Real-Estate Wire Fraud: 3 Variants and the Verified-Callback Rule That Stops Them

The Anatomy of a $335,000 Wire

What This Scam Actually Is

Real-estate wire fraud is a specific application of Business Email Compromise (BEC) — the highest-dollar fraud category in the FBI's 2024 IC3 report. The FBI attributed "$2.77 billion across 21,442 reported incidents" to BEC overall; cumulative BEC losses since 2015 have "skyrocketed by more than 1025%, totaling $17.1 billion over the last decade." Real estate is the dominant individual-consumer vertical inside BEC because property transactions involve large one-time wires to unfamiliar bank accounts on a known timeline.

Mechanically, the script has four phases:

1. Initial compromise. The scammer takes over an email account belonging to one party in the deal — most often the closing attorney's paralegal or the title company's escrow officer. The compromise is typically a phishing email weeks or months before any specific deal, and the attacker may sit dormant in the inbox for months.
2. Reconnaissance. Once a real-estate transaction shows up in the compromised inbox, the attacker reads every email in the thread — closing date, wire amount, parties' names, communication cadence, language style, signature blocks. They learn enough to convincingly impersonate the compromised party.
3. Injection. Two or three days before closing, the attacker sends a polished email from the compromised account (or a near-identical lookalike domain) with new wiring instructions. The email matches prior tone and signatures perfectly because the attacker has read months of correspondence.
4. Wire-out and disappearance. The buyer wires the closing funds to the scammer's account. Within hours the funds are forwarded to a second account, then a third, often international. By closing day — when everyone realizes the title company never received the money — the trail is cold.

The script is effective because every detail looks correct: the email comes from the right address, in the right tone, at the right time, with the right amount. The only red flag is that the bank account is new — and if the buyer doesn't think to call and verify, the fraud completes. CertifID's 2024 State of Wire Fraud Report found "22% of fraudulent communication appears to come from the victim's real estate agent" and that "one in two surveyed consumers professed to being insufficiently aware of real estate fraud risks prior to closing."

One rule, three attacks. The variants below trace each route the scammer takes when the rule isn't followed — and the third trace shows what happens when the rule is followed but executed wrong.

The 3 Variants

Variant #1

The Last-Minute Wire-Instruction Swap

⚠️ High

💬 Channel: Email from a compromised closing-attorney, paralegal, or title-company escrow account, two to three days before closing day. Subject line is benign ("Wiring instructions update," "Final closing details").

An email from the closing attorney's known address arrives 48 hours before closing with "updated" wiring instructions. The email matches every prior email perfectly because the scammer has been in the attorney's inbox for weeks. The buyer wires the closing funds to a different bank than the one originally provided.

A first-time homebuyer in r/FirstTimeHomeBuyer ("Wire Fraud is No Joke," 742 upvotes) describes the textbook case. Her closing agent had warned about wire fraud explicitly. Two days before closing, an email arrived from the agent's address, with the agent's photo, signature, and contact info. The email said the closing wire instructions had been updated; please use the new bank account. The buyer almost wired it. She paused only because her husband had asked her to call the agent before sending any wire. She called. The agent had not sent the email.

A second case, on r/RealEstate ("wire fraud $100k+," 692 upvotes), describes the same pattern from the opposite outcome. The author had asked his real estate attorney's paralegal whether he could pay closing costs by cashier's check; the paralegal (whose email was compromised) replied that they preferred wire and attached a PDF of which bank to wire funds to. The PDF was a lookalike. By the time the author's bank caught the discrepancy, the wire had cleared. The defense the thread surfaces, top reply with 323 upvotes: "Wow. That's a lot more advanced than all the scams I'm used to." The advance is in the patience — by closing day the attacker has read every prior email and writes in the paralegal's exact voice.

The polished email cannot be distinguished from a real one in 30 seconds; that is the design. So the test cannot live in the email itself — it has to live in a separate verification ritual the scammer can't touch. Treat any "updated" or "revised" wiring instructions arriving by email as suspect by default. Verify by callback to the firm's known main number — not the number in the email — before the wire is sent. ALTA's 2024 State of Wire Fraud Study reports "the average title insurance fraud and forgery claim costs over $143,000." The first-time-homebuyer in r/FirstTimeHomeBuyer who paused only because her husband had asked her to call had no other defense — the email was that good.

