Title Company Impersonation: How It Works and How to Prevent It

The Entity Buyers Trust Most at Closing Is the One Fraudsters Impersonate Most

In a real estate transaction, the title company holds a specific kind of authority in the buyer's mind. They are the neutral, professional party handling the most sensitive mechanics of the closing — the custody of funds, the confirmation of clear title, the final wire instructions. When a buyer receives a communication that appears to come from the title company, they are primed to trust it without question. That trust is exactly what fraudsters exploit.

A fraudster impersonating a trusted party — a title company, agent, or lender — is one of the primary mechanisms behind business email compromise, which remains one of the highest-loss cybercrime categories in the country. Closinglock

The criminal uses fake email accounts, phone numbers, or websites to impersonate a legitimate business and convince the buyer to divert their closing costs into a fraudulent account. The buyer then mistakenly wires money to the criminal rather than to the title company. Proliantsms

Title company impersonation is not a fringe tactic. It is the dominant fraud pattern in real estate wire theft. A survey of title professionals found that 17% of title companies experienced wire fraud and 28% had customers who experienced fraud. In every one of those cases, the fraud began with someone or something appearing to be the title company when it was not. First American

This post walks through exactly how title company impersonation is executed, what forms it takes, and — most importantly — how agents, buyers, and transaction coordinators can build the habits and processes that prevent it.

What Title Company Impersonation Actually Means

Title company impersonation encompasses several related fraud techniques, all of which share a common goal: convincing a buyer or seller that they are receiving legitimate wiring instructions from the title company when they are, in fact, receiving instructions from a fraudster. The specific execution varies, but the four primary methods are consistent across documented cases nationwide.

Method 1: Spoofed Email Addresses

This is the most common and widely documented form. The fraudster creates a sending address that is visually similar to the title company's real domain but differs in one or two characters.

Some criminals will create a fake website with a domain name that is slightly different from the title company's real website. Even a slight difference in the email address indicates the email is likely from a fraudster. First American

Common variations include: adding a hyphen to the domain (title-company.com instead of titlecompany.com), swapping a letter for a visually similar character ("rn" for "m," capital "I" for lowercase "l"), changing the top-level domain (.net or .co instead of .com), or adding a word to the domain (titlecompanyllc.com instead of titlecompany.com).

Most email clients — Gmail, Outlook, Apple Mail — display only the sender's name by default, not the actual sending address. A buyer who has been receiving legitimate emails from "Premier Title" for six weeks will not instinctively check whether the seventh email came from premierttitle.com versus premiertitle.com. That single transposed letter is the entire foundation of the fraud.

Method 2: Compromised Inbox Impersonation

More sophisticated than address spoofing — and harder to detect — is the scenario where a fraudster gains actual access to the title company's legitimate email account and uses it directly.

Attackers often monitor communications to insert themselves at crucial moments, such as just before a wire transfer. It's not uncommon for attackers to create mail rules upon entry to provide filtering or backdoor capabilities. Stewart

When a fraudster operates from inside the real inbox, the buyer has no way to detect the fraud through email inspection alone. The sending address is correct, the signature is real, the thread history is intact. The only protection that works in this scenario is independent phone verification using a number that was saved before the suspicious email arrived — not a number from any email in the thread, which the fraudster can alter.

In 2024, a Connecticut homebuyer named Richard Bates lost $597,000 after receiving a fraudulent email with fake wire instructions. The hackers had accessed sensitive transaction details by breaching the law firm's emails involved in the transaction. Bates, believing the email to be legitimate, wired the funds, of which only $129,000 was recovered. Certifid

Method 3: Cloned or Spoofed Websites

Fraudsters create fake websites — spoofed sites dressed up to look identical to the real, legitimate site. The spoofed site tricks users into entering login credentials or other sensitive information. These deceptive URLs may contain subtle misspellings, additional characters, or unfamiliar domain extensions. Qualia Insight

A buyer who receives a suspicious email and attempts to "verify" it by clicking a link in that email may find themselves on a website that looks exactly like the title company's real site — same logo, same fonts, same page layout, same contact information — but is entirely under the control of the fraudster. Any phone number listed there is the fraudster's phone number. Any form submitted there sends data to the fraudster. Any wire instructions provided there are fraudulent.

This is why the rule "use a phone number from the email to verify" is so dangerous. The entire environment of a sophisticated impersonation attempt — the email, the website, the phone number — may be fabricated. The only truly safe verification step is calling a number that was saved from an independent source before any suspicious communication arrived.

Method 4: Lender and Payoff Impersonation

Title company impersonation is not limited to buyer-side wire fraud. It also encompasses a growing attack category targeting seller proceeds.

