Own Luxury Homes®

How Fraudsters Impersonate Title Companies

5 attack methods: domain spoofing (one-char difference), EAC (hacked real account — filters pass), conversation hijacking (reply in real thread), AI voice cloning (callback from cloned voice), urgency attack (time pressure to skip verification). One defense defeats all: call independently-obtained website number before any instructions arrive. Receiving callbacks cannot confirm legitimacy — caller ID and voice can be faked. Own Luxury Homes® 12-Point Agent Integrity Audit™ — all attack methods explained.

How Fraudsters Impersonate Title Companies: The Technical Methods and How to See Through Every One

BEC

Business Email Compromise is the primary attack method: fraudsters create spoofed email addresses with one-character differences that are invisible to most buyers reading quickly

EAC

Email Account Compromise attacks send from the real, legitimate email address — because the fraudster has hacked the actual account; the only defense is phone verification, not email inspection

AI voice

In 2025–2026, AI voice cloning enables fraudsters to impersonate agents and title company staff by phone; the defense is calling out, not receiving calls, using independently-verified numbers

Same thread

"Conversation hijacking" inserts the fraudster into the actual existing email thread, making their message appear as a legitimate reply in the ongoing closing conversation

Understanding how wire fraud is executed is the fastest way to understand why the verification protocol works and why no other approach is sufficient. The attacks are sophisticated. They are designed specifically to defeat email-based verification. They evolve as buyers become more aware. This guide explains every current method, why each is effective, and the specific element of the verification protocol that defeats it.

THE OWN LUXURY HOMES® DIFFERENCE

We prohibit dual agency and have no incentive to pocket-list. This guide gives you the honest analysis of when off-market serves you and when it serves your agent.

Talk to a specialist ›

Attack Method 1: Domain Spoofing

The Single-Character Attack

Fraudsters register domains that are nearly identical to legitimate title companies: titlecompany.com → titiecompany.com (lowercase L replacing i) titlecompany.com → title-company.com (hyphen added) titlecompany.com → titlecomapny.com (transposed letters) atxclosingco.com → atxclosingco-secure.net (different TLD, added word) The display name in the email will show "Sarah Johnson, ATX Closing Co" — the fraudster has copied the legitimate agent's name and company exactly. Most email clients show the display name, not the domain, by default. The domain difference is only visible if the buyer clicks to see the full address. How the protocol defeats this: you call the number from the official website, not the email. It doesn't matter how convincing the email looks if you don't use it as your verification channel.

Attack Method 2: Email Account Compromise (EAC)

When the Email Is Real and Still Dangerous

In EAC attacks, the fraudster doesn't spoof anything. They hack the legitimate email account of a real party — most commonly the title company, real estate agent, or attorney. Then they send from that actual account. Your email filters see a legitimate sender. The domain is real. The previous email history appears in the thread. There is no technical indicator of fraud in the email itself. The email simply contains fraudulent wire instructions. How the protocol defeats this: the verification call is to a number from the official website — which the fraudster cannot intercept simply by controlling the email account. Even if the fraudster is sending from the real account, they cannot answer your call to the real office phone. This is why EAC attacks make the phone verification protocol not optional but absolutely required.

Attack Method 3: Conversation Hijacking

Inserting Into Your Real Email Thread

The most sophisticated BEC variant: the fraudster monitors your email thread, waits until a natural point of transition (title company confirms receipt of executed contract, or sends a status update), then sends a message that appears to be a reply in that thread from a spoofed address with virtually identical formatting. The email appears in the middle of a thread you trust, surrounded by legitimate communications. The context makes it look completely legitimate. The wire instructions are in a "P.S." or an attachment attached to an otherwise normal-looking email. How the protocol defeats this: any set of wire instructions, regardless of where they appear in the thread, triggers the same verification call to the independently-verified phone number. The protocol applies every time, unconditionally.

