Real-Estate Wire Fraud: 5 Variants and the Verified-Callback Rule That Stops Them

An email from the closing attorney's known address arrives 48 hours before closing with "updated" wiring instructions. The email matches every prior email perfectly because the scammer has been in the attorney's inbox for weeks. The buyer wires the closing funds to a different bank than the one originally provided.

A first-time homebuyer in r/FirstTimeHomeBuyer ("Wire Fraud is No Joke," 742 upvotes) describes the textbook case. Her closing agent had warned about wire fraud explicitly. Two days before closing, an email arrived from the agent's address, with the agent's photo, signature, and contact info. The email said the closing wire instructions had been updated; please use the new bank account. The buyer almost wired it. She paused only because her husband had asked her to call the agent before sending any wire. She called. The agent had not sent the email.

A second case, on r/RealEstate ("wire fraud $100k+," 692 upvotes), describes the same pattern from the opposite outcome. The author had asked his real estate attorney's paralegal whether he could pay closing costs by cashier's check; the paralegal (whose email was compromised) replied that they preferred wire and attached a PDF of which bank to wire funds to. The PDF was a lookalike. By the time the author's bank caught the discrepancy, the wire had cleared. The defense the thread surfaces, top reply with 323 upvotes: "Wow. That's a lot more advanced than all the scams I'm used to." The advance is in the patience — by closing day the attacker has read every prior email and writes in the paralegal's exact voice.

The defense is procedural rather than auditory. The polished email cannot be distinguished from a real one in 30 seconds; that is the design. The single decision rule that breaks the funnel: any "updated" or "revised" wiring instructions received by email are treated as suspect by default and verified by callback to the firm's known main number — not the number in the email — before the wire is sent. ALTA's 2024 State of Wire Fraud Study reports "the average title insurance fraud and forgery claim costs over $143,000."

The basic email-injection variant assumes the scammer can read prior emails and impersonate them. The next variant goes further — actively rewriting messages mid-conversation.

More sophisticated than a one-shot fake email. The attacker is logged into the compromised account in real time, intercepting incoming messages, modifying details (bank account, signature), and forwarding the altered version. Both parties believe they are corresponding directly. The attacker is editing the conversation as it happens.

The r/RealEstate thread "REALTOR WIRE FRAUD ALERT: They're editing our emails" (267 upvotes) describes a deal where the buyer noticed something subtly wrong on a third or fourth round of email correspondence about closing details. Account numbers in earlier emails the agent had supposedly sent didn't match the agent's current memory. The agent insisted she had sent specific instructions; the buyer's inbox showed different instructions. They eventually realized that someone had compromised the agent's email account, was reading every outbound email before it left, and editing wiring details before forwarding the modified message.

This variant is harder to detect because there is no single "fake email" — every email looks authentic, comes from the real address, in the real tone. The attacker's edits are surgical: change a single account number, leave everything else intact. From either party's perspective, the conversation is normal until the wire fails. The top community comment on this thread (284 upvotes) describes a defense one buyer used: "When we bought our current house in 2023, I had to physically go to the title office and pick up a piece of paper with the wiring instructions on it because of scams like this one. We were told repeatedly that any instructions sent by email were invalid."

The defense remains the verified-callback rule, applied with extra discipline: do not rely on email for any single fact about wiring details, even if the same fact is repeated across multiple emails. Pick up the phone. Confirm verbally. The man-in-the-middle attacker cannot edit a phone call. CertifID's 2024 report notes that "fraudsters have become increasingly skilled at leveraging public records, breaching broker and title agency systems, and deploying AI-enabled tactics to impersonate real estate professionals" — meaning email-only verification is no longer sufficient on either side.

The first two variants assume the buyer trusts email and can be tricked into wiring to a fake account. The next variant attacks the defense itself — the verification call.

The buyer follows best practice and calls to verify wiring instructions. But the phone number on the email is the attacker's — not the firm's. The verification call goes to the scammer, who confirms the fake instructions in a professional voice. The buyer wires the funds, having "verified" them.

A title-company employee on r/RealEstate ("Home buyer scammed out of $400,000 down payment") describes the case directly: "We had a case where the agent's email got hacked. The bad actor put their number down as the title company's number to call and confirm." (156 upvotes). The buyer did everything right — the email instructed them to call to verify, they called, they got a professional voice that confirmed the wiring details. Every box was checked. The defense had been weaponized.