Lender or broker impersonation involves criminals posing as a lender or broker and sending false payoff statements or last-minute disbursement changes. Closesimple

A growing scam involves fraudsters impersonating mortgage lenders to divert payoff funds during real estate transactions. Using phishing or hacking, they intercept and alter payoff instructions, pressuring title companies with urgent requests. According to the 2024 State of Wire Fraud report, this accounted for 47% of all real estate wire fraud losses in 2022. Certifid

In this variation, the target is not the buyer but the title company itself — which receives what appears to be updated payoff instructions from a lender or notice of banking changes, processes the wire according to those instructions, and discovers later that the funds went to a fraudulent account rather than the legitimate lender. Both parties are victimized: the title company faces liability and reputational damage, and the seller's transaction is thrown into legal chaos.

Why Title Company Impersonation Is So Effective

Understanding why this scam works at such scale is important, because the answer points directly toward the preventive measures that actually make a difference.

The first reason is timing. These conditions make it easier for fraudsters to insert themselves into the transaction at the right moment — real estate transactions create a unique environment for fraud risk. The fraudulent instruction arrives in the closing window — when a buyer is emotionally invested, under time pressure, and expecting to hear from the title company about exactly this topic. A message about wire instructions from the title company two days before closing is not suspicious. It is expected. Closinglock

The second reason is authority. Buyers hold title companies in a specific kind of professional regard. The title company is not the agent, who the buyer has a personal relationship with. It is a specialized professional entity whose job is precisely to handle this kind of information correctly. When an instruction arrives from what appears to be that authority, buyers feel they are receiving guidance from the right source — and the instinct to verify rather than trust is suppressed.

The third reason is technical accessibility. Without DMARC enforcement, there is nothing stopping a fraudster from sending an email that looks like it comes from your title company's domain to a borrower with fake wire instructions. Checking dozens of real title company domains nationally, researchers found that roughly 30% had no email spoofing protection at all — meaning anyone with basic technical knowledge could send a convincing impersonation email without compromising a single inbox. The barrier to executing a basic impersonation attack is extraordinarily low. Pinpointfieldservices

What a Real Impersonation Attempt Looks Like

The anatomy of a title company impersonation follows a consistent pattern that agents and buyers can learn to recognize.

The setup email: A few days before closing, a buyer receives an email that appears to be from the title company. The subject line is professional — something like "Closing Day Wire Instructions for [Property Address]" or "Important: Final Settlement Details." The email uses the title company's name, often its logo copied from the real website, and addresses the buyer by name using details obtained from monitoring email threads or public records.

The instruction: The email provides routing and account numbers for the buyer's closing funds wire and explains when the wire must be sent to ensure on-time closing. It may include a plausible explanation for why this is being sent now — a routine pre-closing checklist, a confirmation of previously discussed instructions, or a note about updated banking procedures.

The urgency trigger: The email includes a soft or hard deadline — "Please wire by 3:00 PM Thursday to avoid any delay to your closing" — that is designed to limit the buyer's available time to verify independently. The shorter the window, the less likely the buyer is to make an outbound call to a previously saved number.

The false verification path: The email often includes a phone number "for questions." That number rings to the fraudster. If the buyer calls it to confirm, they receive confirmation from the same party that sent the fraudulent instructions — and walk away believing they have verified something that was never legitimate.

The Prevention Framework: What Actually Stops This

Prevention of title company impersonation is not primarily a technology problem — it is a process problem. The technical tools exist. What is missing, in most cases, is the consistent process that makes those tools effective.

Prevention Layer 1: Establish Verified Contacts Before Any Wire-Related Communication Arrives

Always carefully examine the sender's email address when you receive updates on your transaction from your escrow officer or settlement agent to verify it is the same as a prior confirmed email address. First American

The critical word is "prior." Verification only works if there is an independently established baseline to compare against. This means the buyer must save the title company's direct phone number — and the closing officer's direct line — from a source that predates any suspicious communication. During the first introduction call or email with the title company, verified contact information should be saved immediately in the buyer's contacts. That number is what gets called when any wire-related instruction arrives. Not the number in the instruction email. Not the number found on a website reached through a link. The number already in the phone.

This is one of the most important functions a professional transaction coordinator performs. When a TC introduces every party to the file at opening — with verified email addresses and direct phone numbers — they establish the baseline contact directory that makes independent verification possible for every party in the transaction.

Prevention Layer 2: Build a Firm Policy That Wire Instructions Are Never Changed by Email Alone

Establish a "call-before-you-wire" policy. Instruct clients to always verify wiring instructions by calling a trusted number — not the one in the suspicious email. Firstam

This rule should be communicated to buyers at the start of every transaction, in writing and verbally. The title company will not change wire instructions by email alone. If any email arrives claiming the instructions have changed, the buyer calls the direct number saved from the initial introduction — regardless of how legitimate the email looks, regardless of urgency language, regardless of who appears to be in the "From" field.