Attack Method 4: AI Voice Cloning — The 2025–2026 Evolution

When the Phone Call Itself Is Faked

AI voice cloning technology allows fraudsters to clone a person's voice from as little as 3 seconds of audio (available on social media, voicemail recordings, or YouTube videos of agents, brokers, and title company staff). The attack sequence: (1) Buyer receives fraudulent email with fraudulent wire instructions. (2) Buyer calls to verify (smart). (3) Fraudster, who has compromised the title company's call routing or uses a spoofed number, answers or calls back with an AI-cloned voice of the legitimate agent or title officer. (4) The "verification call" appears to confirm the fraudulent instructions. (5) Buyer wires the money. The defense: you must call out, not receive a call back, using only the independently-verified number from the official website. Ask the person to confirm a specific transaction detail that only the legitimate party would have in their records: "Can you confirm the exact dollar amount and the property address in our file?" An AI voice impersonator who has not hacked the actual closing software cannot confirm those details accurately.

Attack Method 5: The Urgency Attack

Creating Pressure to Bypass Verification

Even unsophisticated fraudsters can succeed if they create enough pressure to prevent the buyer from completing the verification protocol. Common urgency attacks: "If the wire is not received by 2pm today, your closing will be delayed" "The seller has indicated they will cancel if funds aren't confirmed by end of day" "Due to our banking partner change, funds sent to the old account will be returned, causing a 5-day delay" These messages are designed specifically to make the three-minute verification call feel like it would cost you the deal. The reality: legitimate title companies do not issue ultimatums over wire timing that would override standard verification practices. Any pressure to wire quickly without verification is itself a signal that something is wrong. The urgency is the attack.

Attack Type	How It Works	What Defeats It
Domain spoofing	Near-identical domain; display name hides difference	Call independently-obtained number; domain doesn't matter
Email account compromise (EAC)	Sends from legitimate hacked account; filters pass	Call out to verified number; fraudster can't answer your call to the real office
Conversation hijacking	Inserts into real thread; appears as legitimate reply	Verification protocol applies to ALL wire instructions regardless of thread context
AI voice cloning	Calls back with cloned voice of legitimate agent	Call out (don't receive calls); verify specific transaction details attacker can't know
Urgency attack	Creates time pressure to prevent verification	Urgency is itself a red flag; legitimate closings accommodate the 3-minute verification call

“The question I get asked most by buyers who've heard about wire fraud: "Couldn't I just check the email address?" The honest answer: in 2026, no. Domain spoofing makes one-character differences almost invisible. Email account compromise means the real address sends the fraud. AI voice cloning means a callback can be faked. The only attack-proof verification is: call a number you obtained independently, before the attack happened, from a source the attacker cannot control. The title company's official website, obtained at contract signing, before any wire instructions arrive, is that source. Every other approach has a known attack vector. This one doesn't.”

— Ryan Brown, Principal Broker & CEO, Own Luxury Homes®

How do fraudsters impersonate title companies in real estate?

Five primary methods: (1) Domain spoofing: register nearly identical domain with one-character difference; copy legitimate display name. (2) Email account compromise: hack the real email account and send from the legitimate address. (3) Conversation hijacking: insert fraudulent email appearing as reply in legitimate thread. (4) AI voice cloning: clone agent or title officer voice for fraudulent callbacks. (5) Urgency attacks: create time pressure to prevent buyer from completing verification. The defense against all five: call the title company using a phone number from their official website, obtained before receiving any wire instructions.

Can I trust a callback to verify wire instructions?

No. Receiving a callback cannot confirm legitimacy because fraudsters can spoof caller ID and now clone voices with AI. The safe verification method: you initiate the call to a number obtained independently from the title company's official website. Do not call any number provided in an email. Do not trust a callback even if it sounds like your agent or title officer. Call out, using your pre-verified number, every time.

Related Guides

Own Luxury Homes® — wire fraud attack methods explained to every buyer before closing. 12-Point Agent Integrity Audit™. Request a verified buyer specialist ›

"The introduction Own Luxury Homes® makes is to a specialist with documented closing history in your specific market — not the county, not the metro, the submarket you're actually selling or buying in. That's the standard we verify before your name goes anywhere."

— Ryan Brown, Principal Broker & CEO, Own Luxury Homes® (FL License BK3626873)