Red Flags

• Wiring instructions arrive in an email rather than being handed to you on paper at the office
• An "updated" or "revised" version of instructions arrives close to closing day, after the original instructions
• Receiving bank name on the instructions does not match the title company or law firm name exactly
• Email asks you to confirm by replying to the email rather than calling a phone number you've used before
• Subject line creates closing-day urgency ("urgent," "final," "must be completed today")

How to Avoid

• Apply the verified-callback rule to every wire over $1,000: call the firm's main number from their website and confirm verbally before sending.
• If your attorney will accept a cashier's check, use one. The check is delivered in person, eliminating the wire-interception window.
• Read account and routing numbers back to the verified contact digit-by-digit. A single transposed digit between the legitimate and fraudulent account is a common attacker trick.
• Do not respond to "updated" wiring instruction emails by reply. Pick up the phone. Use a number you already have.
• Tell your closing attorney upfront that you will be calling to verify any wire — make it explicit so the timing isn't surprising on the day.

"I work in real estate. We make every client sign a form about wire fraud before closing. Every reputable attorney and title company I deal with has email footers and/or documents about this issue. The scammers compromise the email chain and follow the emails, then send very real looking emails right at closing." — r/fatFIRE top reply, on the $335K parents-loss case (905 upvotes)

The basic email-injection variant assumes the scammer can read prior emails and impersonate them. The next variant goes further — actively rewriting messages mid-conversation.

Variant #2

Email-Editing Man-in-the-Middle ("They're Editing Our Emails")

⚠️ High

💬 Channel: An ongoing email thread between buyer, seller, agent, and attorney where one party's account is compromised. The attacker silently modifies messages mid-conversation, changing details before they reach the recipient.

More sophisticated than a one-shot fake email. The attacker is logged into the compromised account in real time, intercepting incoming messages, modifying details (bank account, signature), and forwarding the altered version. Both parties believe they are corresponding directly. The attacker is editing the conversation as it happens.

The r/RealEstate thread "REALTOR WIRE FRAUD ALERT: They're editing our emails" (267 upvotes) describes a deal where the buyer noticed something subtly wrong on a third or fourth round of email correspondence about closing details. Account numbers in earlier emails the agent had supposedly sent didn't match the agent's current memory. The agent insisted she had sent specific instructions; the buyer's inbox showed different instructions. They eventually realized that someone had compromised the agent's email account, was reading every outbound email before it left, and editing wiring details before forwarding the modified message.

This variant is harder to detect because there is no single "fake email" — every email looks authentic, comes from the real address, in the real tone. The attacker's edits are surgical: change a single account number, leave everything else intact. From either party's perspective, the conversation is normal until the wire fails. The top community comment on this thread (284 upvotes) describes a defense one buyer used: "When we bought our current house in 2023, I had to physically go to the title office and pick up a piece of paper with the wiring instructions on it because of scams like this one. We were told repeatedly that any instructions sent by email were invalid."

When email itself can no longer be trusted, the defense moves off the screen. Pick up the phone. Confirm verbally. Better yet, pick up the wiring instructions in person — printed paper handed across a desk. The man-in-the-middle attacker cannot edit a phone call and cannot rewrite a sheet of paper. CertifID's 2024 report notes that "fraudsters have become increasingly skilled at leveraging public records, breaching broker and title agency systems, and deploying AI-enabled tactics to impersonate real estate professionals" — email-only verification is no longer sufficient on either side.

Red Flags

• Wiring details in your inbox don't match what the other party remembers having sent
• Subtle inconsistencies across the email thread — one email says X, another says Y, both apparently from the same sender
• The other party's email signature has slightly different formatting than usual (font weight, line spacing) — a sign the attacker is reformatting messages
• Replies arrive at unusual hours for the sender's time zone, or at unusually fast/slow cadence
• The other party seems unaware of details they should know from prior emails — because their original messages were edited before delivery

How to Avoid

• Treat email as untrusted for any specific dollar amount, account number, or bank name. Verify all numerical details by phone callback.
• Pick up wiring instructions in person at the title company's office whenever possible — printed paper handed across a desk.
• If you suspect mid-conversation editing, call all parties on numbers you've used before and ask each to read back their version of the agreed details.
• For high-value transactions, escrow services (Earnnest, Plaid Pay-by-Bank, or title-company-integrated platforms) bypass the wiring-instruction email entirely.
• Report any suspected email compromise immediately to the affected party so they can investigate their account, change passwords, and enable MFA. The longer the attacker remains in the inbox, the more deals are exposed.