This single habit stops the vast majority of title company impersonation attempts. The fraud depends on the buyer acting on the email. If the buyer's default behavior is to call before wiring — always — the email instruction cannot succeed.

Prevention Layer 3: Examine Every Sending Address Before Acting

Fraudsters change just one letter in legitimate email addresses. Before acting on any wire-related communication, verify sender addresses. Certifid

Agents and buyers should develop the habit of clicking on the sender's display name in every wire-related email to reveal the actual sending address behind it, then comparing that address character by character against a previously confirmed address. This takes 15 seconds and catches the most common impersonation technique used against buyers.

For agents and title professionals, implementing DMARC email authentication on company domains provides a technical backstop against domain spoofing. DMARC doesn't prevent all wire fraud, but it prevents the most common entry point: someone impersonating your email domain. The fix is a single DNS record that can be added in about 15 minutes. It is one of the most cost-effective security measures available to any real estate professional. Pinpointfieldservices

Prevention Layer 4: Use a Secure Portal for All Wire-Related Communication

Email's security weaknesses have made portal-based communication the safer alternative for exchanging transaction details. Secure portals allow title and escrow companies to communicate with all parties in real time while avoiding email's risks. By moving interactions into a unified hub with bank-level security, title professionals can reduce their exposure to email-borne threats. Qualia Insight

When wire instructions are delivered through a verified, authenticated portal rather than open email, the impersonation attack loses its primary delivery mechanism. A buyer who knows that all legitimate transaction communications — including wire instructions — arrive through the portal will immediately recognize that an email appearing to be from the title company is either supplementary information or something requiring verification. The impersonation email cannot succeed if the buyer knows it should not be the channel through which instructions are delivered.

Prevention Layer 5: Train Every Party Who Touches the Transaction

Train your team to recognize red flags. Watch for urgent requests, slight changes to email addresses, and requests that bypass normal procedures. Fraudsters evolve their tactics constantly. Monthly fraud prevention training sessions keep everyone alert. Certifid

For buyers, training means the conversation an agent has at the first meeting — explaining what the impersonation scam looks like, establishing the phone verification rule, and making clear that urgency in an email about wire instructions is a red flag, not a reason to act faster.

For title company staff, training means regular review of real fraud examples, simulated phishing tests, and clear documented protocols for how wire instruction changes are communicated and verified — both outbound to clients and inbound when claimed to come from lenders or other parties in the chain.

A Real Case: How Verification Stopped a $449,000 Loss

Not all title company impersonation attempts succeed. The FBI's own reporting includes documented cases where preparation and process made the difference.

Individuals closing on a house received an email impersonating their attorneys and mistakenly sent a large wire transfer of over $449,000 to a scammer. After the fraud was discovered, the individuals reported the fraud to their bank, and their attorneys made separate attempts to contact the recipient bank with negative results. Upon receiving an IC3 complaint filed about the incident, the Recovery Asset Team immediately initiated the Financial Fraud Kill Chain to request a freeze of the fraudulent account at the recipient bank. The RAT received notification that the full amount was still in the account and on hold. National Association of Realtors

This case succeeded on recovery — barely, and only because of rapid reporting. But the case also illustrates the baseline: the buyers had the presence of mind to contact the FBI quickly enough for the freeze to work. Most victims do not act that fast. Most funds are moved within hours of receipt.

The far better outcome is the fraud that never completes. The buyer who calls the title company using a number saved weeks earlier. The coordinator who flags an incoming email as suspicious before any funds move. The title professional who recognizes that a "lender payoff update" arriving by email requires independent phone verification before processing. These are the interventions that stop the scam at every point before recovery becomes necessary.

The Agent's Role in Protection

Agents are not passive participants in this. Because buyers trust them most, and because fraudsters impersonate them most frequently, agents are both the most effective educators and the most common impersonation targets.

The number-one thing real estate agents can do to prevent fraud in the closing process is to communicate not only with their clients from the start, but with the title company they're working with. Agents should connect with the title company and learn how wire instructions are sent and who will be sending them — then communicate this information to clients so they know exactly what to expect. Chicago Agent Magazine

This establishes the most important thing a buyer can have going into the closing window: a clear picture of what legitimate title company communication looks like, so that anything deviating from that picture triggers verification rather than compliance.

Agents who partner with professional transaction coordinators extend this protection. A TC who has introduced every party at file opening, who communicates through a secure portal, and who maintains a consistent and documented process throughout the transaction creates an environment where impersonation attempts are easier to spot — because the buyer already knows what the legitimate communication channel looks like.

