Why Mortgage Companies Are Losing Millions to Wire Fraud And How to Stop It

The average mortgage company processes 50-200 wire transfers per month. Each one is a $150,000 to $500,000 transaction. And each one is vulnerable to the same attack that has cost the industry over $1.5 billion since 2021.

Wire fraud is not a theoretical risk for mortgage companies. It is the primary cyber threat you face. This post explains how the attack works, why mortgage companies are perfect targets, and exactly what you need to do to protect your closings.

The Anatomy of a Mortgage Wire Fraud Attack

Here is how it actually happens, step by step, based on real FBI case files and our forensic work with attacked firms.

Phase 1: Reconnaissance (Days 1-14)

The attacker researches your company. They find your:

Loan officers and their email addresses
Closing attorneys you work with
Typical transaction timeline (how many days from application to closing)
Wire transfer patterns (do you use the same title company repeatedly?)

They subscribe to your email newsletters. They follow your loan officers on LinkedIn. They learn your communication style.

Phase 2: Initial Compromise (Days 15-30)

The attacker sends a phishing email to your loan officer. It looks like:

A document sharing link from a “prospective borrower”
A voicemail notification from your phone system
An e-signature request that seems legitimate

Someone clicks. Now the attacker has access to your email.

They do not act immediately. They wait. They watch. They learn who handles wires, what your templates look like, and when your busiest closing days are.

Phase 3: The Interception (Days 31-45)

A borrower emails asking about wiring closing funds. Or a title company sends final instructions. The attacker sees this in real-time.

Tactic A: The Redirect

Attacker replies from a spoofed email address (nearly identical to yours or the title company’s)
Changes the wire instructions mid-conversation
“Update: Please use this account instead”
Your borrower wires $187,000 to the attacker’s account

Tactic B: The Injection

Attacker compromises the title company’s email too
Sends wire instructions directly to your borrower
Instructions look perfect, use the right logos, right language
Account number is just slightly different (or completely different if the title company was the first target)

Phase 4: The Money Vanishes (Day 46)

The wire hits the attacker’s account. Within 2 hours, it is moved through 3-5 intermediary accounts. Within 24 hours, it is converted to cryptocurrency or withdrawn as cash overseas.

Average loss per incident: $187,000

Recovery rate: Under 15%

Time to discovery: Usually 1-3 days after the wire (often a weekend when banks are slow)

Why Mortgage Companies Are Perfect Targets

High Transaction Values

A typical business email compromise nets $50,000-$75,000. A mortgage wire fraud averages $187,000. Some closings exceed $500,000. Same effort, 3x the payout.

Time Pressure

Closings have hard deadlines. If a wire is delayed, the deal falls through. This pressure makes people skip verification steps. Attackers know you will prioritize speed over security.

Multiple Parties = Confusion

A typical closing involves: borrower, loan officer, processor, underwriter, title company, closing attorney, real estate agents. With this many people communicating, verifying who said what is hard.

Limited Cybersecurity Investment

Most mortgage companies spend on LOS software, CRMs, and marketing. They underspend on email security, MFA, and wire verification protocols. Attackers know this.

The Real-World Consequences

Customer trust: Your borrower just lost their down payment. They will tell everyone. They will sue you. They will post on social media.
E&O insurance: Your errors and omissions policy may not cover cyber fraud. Even if it does, premiums spike after a claim.
Regulatory scrutiny: State mortgage regulators are increasingly asking about cybersecurity. A public breach invites examination.
Staff morale: Who clicked the phishing link? Do they get fired? Do they quit from guilt? Wire fraud destroys teams.
Business continuity: A major loss can put a small mortgage company out of business permanently.

Prevention: The Wire Verification Protocol

The Golden Rule

Verify every wire instruction change via phone call to a known, trusted number. Never via email. Never via text. Always via phone.

The Full Protocol

At loan application: Document the borrower’s phone number in your LOS. Not the phone number they email from. The one you call and verify at application.
At closing: When wire instructions are sent, call the title company using the number on their website (not the email signature). Confirm the account details verbally.
For changes: If anyone sends “updated” wire instructions, stop. Call the title company directly using a number you independently verified. Ask: “Did you send new wire instructions? Can you confirm the account number verbally?”
For large wires: If the amount exceeds $100,000, require dual verification. Two people must make the confirmation call.
Document everything: Log the call, time, who confirmed, and the account number verbally stated. If fraud occurs, this documentation protects you legally.

Technical Defenses That Actually Work

Email Security

DMARC enforcement
Advanced threat protection
Outbound filtering

Access Controls

Multi-factor authentication
Privileged access management
Session timeouts

Monitoring

Email rule alerts
Login alerts
Wire threshold alerts

What to Do If It Happens

Within 1 hour:

Contact your bank’s wire fraud hotline
File report with FBI Internet Crime Complaint Center (IC3.gov)
Notify your cyber insurance carrier

Within 4 hours:

Engage a forensics firm to preserve evidence
Notify the title company and borrower
Document everything for law enforcement

Within 24 hours:

Engage legal counsel
Prepare regulatory notifications (state mortgage regulators)
Prepare customer communications

Reality check: Recovery is rare. Prevention is everything.

How Capital Cyber Helps Mortgage Companies

Wire fraud prevention assessment: Review your current protocols and close gaps
Email security hardening: DMARC, advanced threat protection, outbound filtering
Staff training: Role-specific training for loan officers, processors, and closers
Incident response planning: Documented playbooks for when fraud occurs
Ongoing monitoring: 24/7 threat detection tailored to mortgage workflows

Wire Fraud Prevention Assessment – Starting at $3,500

Phone: (571) 410-3066

The Bottom Line

Wire fraud against mortgage companies is not a sophisticated, hard-to-stop attack. It succeeds because firms skip basic verification steps under time pressure.

The solution is cultural, not just technical. Your team must prioritize verification over speed. Management must support this, even when borrowers complain about delays.

Every wire that goes out without phone verification is a $187,000 bet against cybercriminals. Stop gambling.

Want to assess your wire fraud risk? Schedule a call with Rick: https://capital-cyber.com/rick

Capital Cyber provides cybersecurity services, wire fraud prevention, and compliance support to mortgage companies, accounting firms, and government contractors in Virginia, DC, and nationwide.