Last reviewed: July 2026
Their playbook
Weeks before closing, attackers compromise an email account in your deal — an agent's, a lender's, occasionally yours — or register a lookalike domain one character off. They read silently, learn names and dates and deal rhythm, then strike near closing with instructions (or an 'update') that reference your actual transaction with perfect fluency. The tone is helpful, the timing plausible, the pressure gentle. Nothing about it 'looks phishy' — that's the point.
Your ritual (four steps, zero exceptions)
- Independently source the phone number: from this website or your title commitment — NEVER from the email carrying the instructions
- Call and verify verbatim: bank name, account name, account number, every digit, read back both ways
- Treat ANY change as an attack: our instructions do not change mid-transaction; 'updated instructions' means call immediately, wire nothing
- Confirm receipt: after sending, confirm the escrow received it — same day, affirmatively
If money already moved
Minutes matter more than anything you will do afterward: (1) your bank's fraud line — demand a recall and SWIFT/Fedwire trace; (2) the receiving bank's fraud department; (3) us; (4) IC3.gov complaint (triggers the FBI's Financial Fraud Kill Chain, most effective in the first 72 hours on wires over $50,000); (5) preserve every email with full headers for investigators. Partial recoveries happen — nearly always for victims who moved within hours.
Questions to ask ANY title company
- How do you deliver wiring instructions, and will they ever change?
- Do you verify disbursement instructions by callback? To numbers sourced from where?
- Is your escrow account segregated and reconciled three ways?
- What happens at your office when something feels wrong — can staff stop a wire?