Wire Fraud and BEC in Real Estate: Security Checklist for CRE Firms
Wire fraud costs real estate firms millions per year. A security checklist covering email auth, M365 controls, and payment verification for CRE firms.

Real estate closings move large sums of money on tight deadlines between parties who often communicate exclusively by email. That combination makes commercial real estate firms, title companies, and development organizations some of the highest-value targets for business email compromise. The FBI’s Internet Crime Complaint Center has flagged real estate wire fraud as a growing threat category, with individual transaction losses routinely exceeding $100,000.
Wire fraud and BEC are not ransomware. There is no malware to detect, no files get encrypted, and no security tool triggers an alert. An attacker sends a convincing email with modified wiring instructions, and someone in your closing chain sends money to the wrong account. By the time anyone notices, the funds are gone. This post covers the specific email security, access controls, and verification workflows that prevent it.
Why Real Estate Transactions Are Prime BEC Targets
The structure of a real estate deal creates several vulnerabilities that attackers exploit.
Multiple parties exchanging financial details. A single commercial transaction can involve a buyer, seller, both agents, a title company, an escrow officer, a lender, and attorneys. Wiring instructions pass between these parties by email, often with last-minute updates. Each handoff is an opportunity for an attacker to intercept or impersonate.
High dollar amounts per transaction. Commercial deals regularly involve wire transfers of $500,000 to several million dollars. A successful redirect of a single closing wire produces a larger payout than months of targeting smaller businesses with invoice fraud.
Deadline pressure. Closings have fixed dates. A financing contingency expires. A rate lock window is closing. When the title company receives an email at 4:30 PM the day before closing with “updated” wiring instructions from the seller’s attorney, the pressure to process quickly and close on time works directly in the attacker’s favor.
Predictable timing. Real estate transactions follow public records. An attacker can monitor MLS listings, county filings, and commercial real estate news to identify when a closing is approaching, then time their fraudulent wiring instructions for maximum plausibility.
These factors are why the FBI and the American Land Title Association have both issued repeated warnings about real estate wire fraud specifically. This is not a generic cybersecurity problem but an industry-specific threat that requires industry-specific controls.
Email Authentication: DMARC, DKIM, and SPF
The first line of defense is making sure no one can send emails that appear to come from your domain. Three email authentication protocols work together to accomplish this.
SPF (Sender Policy Framework) publishes a list of mail servers authorized to send email on behalf of your domain. If an attacker tries to send an email from a random server using your domain name, the recipient’s mail system can check your SPF record and flag or reject the message.
DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every outgoing email. The recipient can verify that the message content has not been altered since it left your mail server.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy that tells receiving mail servers what to do when authentication fails. The three options are none (monitor only), quarantine (move to junk), and reject (block entirely).
Most organizations have SPF configured because it is a basic DNS record. Far fewer have DMARC set to reject, which is the only setting that actually blocks spoofed emails. If your DMARC policy is set to “none,” attackers can still send emails that look like they come from your domain and they will reach the recipient’s inbox.
For a title company or CRE firm that sends wiring instructions by email, this is not optional. If your domain can be spoofed, an attacker can send your clients fake wiring instructions that appear to come directly from your email address. Setting DMARC to reject is the single most impactful technical control you can implement. We covered these protocols in detail in our BEC action plan, including how to check your current configuration.
Every organization in your transaction chain needs this configured. If your firm has strong email authentication but your escrow partner’s domain can be spoofed, your clients are still at risk. When evaluating third-party firms you work with on transactions, ask whether they have DMARC set to quarantine or reject. If they don’t know, that is useful information.
M365 Conditional Access and Account Protection
Most commercial real estate firms and title companies run on Microsoft 365. That means your email security depends heavily on how M365 is configured, and default settings are not sufficient for organizations handling wire transfers.
Conditional access policies go beyond basic multi-factor authentication. They let you define rules about who can access your email, from where, and under what conditions.
Block legacy authentication protocols. Older protocols like POP3, IMAP, and SMTP AUTH do not support MFA. Attackers use them to bypass your MFA requirements entirely. A conditional access policy that blocks these protocols eliminates one of the most common account compromise techniques.
Require compliant devices. Restrict email access to devices enrolled in your organization’s management system. This prevents an attacker with stolen credentials from logging in on an unmanaged device, even if they pass the MFA challenge.
Location-based restrictions. If your firm operates in Texas and Oklahoma, there is no reason for someone to access your email from Eastern Europe at 3 AM. Conditional access can block sign-ins from countries or IP ranges outside your normal operations.
Risk-based sign-in policies. Microsoft Entra ID Protection assigns a risk score to each sign-in based on factors like impossible travel, anonymous IP addresses, and password spray patterns. Conditional access can automatically block or require additional verification for high-risk sign-ins.
Beyond conditional access, enable mailbox audit logging to track who accesses each mailbox and what actions they take. When an attacker compromises an email account, they typically set up inbox forwarding rules to redirect copies of incoming mail to an external address. Audit logs let you detect this quickly.
Priority account protection allows you to flag high-value accounts such as partners, closing coordinators, escrow officers, and controllers for stricter security policies and enhanced monitoring. Microsoft 365 Defender applies additional heuristics to messages involving these accounts.
If you are running M365 and haven’t configured conditional access policies, your IT provider should make this a priority. The license for conditional access is included in Microsoft 365 Business Premium, which most SMBs already have.
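Detecting the external forwarding rules mentioned above comes down to filtering audit entries for rule and mailbox changes that carry a forwarding parameter pointing outside your own domains. The sketch below is an added example, not part of the original post; the records are constructed and simplified, and the internal domain list is an assumption you would replace with your accepted domains.

```python
# Added example: flag audit entries that forward or redirect mail outside the firm.
# AUDIT_RECORDS is constructed and simplified; it mirrors the Operation / UserId /
# Parameters layout of Exchange Online audit entries. INTERNAL_DOMAINS is an assumption.
import re

INTERNAL_DOMAINS = {"example-title.test"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

AUDIT_RECORDS = [
    {"CreationTime": "2024-05-01T21:14:09", "Operation": "New-InboxRule",
     "UserId": "closer@example-title.test", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardTo", "Value": "smtp:drop@mailbox.example"}]},
    {"CreationTime": "2024-05-02T09:02:41", "Operation": "Set-Mailbox",
     "UserId": "admin@example-title.test", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:escrow@example-title.test"}]},
    {"CreationTime": "2024-05-02T10:30:00", "Operation": "New-InboxRule",
     "UserId": "agent@example-title.test", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2024-05-02T11:00:00", "Operation": "MailItemsAccessed",
     "UserId": "agent@example-title.test", "ClientIP": "198.51.100.21"},
]

def external_forwarding(records, internal=INTERNAL_DOMAINS):
    """Return one hit per forwarding target whose domain is not internal."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARD_PARAMS:
                continue
            for match in ADDRESS.finditer(param.get("Value", "")):
                if match.group(1).lower() not in internal:
                    hits.append({"time": rec.get("CreationTime"),
                                 "user": rec.get("UserId"),
                                 "ip": rec.get("ClientIP"),
                                 "operation": rec["Operation"],
                                 "parameter": param["Name"],
                                 "target": match.group(0)})
    return hits

if __name__ == "__main__":
    for hit in external_forwarding(AUDIT_RECORDS):
        print(hit)
```
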
Payment-Change Verification Workflows
Technical controls reduce the attack surface, but verification workflows are what stop a wire from going to the wrong account when an attacker does get through. Every firm that sends or receives wiring instructions needs a written policy that covers these scenarios.
Out-of-band verification for every wiring instruction change. If you receive updated wiring instructions by email, verify them by phone using a number you already have on file. Not a number from the email. Not a number from the signature block. A number from your CRM, your vendor master file, or your original engagement letter. This single step prevents the majority of real estate wire fraud.
Verbal confirmation with a pre-established passphrase. Phone callbacks alone are not sufficient against AI-powered voice cloning. Establish a verbal passphrase with every counterparty at the beginning of a transaction. When you call to verify wiring instructions, ask for the passphrase. A cloned voice cannot provide a code it does not know.
Dual authorization for outgoing wires. No single person should be able to initiate and approve a wire transfer. Require two authorized individuals to sign off on every outgoing wire, with the second approver independently confirming the recipient’s bank details through a separate channel.
Wiring instruction lockdown period. Establish a policy that wiring instructions received within 24 hours of closing receive enhanced scrutiny. Last-minute changes to bank details are the most common real estate BEC pattern. If wiring instructions change close to closing, pause and verify through multiple channels before proceeding.
Document and distribute the policy. A verification process that exists only as an informal understanding between two people will fail under pressure. Write the policy down, distribute it to every person involved in payment processing, and make it clear that no exception exists for urgency, seniority, or confidentiality. We have published a Wire Transfer Verification Policy Template that you can download and adapt to your firm’s specific operations.
The Full Checklist
Here is the complete set of controls, organized by implementation priority.
Email Authentication (implement immediately)
- SPF record configured and accurate for all sending domains
- DKIM signing enabled for all outbound email
- DMARC policy set to quarantine or reject (not “none”)
- DMARC reporting configured to monitor authentication failures
- Email authentication status verified for key transaction partners
M365 Account Protection (implement within 30 days)
- Multi-factor authentication enforced on all accounts
- Legacy authentication protocols blocked via conditional access
- Conditional access requires compliant or managed devices for email
- Location-based sign-in restrictions configured
- Risk-based sign-in policies enabled in Entra ID Protection
- Mailbox audit logging enabled
- Priority account protection configured for key personnel
- Inbox forwarding rules reviewed and external forwarding disabled
Payment Verification Workflows (implement immediately)
- Written wire transfer verification policy distributed to all staff
- Out-of-band verification required for all wiring instruction changes
- Pre-established passphrases used with transaction counterparties
- Dual authorization required for all outgoing wire transfers
- Enhanced scrutiny policy for wiring changes within 24 hours of closing
- Contact numbers verified from original records, not from emails
Training and Awareness (implement within 60 days)
- Security awareness training program with BEC-specific scenarios
- Real estate wire fraud simulations for finance and closing teams
- Incident response procedure documented for suspected BEC
- Regular review of verification policy compliance
Where to Start
If you are a CRE firm, title company, or development organization that has not implemented these controls, start with two actions: set your DMARC policy to reject and distribute a written wire transfer verification policy. Those two steps address the highest-risk attack patterns at zero or minimal cost. From there, move into M365 conditional access configuration and formalized security awareness training.
For a deeper look at BEC trends and the financial data behind these recommendations, see our coverage of the FBI’s $55 billion BEC report and our BEC action plan for SMBs.