follow:

Step 1: Gaining Email Access

The attacker needs to get inside a legitimate email account involved in the transaction. The most common entry points are:

Phishing: A fake Microsoft 365 or Gmail login page that captures credentials. Often delivered as a fake DocuSign notification or "your shared document is ready" email.
Credential stuffing: The attacker buys a list of breached username/password combinations and tries them against real estate professionals' email accounts. If you've reused a password that appeared in any data breach, you're exposed.
Weak passwords: Without MFA, a guessable or dictionary password is all that stands between an attacker and your inbox.

Step 2: Silent Monitoring

After gaining access, a skilled attacker does nothing visible for days or weeks. They set up a silent forwarding rule or simply monitor the inbox for transactions approaching closing. They're looking for: the property address, buyer and seller names, the expected wire amount, the title company and attorney involved, and the anticipated closing date.

This is why MFA alone isn't sufficient. If an attacker already has your credentials and MFA is added after the compromise, they may already have an active session. You need anomaly detection that flags new login locations, forwarding rules, and unusual access patterns — not just MFA at login.

Step 3: Sending Fraudulent Wire Instructions

The attacker sends a convincing email at the right moment — typically a few days before closing, when wire instructions would naturally be communicated. The email appears to come from the title company, escrow officer, or closing attorney. It may be sent from:

The actual compromised account (most convincing)
A lookalike domain: titlecompany-closing.com instead of titlecompany.com, or t1tlecompany.com
A spoofed "from" address that passes a casual glance but fails email authentication checks (DMARC)

The fraudulent wire instructions point to an attacker-controlled bank account, often a money mule account that will forward the funds within hours.

Step 4: Discovery

Fraud is typically discovered when the real title company calls about the missing wire — often on closing day or the day after. At that point, the money has usually already been moved and converted. The FBI's financial fraud response team may be able to freeze funds if contacted within 24–48 hours, but success rates are below 20%.

The IT Controls That Break Each Step

Breaking Step 1: MFA on Every Account

Multi-factor authentication (MFA) prevents credential theft from turning into account access. Even if an attacker has your username and password from a phishing attack or breach, they can't log in without the second factor. MFA must be enforced on:

Every email account (M365, Google Workspace, or any email provider)
The transaction management platform (Dotloop, SkySlope, etc.)
The CRM
Any cloud storage used for transaction documents

Authenticator apps (Microsoft Authenticator, Google Authenticator) are more secure than SMS-based MFA. Use Conditional Access policies in Microsoft 365 to enforce MFA — not just "recommended" MFA that users can skip.

Breaking Step 2: Email Anomaly Detection

Microsoft Defender for Office 365 Plan 2 (or equivalent) monitors for:

Impossible travel logins (account logged in from New York and then from Romania 10 minutes later)
New inbox rules created (especially forwarding rules to external addresses)
Unusual email access patterns (account accessing mail at 3am from an unfamiliar device)
Mass email deletions (attacker covering tracks)

These alerts can detect a BEC attack in progress — before any fraudulent wire instruction is sent.

Breaking Step 3: DMARC, DKIM, and SPF

These three email authentication standards work together to prevent domain spoofing:

SPF (Sender Policy Framework): Lists the mail servers authorized to send email from your domain. Any server not on the list is flagged as unauthorized.
DKIM (DomainKeys Identified Mail): Cryptographically signs outbound emails so recipients can verify they genuinely came from your server.
DMARC (Domain-based Message Authentication): Combines SPF and DKIM, and tells receiving mail servers what to do with emails that fail authentication. A policy of p=reject causes emails that fail your authentication checks to be rejected outright — not delivered to the recipient at all.

Check your firm's DMARC status by searching for "yourdomain.com DMARC check" using any free DMARC lookup tool. If you have no DMARC record or it's set to p=none, you have no protection against domain spoofing.

The Verbal Verification Protocol: Your Last Line of Defense

Technology controls can fail. The verbal verification protocol is the backstop that doesn't depend on IT configuration being perfect:

Any wire instruction — or any change to previously confirmed wire instructions — must be verified by phone call to a number independently obtained (not from the email). Never call the number in the email. Never reply to the email asking for confirmation.

This policy should be communicated to buyers at the beginning of a transaction, documented in writing, and practiced by every agent, TC, and closing officer. It's the one control that stops wire fraud even when every technical control has failed.

Lookalike Domain Monitoring

Attackers register lookalike domains (homoglyph attacks, hyphenated variants, transposed letters) weeks or months before they use them. Monitoring services like Bolster and DomainTools alert you when domains similar to yours are registered, giving you time to report them and warn clients before they're weaponized.

What to Tell Clients About Wire Fraud

Every buyer and seller should be warned at the listing or buyer consultation:

"We will never send you wire instructions via email without a phone confirmation. If you receive wire instructions by email, call us at the number on our website or business card — not the number in the email — before wiring anything."
"Any last-minute change to wire instructions is a major red flag. Stop and call us immediately."
"Once a wire is sent, recovery is nearly impossible. Take extra time to verify."

After a Fraud Attempt: What to Do

If you discover a fraudulent wire instruction was sent from your or a partner's account:

Call your bank's fraud line immediately — ask for an emergency wire recall
File a complaint at IC3.gov (FBI's Internet Crime Complaint Center)
Call 1-800-CALL-FBI and request the Financial Fraud Kill Chain process
Notify your cyber insurance carrier
Preserve all email headers and logs — don't delete anything
Contact your IT provider to determine how the compromise happened and contain it

Real estate firms need IT support built specifically for real estate — not a general IT provider who's never seen a wire fraud case. The controls above aren't optional features. They're the baseline for operating safely in today's threat environment.