Work With a Transaction Coordinator Who Makes Impersonation Harder to Execute

At Signed to Keys, we establish verified contact information for every party at the start of every file. We route sensitive communications through a secure portal rather than open email. We introduce every transaction participant — including the title company — at file opening, so buyers know exactly who to expect communication from and how to reach them independently. And we maintain a firm policy that wire-related instructions are never delivered or changed through email alone.

We serve real estate agents across Pennsylvania, New Jersey, New York, Maryland, Connecticut, and Delaware.

If you want a coordinator who treats impersonation prevention as a core part of the transaction — not a footnote — let's talk.

Request Your Free Consultation → signedtokeys.com

No long-term commitment. No obligation. Just 30 minutes to find out whether we're the right fit for your business.

Frequently Asked Questions

What is title company impersonation in real estate?

Title company impersonation is a fraud technique where a criminal pretends to be the title company or escrow officer in order to direct a buyer's closing funds — or a seller's sale proceeds — to a fraudulent account. It is carried out through spoofed email addresses, compromised inboxes, cloned websites, or fabricated phone numbers, and it typically arrives just before closing when buyers expect to hear from the title company about wiring funds.

How do fraudsters get enough information to make a title company impersonation email convincing?

Through two primary routes: monitoring a compromised email inbox, or using publicly available data. When a fraudster gains access to any email account in the transaction chain, they read every message and learn the property address, purchase price, closing date, parties' names, and title company details. When a compromised inbox is not available, MLS listings, county records, and sometimes social media posts provide enough detail to construct a convincing fraudulent communication.

What is the difference between a spoofed domain and a compromised inbox?

A spoofed domain means the fraudster created a new email address that looks similar to the real one — like titlesolutions-llc.com instead of titlesolutions.com. They do not have access to the real account. A compromised inbox means the fraudster has actually logged into the real account using stolen credentials and is sending messages from the genuine address. Both are used in title company impersonation, and compromised inboxes are harder to detect because the sending address is legitimately correct.

What is the single most effective thing a buyer can do to prevent this scam?

Save the title company's direct phone number — the closing officer's direct line — from the initial verified introduction, before any wire-related communication arrives. Then call that number, from their own phone, before wiring any funds. Not a number found in an email. Not a number from a website reached through a link in a suspicious message. The number already saved in their phone. This one habit stops the vast majority of title company impersonation attempts.

Can a buyer be victimized by this scam even if they work with a reputable title company?

Yes. The fraud does not target the title company's reputation — it targets the communication channels around the transaction. A highly reputable title company can have an email account compromised, or a buyer can receive a spoofed email that appears to come from that company, through no fault of either party. The protection is not in the reputation of the title company — it is in the verification habits of the buyer and the communication process the professionals involved have built.

What should a buyer do if they receive a wire instruction email from what appears to be the title company?

They should not act on it without first calling the title company at a number saved at the start of the transaction. They should examine the actual sending address — by clicking on the display name — and compare it character by character against a previous confirmed address. They should treat any urgency language as a red flag rather than a reason to move quickly. And if anything seems off — the sending address doesn't match, the request references a banking change, the phone number provided is different from one previously saved — they should call their agent before doing anything else.

How does a secure client portal protect against title company impersonation?

When all legitimate transaction communications — including wire instructions — are delivered through an authenticated portal, buyers know that the portal is the expected channel. Any email arriving claiming to be from the title company with wire instructions falls outside that established pattern and can be immediately recognized as requiring independent verification. The fraudster's email cannot succeed if the buyer already knows that legitimate wire instructions arrive through a different, verified environment.

What is DMARC and how does it relate to title company impersonation fraud?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security protocol that prevents fraudsters from sending emails that appear to come from a company's legitimate domain without authorization. When a title company implements DMARC with enforcement, a fraudster cannot simply send an email that appears to come from that company's domain to a buyer. Research found that approximately 30% of title company domains had no DMARC protection at all — meaning impersonation emails from those domains could be sent with no technical barrier.

Does title insurance protect against wire fraud losses from impersonation?

Title insurance protects against defects in the title — forged deeds, undisclosed liens, seller impersonation fraud. It generally does not cover wire fraud losses from buyer funds sent to a fraudulent account based on an impersonation email. Once a buyer wires money based on fraudulent instructions, that is typically a wire fraud loss rather than a title defect, and recovery depends on the speed of reporting to the bank and the FBI rather than an insurance claim. Buyers and agents should verify their specific coverage with their insurance provider, as policies vary.

How does working with a transaction coordinator reduce title company impersonation risk?

A professional TC establishes the baseline the buyer needs at the start of the transaction: verified contact information for every party, including the title company's direct phone number and closing officer's contact details. They introduce every party through documented communications so buyers know who to expect to hear from. They route sensitive information through a secure portal. And they maintain a consistent, documented process so that any deviation — an unexpected email about wire instructions, a request that falls outside normal transaction workflow — is immediately recognizable as something requiring verification before action.