Authored By: Ryan A. Featherstone, Esq.
rfeatherstone@dunlapmoran.com or 941.366.0115
In today’s fast-paced digital real estate world, email, Wi-Fi, smartphones, and other contemporary technology remain vital tools for communication. But with this convenience comes growing risk. “1 in 3 real estate transactions are targeted for wire fraud.” (ALTA 2021 Wire Fraud Survey)
Why Real Estate Agents Are Prime Targets
Real estate agents deal with:
- High-value transactions
- Sensitive client information
- Tight deadlines and fast and voluminous communication
This combination creates the perfect storm for cybercriminals looking to exploit a moment of distraction or urgency. In particular, wire fraud scams—where schemes are used to trick buyers into sending closing funds to the wrong account—are rampant and devastating.
What Is Email and Domain Spoofing?
“Email spoofing” occurs when a cybercriminal forges the “From” address in an email to make it appear as if it’s coming from someone you trust—like a title company, lender, attorney, or even your broker. “Domain spoofing” is a type of cyberattack in which a malicious actor forges or impersonates a legitimate domain to deceive recipients or systems into believing that the communication is coming from a trusted source (e.g. g00gle.com vs google.com). These fraudulent emails often contain links or attachments designed to steal information, install malware, or redirect financial transactions.
Real-Life Scenarios
Imagine this: You’re finalizing a sale. A client receives an email that looks like it’s from you, giving updated wiring instructions. Trusting the sender, they wire hundreds of thousands of dollars straight to a scammer’s account. This kind of attack happens every day, and it’s not just the clients who suffer. Your reputation—and potential liability—are on the line too. And even if you don’t handle wiring instructions yourself, falling for a spoofing scheme could allow access to your inbox and thus access to the parties involved in your transactions. From there, the fraudster could then easily impersonate your client’s title agent, banker, lawyer, etc. and divert funds.
How to Spot Spoofing
Even savvy professionals can be fooled, but here are a few red flags:
- The email address is slightly off (e.g., johndoe@examp1e.com instead of example.com)
- Unusual tone, poor grammar, or unexpected urgency
- Requests for money, wire transfers, or login credentials
- Suspicious links or attachments
Always double-check before clicking or acting, especially when money is involved. And if you’re suspicious, forward the email to the party you’re attempting to communicate with, instead of selecting reply.
Best Practices for Real Estate Cybersecurity
- Use Verified Communication Channels
Encourage clients and partners to confirm sensitive details (like wiring instructions) by phone using known numbers—not those found in the email. Always use encrypted Wi-Fi networks, never conduct business over public Wi-Fi without using a VPN. Also consider using encrypted document-sharing platforms (e.g. Dropbox, DocuSign). - Enable Multi-Factor Authentication (MFA)
Require MFA on your email accounts and transaction platforms. It adds an extra layer of protection if your credentials are ever compromised. MFA has become a standard basic-level security aspect, anyone not utilizing it is likely being negligent. - Educate Yourself and Your Clients Early
At the beginning of every transaction, explain the risk of wire fraud and set a policy for how financial information will be shared. Ask the closing agent involved what their wire instruction delivery methods are, and what security protocols they take to protect private and financial information. See more on this below. - Invest in Email Security Tools
Avoid free email providers (e.g. Gmail or Yahoo) as these are not end-to-end encrypted services. Use professional-grade domain-specific email services with spoofing protection (e.g. SPF, DKIM, and DMARC protocols). Use a password manager to create and store unique passwords (e.g. LastPass, Keeper, 1Password). Do NOT reuse the same password or similar passwords that simply change one or more characters. - Keep Software Updated
Regularly update your devices (operating system), antivirus software and applications to patch security vulnerabilities. - Work with a Cybersecurity Professional
Having a tech partner familiar with real estate security needs can give you a critical edge. If you are with a brokerage, get to know your company’s IT and/or cybersecurity vendor. - Education and Training
Take regular cybersecurity awareness training, including how to spot phishing and social engineering attacks. Subscribe to real estate cybersecurity blogs. Consider security awareness training from companies like KnowBe4.com.
8.Check Yourself Regularly
Run your email domain through Valimail.com and your email address through haveibeenpwned.com for evidence of security weaknesses in your domain and incidents of your email address being involved in any data breaches. If you see any, change your passwords immediately to something unique.
The Cost of Complacency
According to the FBI’s Internet Crime Complaint Center (IC3), real estate wire fraud resulted in losses of $16.6 billion in 2024 (yes, with a “B”). But the damage isn’t just financial—your credibility, trust with clients, and legal exposure are also at risk.
What to Ask
When working with a closing agent, whether you work with a title company or a law firm, ask the following questions: (1) Do you have a fire/sonic wall? (2) How do you deliver your wiring instructions? (3) How do you verify outgoing wiring instructions (e.g. for sellers, Realtors, mortgage payoffs)? (4) Do you use encrypted email? (5) Do you use multi-factor authentication? (6) Do you have DMARC, SPF and BIMI on your email service? (7) Do you have a cybersecurity partner? (8) Do you have cyber insurance? (9) Do you have MDR/EDR/XDR set up? (10) Do you have an identity verification partner?
Conclusion
Cybersecurity may not be the most glamorous part of being a real estate agent, but it’s quickly becoming one of the most important. By taking proactive steps to protect yourself and your clients from cyber threats, you position yourself as a trustworthy, tech-savvy professional in an increasingly digital world.
Stay safe, stay smart—and when in doubt, don’t click.
Disclaimer: The information provided on this blog is for general informational purposes only and is not intended to be, nor should it be construed as, legal advice. While we strive to provide accurate and up-to-date content, laws and regulations in the State of Florida are subject to change, and we make no guarantees regarding the completeness, accuracy, or timeliness of the information presented. Your use of this blog or communication with us through this website does not create an attorney-client relationship. If you need legal advice specific to your situation, you should consult a licensed attorney in your jurisdiction. This blog is intended for residents of Florida or those with legal matters pertaining to Florida law. Legal outcomes vary depending on individual circumstances and the specifics of your case. Links to external websites or references to third-party content are provided for convenience only and do not constitute an endorsement or guarantee of the accuracy or legal validity of such content.