One inbox. One wire. One closing gone.
Title companies are the number one target for real estate wire fraud. Every closing moves a large wire on a predictable schedule, coordinated almost entirely over email — which makes one compromised inbox worth more to an attacker than an entire law firm's file room.
What a wire fraud actually costs a title company
In one closing we responded to, an attacker took over a closer’s inbox and sent fraudulent wire instructions on a real pending transaction — a high-six-figure wire, moving on a real deadline, to the wrong account. We documented the entire response in our BEC wire fraud incident report. That is the scenario every title company is one bad login away from, every single day it has closings on the calendar.
The math is brutal because there’s no partial version of this loss. A wire that clears to a fraudulent account is gone. Recovery through the bank’s fraud department is possible in the first hours, unlikely after that. Beyond the money: a lost closing, a client relationship that doesn’t survive the story, a call to your E&O carrier, and in most states a breach notification review. None of that is optional once the wire clears.
Why title companies specifically get targeted
Attackers target title and escrow companies because the transaction structure does the targeting for them: a large, time-sensitive wire, coordinated by email, between parties who have often never spoken by phone. Compromise one mailbox — a closer, an escrow officer, a lender’s loan coordinator — and you have visibility into which deals are closing this week and for how much.
In our BEC case, the attacker didn’t send one fraudulent email and disappear. They stayed logged into the account and created mail-blocking rules against the firm’s funding desk and a coworker who would have caught the fraud — an attempt to keep the scheme alive long enough for the wire to actually move. That’s the pattern we look for in every closing-day compromise: not just the fraudulent email, but the filters and forwarding rules an attacker sets up to keep watching.
Where the door was left open
The entry point in that incident was multi-factor authentication enrolled but not enforced at the tenant level. The account “had 2SV” in the sense that the user had set it up — but Google Workspace only challenges for 2SV when a sign-in looks suspicious, and the attacker’s login never tripped that heuristic. Password alone got them in. That gap — the difference between MFA turned on for a user and MFA enforced across a tenant — is one of the most common findings we see auditing title company email systems, and it is entirely closable before it costs anyone a closing.
What ALTA Best Practices requires here
The American Land Title Association’s Best Practices framework exists largely because of this exact threat. The wire fraud and information security pillars call for verified, out-of-band confirmation of wire instructions, documented information security controls, and an incident response plan — the things underwriters and lenders check for during a Best Practices review. We build the technical controls to match: enforced MFA, email authentication (DMARC/SPF/DKIM) that makes spoofed sender domains harder to pull off, and monitoring tuned to catch the mailbox rules and login anomalies that show up during an active compromise.
How Limehawk builds the wire fraud prevention program
Every title company we work with gets the same baseline, then we layer on what the firm’s transaction volume and closing software require:
- Enforced MFA, tenant-wide — not optional, not per-user opt-in.
- Email authentication and filtering — DMARC/SPF/DKIM plus the core security suite’s email filtering included in every managed plan.
- Out-of-band wire verification procedures — documented steps for confirming any change to wire instructions by phone, to a number on file, before funds move.
- Monitoring for compromise indicators — mailbox forwarding rules, new inbox filters, and sign-ins from unexpected locations, the exact signals that showed up in our BEC case.
- Staff training — closing-day social engineering recognition for the people who actually receive the fraudulent emails.
- Documentation for ALTA and underwriter review — the controls and audit trail written down, not just configured.
This runs on top of our standard managed IT and security baseline — $150 per user per month, 24/7 monitoring, endpoint detection and response, and patch management included, with a <15 minute response commitment on anything critical. No multi-year contract; month-to-month, published pricing.
Fifteen minutes with Corey Watson — the person who wrote the BEC report above and who will design your wire fraud controls.
Book a call →or call +1-865-500-4055
Book fifteen minutes with Corey Watson to review your email security and wire verification controls before a closing, not after.
Title company IT, plainly explained
Pricing included — because “call for pricing” is how IT companies hide the number.
See full pricing →Why are title companies such a common wire fraud target?
Every closing routes a large wire through the title company on a predictable timeline, and the coordination happens almost entirely over email. An attacker who compromises one inbox — a closer, an escrow officer, a lender contact — can insert fraudulent wire instructions into a real transaction and walk away with the funds before anyone checks a phone number.
What does a business email compromise actually cost a title company?
In the case documented in our BEC incident report, the funds at risk were high six figures on a single closing. Beyond the wire itself, a successful fraud means a lost closing, a client who no longer trusts your firm, likely notification obligations, and a conversation with your E&O carrier. The cost of prevention is a rounding error next to that.
Does Limehawk work with ALTA best practices?
Yes. We build controls around the ALTA Best Practices framework — particularly the wire fraud and information security pillars — including email authentication, verified wire instruction procedures, and the documentation trail underwriters and lenders expect to see during a review.
Is enrolling in MFA enough to stop this?
No, and that gap is exactly what caused the incident in our BEC report: the account had multi-factor authentication enrolled but not enforced at the tenant level, so a clean-looking login slipped through on a password alone. We configure and verify enforcement, not just enrollment.
What's included in the wire fraud prevention program?
Email security and authentication (DMARC/SPF/DKIM), enforced multi-factor authentication across the tenant, out-of-band wire instruction verification procedures, monitoring for the mailbox rules and forwarding filters attackers use to hide fraud in progress, and staff training on closing-day social engineering.
What does this cost?
Base managed IT and security is $150 per user per month, minimum 3 users, month-to-month with no contract. That includes 24/7 monitoring, EDR, patch management, and email security. Security awareness training is $3/user/month on top. Full pricing is published at /pricing.