Taxes, fraud prevention, cybersecurity and working with individuals to resolve their tax issues are some of the topics I write about, discuss, and give presentations on.  Today’s topic is about escrow hijacking which is a type of business email compromise.  So what is escrow hijacking?   

Escrow hijacking—also called real estate wire fraud or business email compromise—happens when criminals divert a buyer’s down payment or closing funds into their own account by sending fake wiring instructions that look completely legitimate. It is one of the fastest‑growing forms of real estate fraud, with losses in the billions and individual victims often losing their entire down payment in a single transaction.

What escrow hijacking looks like today

In a typical case, hackers first gain access to the email account of someone involved in the transaction, such as the real estate agent, loan officer, title company, or attorney, and quietly monitor messages about the closing. Once they know the closing date and the amount of funds needed, they step in at the last moment with “updated” wiring instructions that send the money to a criminal’s account instead of the real escrow account.

These messages usually include correct property details, the buyer’s name, the closing date, and professional logos or signatures, which make them appear authentic to even cautious buyers. Some schemes also involve spoofed phone numbers or follow‑up calls from someone pretending to be a closing agent or assistant, reinforcing the illusion that the request is legitimate.

Why the problem is getting worse

Escrow hijacking is part of a broader category known as business email compromise (BEC), which the FBI tracks as one of the most costly cybercrime threats. In 2023, more than 21,000 BEC complaints were reported in the U.S., with adjusted losses approaching $3 billion, and real estate transactions are a prime target because they involve large one‑time transfers. Between 2020 and 2022, the FBI observed a roughly 72 percent increase in losses tied to real estate wire fraud, underscoring how quickly these schemes are evolving.

Fraudsters exploit the fact that many parts of a real estate closing are handled by email, PDFs, and electronic signatures, and they search for the “weakest link” in the communication chain—often a single compromised inbox or unsecured device. Once the funds are wired to the fraudulent account, the money is often moved through multiple banks and accounts within hours, which makes recovery extremely difficult and, in many cases, impossible.

Red flags buyers and sellers should watch for

Being alert to the warning signs of escrow hijacking can make the difference between a smooth closing and a financial catastrophe. Common red flags include:

• Last‑minute changes to wire instructions, especially within 24–48 hours of closing or labeled as “urgent updates.”
• Messages that pressure you to send funds immediately or warn that your closing will be delayed or canceled if you do not act right away.
• Email addresses that are slightly off—an extra letter, number, or domain (for example, “.net” instead of “.com”)—or messages coming from personal email accounts instead of business domains.
• Wire instructions sent as attachments or links you are asked to “confirm” through an unfamiliar website, including fake DocuSign or portal links.
• Requests for secrecy, unusual payment methods, or instructions not to call to verify because “the office is very busy with closings.”

If any of these warning signs appear, stop before sending money, and verify the situation through a trusted phone number or in‑person conversation with your real estate or title team.

Concrete steps to prevent escrow hijacking

Homebuyers, sellers, and professionals can take practical steps to reduce the risk of escrow hijacking without adding much friction to the process. Consider building the following habits into every transaction:

• Verify wire instructions by phone
  Always confirm wiring instructions using a phone number you already have on file from a signed engagement letter, business card, or the company’s official website—not from the email that contains the instructions. Ask the title company or closing attorney to read the account name, account number, and routing number back to you while you check them against the written instructions.
• Treat all emailed instructions as suspicious by default
  Assume that any email containing wire instructions, changes to payment details, or requests for large transfers could be fraudulent, even if it appears to come from a familiar person. Many firms now refuse to send or accept wiring instructions solely by email and require a verbal confirmation process to add an extra layer of protection.
• Use secure portals and strong digital hygiene
  When possible, exchange sensitive information only through secure portals provided by your lender or title company rather than regular email. Protect your own devices and accounts by using strong, unique passwords, enabling multi‑factor authentication, updating software, and avoiding public Wi‑Fi for anything related to your closing.
• Double‑check before and after sending funds
  Before initiating a wire, confirm that the receiving account name matches the title company, law firm, or escrow agent—not an unfamiliar individual or LLC. After sending funds, promptly notify the intended recipient, and ask them to confirm receipt; a delay or “we didn’t get it” response can be an early warning that something went wrong while there is still time to act.
• Consider alternatives and internal protocols
  For some buyers and smaller transactions, using a cashier’s check instead of a wire may reduce exposure to electronic hijacking, though checks carry their own risks and may not be accepted in all markets. Real estate brokerages, title companies, and lenders should implement written procedures—such as callback policies, shared passcodes, and staff training—to ensure no one sends or changes wire instructions without independent verification.

What to do if you suspect fraud

Even with good precautions, fast‑moving scams can still succeed, so having a response plan is essential. If you think you have sent money to a fraudulent account, act immediately:

• Contact your bank and request a recall of the wire transfer, making clear that it is a fraud case and asking them to activate any emergency recovery procedures.
• File a complaint with the FBI’s Internet Crime Complaint Center (IC3) and report the fraud through the BEC/IC3 wire fraud recovery channel, which has recovered a significant portion of compromised funds when notified within 24 hours.
• Notify your real estate agent, lender, and title or escrow company so they can halt the transaction, review their systems for compromise, and assist with documentation.
• File a police report with local law enforcement, as this documentation can be important for any insurance claims or future legal proceedings.

Escrow hijacking thrives on speed, confusion, and misplaced trust, but a few deliberate steps—verifying instructions by phone, treating last‑minute changes with skepticism, and securing your digital communications—can dramatically lower your risk. If you work with clients regularly on real estate transactions, consider incorporating these safeguards into your standard process and educating every buyer long before they get to the wire transfer stage so their down payment doesn’t become someone else’s payday.