Compliance
Closing-wire fraud is the most expensive cyberattack in real estate — and most title and settlement firms don't realize the FTC Safeguards Rule already treats them as financial institutions. Here's the exposure and the fix.
The most expensive cyberattack in real estate isn't a dramatic breach — it's a quietly altered wire instruction at the closing table. In 2025 the FBI's Internet Crime Complaint Center recorded $275,110,419 in reported real-estate fraud losses across 12,368 complaints (FBI IC3 2025 Annual Report). And there's a second surprise underneath it: most title and settlement firms don't realize the FTC Safeguards Rule already treats them as financial institutions, with the same security obligations as a bank.
If you run a title company, an escrow operation, or a brokerage that touches closing funds, this guide is for you: the exposure, the controls that actually stop it, and the regulation you may not know you're under.
The math is simple for an attacker. A real-estate transaction moves a very large sum on a known date, through a process that involves several parties emailing each other. The attacker doesn't need malware that encrypts your files. They need to sit in a mailbox, watch a deal progress, and send a believable email changing where the money goes.
This is business email compromise (BEC), and it's the dominant loss pattern in the vertical. The attacker rarely breaks anything — they wait for a closing and change the wire instructions. By the time anyone notices, the funds have been moved through accounts and are gone.
Here's what catches title and escrow firms off guard: under the Gramm-Leach-Bliley Act, a "financial institution" is defined broadly and non-exclusively. The FTC's guidance notes the Rule covers 13 named kinds of businesses and that even that list is not exhaustive (FTC Safeguards Rule: What Your Business Needs to Know) — and 16 CFR 314.2(h) explicitly names "an entity that provides real estate settlement services" as a covered financial institution (eCFR).
Practically, that means a title or settlement firm carries the same obligations as an accounting firm or an auto dealer: a written information security program, a designated person to run it, a risk assessment, and named technical controls including MFA and encryption. Most firms in this space have never been told this. It's not a reason to panic — it's a reason to build the program now, because the controls it requires are the same ones that stop the wire fraud.
A breach-notification duty rides along too: covered firms must notify the FTC within 30 days of discovering a breach affecting at least 500 consumers (FTC).
Cyber insurers have converged on a short list for this exact risk, and they require it with no dollar floor — meaning it applies to every transaction, not just the big ones:
None of these are exotic. They're process and configuration, and they're the difference between a near-miss and a six-figure loss.
The fastest path is to treat the wire-fraud controls and the Safeguards program as one project, because they overlap almost entirely. That's how Obsidian Ridge runs it for title, escrow, and brokerage firms — see the Real Estate, Title & Escrow security page for how the funds-transfer controls and managed detection line up against both the carrier's questions and the GLBA requirements.
If you'd rather start by finding the gaps, the Cyber Insurance Readiness Sprint maps your current state against the funds-transfer and Safeguards controls in a fixed-scope, seven-business-day engagement, and produces the documented process and evidence package underwriters want.
Closing-wire fraud is the most expensive cyber risk in real estate, the FTC Safeguards Rule likely already applies to your firm, and — usefully — the controls that satisfy the regulation are the same ones that stop the fraud. Verify every wire out-of-band, lock down the mailboxes, and document the program once for both the carrier and the regulator.
Had a near-miss on a redirected wire and want it to stay a near-miss? Book a wire-fraud and readiness assessment.
Last updated
June 17, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Business email compromise that diverts a closing wire. An attacker quietly monitors a mailbox, waits for a transaction to near closing, and sends altered wire instructions to the buyer or the settlement firm. The FBI's IC3 recorded $275,110,419 in reported real-estate fraud losses across 12,368 complaints in 2025 — the attacker rarely 'breaks' anything; they redirect money.
Yes. The Safeguards Rule's definition of a covered 'financial institution' explicitly includes entities that provide real-estate settlement services. That means title and escrow firms carry the same written-information-security-program, MFA, and encryption obligations as accounting firms and auto dealers — a fact most settlement firms are surprised to learn.
The single most effective control is out-of-band verification: before sending or changing any wire, confirm the instructions by calling a known, independently verified phone number — never a number from the email itself. Pair that with MFA on every mailbox, monitoring for malicious inbox rules, and dual authorization above a threshold. These are also the exact controls cyber insurers require with no dollar floor.
It depends on the facts, but the financial and reputational damage usually lands hard on the firm whose email was compromised or whose process failed to verify — through errors-and-omissions claims, lost funds, and destroyed local referral relationships. Prevention is far cheaper than the dispute over who pays.
Related reading
Most dealerships that arrange financing are 'financial institutions' under the FTC Safeguards Rule — which means a specific, named cybersecurity program is required by regulation. Here's what's on the list and how to satisfy it.
Read articleProperty managers hold tenant SSNs and bank details, pull credit reports under FCRA, and move owner money — making them a prime target for wire fraud and data theft. The real exposures and the controls that close them.
Read articleContracting services were the second-most-reported non-critical sector in the FBI's 2025 ransomware data. The two exposures that actually hurt a construction firm — project downtime and progress-payment wire fraud — and how to close them.
Read article