This is the most insidious variant because it specifically targets buyers who have learned the verified-callback rule but execute it incorrectly — calling the number provided in the email instead of a number obtained independently. CertifID's 2024 report measured "$500 million" of all 2024 IC3 losses attributable to real-estate wire fraud, much of it from victims who believed they had verified. The Silicon Valley executive who lost $400,000 in mid-2024 (CNBC, July 2024) had checked the email signature, checked the domain, and called the number on the email. The number went to a call center the scammer operated.

The defense is the version of the verified-callback rule that uses a number obtained independently of the deal. The phone number must come from the title company's or law firm's main website — not from any email, document, or business card delivered through the deal channel. Write the number down on day one. Tape it to the inside of the transaction folder. Use that number, no other. If the email says "call to verify at this number," the email number is the scam.

The first three variants target homebuyers and individual consumers. The next two scale the same script up to businesses, where the dollar amounts grow and the email accounts under attack are larger.

A business's accounts-payable team receives invoices from a known vendor. The scammer has compromised the vendor's email account, deletes the real invoices on arrival, then resends spoofed copies with the same content but updated bank-account info. The business pays — to the scammer's account. Losses are typically $50K to $500K per incident.

The r/Scams thread "Business email was hacked, 200K lost" describes the canonical case (58 upvotes). The author's company received invoices from regular vendors via a shared business inbox. The scammer compromised that inbox, deleted real invoices on arrival, and resent spoofed versions with the vendor's name, the right amounts, and the right line items — but with new payment-routing details. The accounts-payable team did the ACH transfers as usual. By the time the real vendor called asking why their invoices had not been paid, $200,000 was gone.

This variant scales BEC from individual closings to business operations. It is the same script — compromised email account, patient reconnaissance, surgical modification of legitimate communications — applied to the AP function instead of the homebuyer wire. The FBI's 2024 IC3 PSA on Business Email Compromise updated the cumulative losses to "The $55 Billion Scam" globally between 2013 and 2023. Vendor-payment fraud is the most-reported sub-category for businesses.

Defense at the business level is procedural and infrastructural. Mandate dual approval for any vendor banking-detail change. Require a callback to the vendor's known phone number — not a number on the new invoice — for any change to payment instructions. Most companies that ship cyber insurance discover after a loss that their policy required these procedures and now exclude the loss because the procedure wasn't followed. The r/Scams top reply on the $200K case (65 upvotes): "If your business has cyber insurance it may be covered." A second top reply: "Call police. Call a lawyer. Call police."

The vendor-invoice variant compromises one party in a chain of transactions. The final variant compromises a high-privilege account that opens the door to many transactions at once.

Higher-stakes than a single-account compromise. Once the attacker has a privileged exec's M365 credentials, they can blast malicious OneDrive/SharePoint share links to all internal users plus external clients. Each clicked link harvests another credential. The cascade can produce dozens of compromised accounts inside hours, multiplying the wire-fraud surface area exponentially.

The r/sysadmin thread "Had my first real email compromise incident this week" (186 upvotes) walks through the cascade in detail. A VP-level M365 account at a 250-mailbox SMB got compromised. The attacker used the VP's account to send malicious OneDrive/SharePoint sharing links to 82 internal users plus a wider list of external partners. Each link routed to a fake login page. Recipients who entered credentials were themselves compromised, expanding the attack laterally. By the time IT detected the activity, the attacker was inside multiple accounts and had begun monitoring active deals for wire-fraud opportunities.

This variant matters for real estate because title companies, real-estate brokerages, and law firms typically run on M365 or Google Workspace and have weak Conditional Access policies. A single compromised exec account becomes a launchpad for monitoring every deal across the firm. Multiple sources cite this as the entry point for the most damaging wire-fraud cases — losses aren't limited to one buyer; they're distributed across every deal that account had access to. The r/sysadmin top reply (107 upvotes) emphasized the defensive controls: "CA can be set up to force MFA on risky signs, or require a password, all kinds of things. Look into these at a minimum. You can also utilize Defender for Cloud Apps with CA to set up a session policy."

Defense at this level is purely IT-procedural. Every M365 / Google Workspace account at a firm handling real-estate transactions must have phishing-resistant MFA (FIDO2 hardware keys or Windows Hello), Conditional Access policies that block legacy authentication, and Defender for Cloud Apps (or equivalent) session monitoring. Buyers cannot defend against this variant directly — but they should ask their closing attorney and title company what their M365 hardening looks like before transferring large sums. ALTA's 2024 study found "nearly all title companies surveyed (91%) currently provide or plan to provide education and resources to train employees on fraud," but training alone doesn't prevent credential-phishing attacks; technical controls are required.