in this issue

In a recent sale transaction, a real estate agent had his email account hacked. The hacker was watching emails going to and from the agent and the escrow officer. When the transaction was getting ready to close, the hacker created a fake email account that, upon a cursory glance, looked like the escrow officer’s email account but was only slightly different.

Then, the hacker attempted to have the buyers wire their closing funds to an unrelated third party by sending an email to the agent, with a copy to the buyer, purporting to be from the escrow officer, using the faked email account.

The email from the hacker read as follows:

  Hi Guadalupe, closing on the 16 June by 4 pm & statement process is progressing and you will get the buyer to wire there fund this week today to enhance smooth closing

The buyers had already signed their closing documents and deposited their closing funds with a cashier's check in the amount of $33,000, and so the buyers responded:

  Sorry, I don't understand the request, my personal funds are already in the escrow account? Does this refer to me contacting my bank to get their funds deposited into the account or does that just happen?

The hacker's response:

  You are required to get your lender to get fund deposited into the account I will give you the wire instruction if you able to wire funds today so let me know.

The buyer:

  Okay will get it done today, please send instructions.


  Here you go, attached is the wire instruction kindly send the confirmation of transfer once done for reference purpose.

The buyers dutifully forwarded the emailed wire instructions to their lender, thinking they needed them in order to fund the loan. Much to the loan officer’s surprise, when she opened the attachment she discovered wire instructions to an account of an unrelated third party named Jane Doe. The loan officer then forwarded the email to the REAL email account of the escrow officer, who in turn shared the whole chain with FNF’s national escrow administrator.

The national escrow administrator sent the email string along with the wire instructions to the bank in Texas where Jane Doe's account was held, informing them their account holder was attempting to divert and steal $33,000 from unsuspecting buyers in a real estate transaction.

The bank in Texas immediately contacted Jane Doe only to discover she was not a criminal at all. Instead, Jane was actually a victim in the foiled crime. The bank representative called FNF's national escrow administrator to share additional details they learned from Jane.

The representative said Jane was an elderly woman who had been notified by email she had won a lottery amounting to millions of dollars. The notification stated she had to pay a fee to a law firm in order to collect her winnings. The notification went on to say the host of the lottery would loan her the money to pay the law firm until she received her winnings. Thereafter the amount of the loan would be deducted from her winnings.

Jane received a separate email notification asking for her bank account information so the loan funds could be wire transferred to her account. She obliged with the request and waited for the funds to arrive. She had every intention of turning around and remitting the funds to the "law firm." Thanks to this particular buyer, however, the funds never arrived. The bank told Jane she was involved in a scam and they are actively helping her change her bank account information.




In most cases, a non–FNF email account of a party to the transaction is compromised with the attacker sending fraudulent emails in each direction during the wire transaction.

  • Attacker compromises an email account of a party to the transaction and monitors emails relating to the transaction. As FNF accounts are protected through a variety of means, it is outside email accounts, like real estate agents, lawyers, buyers and sellers, which are being compromised.
  • Attacker sees emails containing wiring instructions, and intercepts and deletes the email within the compromised account.
  • Attacker sends a fake or spoofed email to a wire remitter (buyer or escrow officer) appearing to come from the party who had sent the legitimate wire instructions; and this faked or spoofed email contains fraudulent wiring instructions.
  • Buyer or escrow officer receives the fake email and unknowingly wires the money to the fraudulent account, then emails the sender that the transaction has been completed.
  • Attacker then intercepts and deletes further emails traveling both ways to create confusion, all the while covering their tracks and escaping with the money.

Customers have no reason to suspect the new wire instructions they receive are fraudulent since the email appears to be sent from a legitimate email address. As a result of this fraud, the Company and our customers can potentially be swindled out of large sums of money.

The Company is continuing to emphatically exhort our direct operations to educate their business partners on the latest scheme so that they can make the changes previously recommended by the Company to their internal policies relating to the acceptance of wiring instructions. Recommend any party to the transaction confirm all wiring instructions sent by email with a phone call to a known, good phone number.

Settlement agents sending out wire instructions to customers could include an alert in either their initial communications with customers or in their signature blocks. The alert could read that email recipients of wire instructions should immediately call the escrow settlement agent directly to confirm the legitimacy of the enclosed wire instructions. Here is a sample message added to escrow settlement agent's signature blocks:

**Be aware! Online banking fraud is on the rise. If you receive an email containing WIRE TRANSFER INSTRUCTIONS call your escrow officer immediately to verify the information prior to sending funds.**



stop fraud! share
FNF Home