The first two variants assume the buyer trusts email and can be tricked into wiring to a fake account. The next variant attacks the defense itself — the verification call.

Variant #3

Spoofed Callback Number (defeats the call-to-verify rule)

⚠️ High

💬 Channel: Email from compromised real-estate agent or title-company account containing fraudulent wiring instructions plus a "call to verify" phone number. The phone number is the scammer's, not the firm's.

The buyer follows best practice and calls to verify wiring instructions. But the phone number on the email is the attacker's — not the firm's. The verification call goes to the scammer, who confirms the fake instructions in a professional voice. The buyer wires the funds, having "verified" them.

A title-company employee on r/RealEstate ("Home buyer scammed out of $400,000 down payment") describes the case directly: "We had a case where the agent's email got hacked. The bad actor put their number down as the title company's number to call and confirm." (156 upvotes). The buyer did everything right — the email instructed them to call to verify, they called, they got a professional voice that confirmed the wiring details. Every box was checked. The defense had been weaponized.

This is the most insidious variant because it specifically targets buyers who have learned the verified-callback rule but execute it incorrectly — calling the number provided in the email instead of a number obtained independently. CertifID's 2024 report measured "$500 million" of all 2024 IC3 losses attributable to real-estate wire fraud, much of it from victims who believed they had verified. The Silicon Valley executive who lost $400,000 in mid-2024 (CNBC, July 2024) had checked the email signature, checked the domain, and called the number on the email. The number went to a call center the scammer operated.

So how do you verify a verification? The phone number itself has to come from outside the deal channel. Get the title company's or law firm's main number from the firm's official website — not from any email, document, or business card delivered through the deal. Write it down on day one. Tape it to the inside of the transaction folder. Use that number, no other. If the email says "call to verify at this number," the email number is the scam. The Silicon Valley executive who lost $400,000 had checked the email signature, checked the domain, and called the number on the email — every box checked, every box checked wrong.

Red Flags

• Email instructs you to call a specific number to verify the wiring instructions — but the number is presented in the email, not from your transaction file
• Phone number on email signature differs from the firm's main switchboard number on their website
• Caller you reach answers as the firm but doesn't know specific deal details that the real firm would know
• Verification call routes through an unfamiliar IVR ("press 1 for closings") that you haven't encountered in prior calls to the firm
• Caller gets impatient or pressures you to wire quickly — real escrow officers give you time to confirm details

How to Avoid

• Get the firm's main switchboard number from their official website on day one of the transaction. Save it on paper. That is the only number you will use to verify wires.
• If the email provides a "verification number," ignore it. Call the website number instead. Ask for the closing officer by name.
• If the closing officer's direct line was given to you in person at a meeting, that is also acceptable. A direct line emailed to you mid-transaction is not.
• Test the website number with a low-stakes call early in the transaction (e.g., a clarifying question about closing). Confirm you reach the same firm.
• If you suspect the email number is fraudulent, do not call it — even to "see what they say." It identifies you as a target and may accelerate the script.

The Numbers (and Where They Come From)

Every figure below is from a primary source with the verbatim quote on file in our research log. Where a stat is an industry estimate rather than agency-reported, the source card is shaded differently.

Two additional facts worth knowing. ALTA's 2024 study found that "in 2023, 28% of title insurance companies experienced at least one seller impersonation fraud attempt, and in April 2024 alone, two in 10 title companies experienced attempts." CertifID's consumer survey found that "22% of fraudulent communication appears to come from the victim's real estate agent" — meaning the most-trusted contact in many transactions is also a frequent compromise target.

Recovery Reality (and the 24-72 Hour Window)

Recovery from real-estate wire fraud is possible but rare, and the window is narrow. The CFPB's mortgage-closing-scam guidance is direct: "Filing within 24 hours, but no more than 72 hours, provides the best chance of recovery." If the wire has not yet cleared at the receiving bank, your originating bank can sometimes recall it. After 72 hours the funds are typically wired out internationally and recovery becomes very rare.

The FBI's Financial Fraud Kill Chain is the formal recovery protocol — it's a coordinated effort between the FBI, the originating bank, and the receiving bank to reverse a fraudulent wire that has not yet been withdrawn. To activate it, the victim must file at ic3.gov within the first 72 hours and contact the FBI field office for amounts over $50,000. Most successful recoveries happen in the first 48 hours.

Beyond the bank, several civil paths exist. If the closing attorney's or title company's email account was compromised, their professional liability (E&O) insurance may apply — but pursuing this requires civil litigation and the burden is on the buyer to demonstrate the firm's negligence in protecting its email systems. Some buyers carry their own cyber insurance (increasingly recommended for high-value home purchases). ALTA introduced a seller-impersonation endorsement in 2024 that covers some seller-side fraud but does not cover the more common buyer-side closing wire losses.

The blunt summary: the 24-72 hour window is everything. Beyond that, expect to need litigation, insurance, and patience for what is rarely full recovery.

If You're a Buyer About to Close — The Checklist

1. Day 1 of the transaction: Get the title company's main switchboard number from their official website. Get your closing attorney's office number from their firm website. Write both on paper. Tape to the inside of your transaction folder.
2. Two weeks before closing: Ask your closing attorney whether they will accept a cashier's check instead of a wire. If yes, plan to use one — it eliminates the wire-interception window entirely.
3. Three days before closing: If you receive any "updated" or "revised" wiring instructions, treat them as suspect by default. Call the verified number from your transaction folder before doing anything.
4. Wire day: Call the verified number, ask for the closing officer by name, read the routing and account numbers back digit-by-digit, confirm the receiving bank name matches the firm. Only after that, send the wire.
5. If anything goes wrong: The next 24 hours determine whether recovery is possible. Call your bank's fraud line within hours, request a wire recall, file at ic3.gov, contact your local FBI field office for amounts over $50K. Don't wait.

If You're Reporting Outside the United States

Real-estate BEC targets English-speaking property buyers across the entire Anglosphere. Reporting paths exist in every major jurisdiction.

• United Kingdom: Action Fraud within 24 hours; the Financial Conduct Authority handles regulatory complaints. UK Finance has published BEC-specific guidance for solicitors and conveyancers.
• Canada: Canadian Anti-Fraud Centre (CAFC) and the RCMP. Some provincial Law Societies have published wire-fraud guidance for real-estate lawyers.
• Australia: Scamwatch (run by the ACCC) and IDCARE. Australian conveyancers have specific PEXA-platform protocols for closing-day verification.
• European Union: Report to your national fraud office (e.g., German BKA, French ANSSI, Dutch Fraudehelpdesk) and to Europol's online crime portal. The EU's NIS2 directive (effective 2024) increased reporting requirements for affected service providers.
• Ireland: An Garda Síochána Garda National Cyber Crime Bureau (GNCCB).

Related Reading

Real-estate wire fraud shares operational infrastructure with other BEC and impersonation attacks documented on tabiji. Internal: the Everywhere hub; AI Voice-Clone Scams (the cloned-CFO and cloned-closing-officer call is now a routine secondary attack alongside email compromise); Pig-Butchering (different victim profile, same email-thread-monitoring patience pattern); Recovery Scams (wire-fraud victims who post publicly become recovery-scam targets within weeks; the no-upfront-fee rule applies to victims of every variant on this page). External authorities: the FBI IC3 2024 Annual Report; the FBI BEC PSA — "The $55 Billion Scam"; ALTA's State of Wire Fraud 2024; CertifID's 2024 State of Wire Fraud Report; the CFPB mortgage closing scam advisory.

This page is consumer education, not legal or financial advice. The scams documented here are real and the defenses are drawn from patterns across 4,045+ Reddit posts and comments (276 threads, 3,769 comments) plus the federal-agency, NGO, and industry sources cited inline, but every situation is different. If you have lost money to wire fraud, consult a licensed attorney through your state bar's referral service before paying anyone for "recovery" services. Reddit thread upvote counts are reported as of April 2026 and may have changed since publication. Last updated: April 29, 2026. Next scheduled refresh: July 29, 2026.