Every year, real estate wire fraud costs Canadian buyers and sellers over $145 million. In the US the number is many multiples higher. The mechanic is familiar to anyone in the industry: a buyer is told to wire down-payment or closing funds to what looks like the correct trust account. The wire lands somewhere else. By the time anyone notices, the money is out of reach.
The response from brokerages, title insurers, and lender associations has settled around a single tactic. Warn the client. Add a disclaimer to every closing email. Instruct buyers to verify wiring instructions verbally, using a phone number they already had, not one from the email. Put a red banner on the closing package. It is defensible advice, and it works when clients follow it. Most do not.
The advice also misses the point.
By the time an attacker sends a redirected wire instruction, the fraud has been in motion for about 38 days. That is the average dwell time the FBI's Internet Crime Complaint Center reports for a business email compromise where the attacker has taken up residence inside a targeted inbox. During those 38 days the attacker is not guessing. They are reading real closing schedules, real vendor calendars, real client correspondence. They know when the wire is going to be sent, to which bank, in which amount, from which lawyer's trust account. They have the vocabulary of the brokerage down cold. The redirected wire instruction reads as authentic because it is written by someone with access to the authentic template.
Verifying verbally with the closing agent, when the attacker is already inside the agent's inbox, is a control that gets defeated at the moment the agent picks up the phone and confirms the fraudulent instructions they think they sent themselves.
The actionable question is not "how do we get buyers to verify?" The actionable question is: how did the attacker get 38 days of resident access in the first place?
The reconnaissance chain
Attackers do not choose targets at random. Brokerage-directed wire fraud follows a repeatable reconnaissance pattern that begins in publicly available data and ends with a live inbox.
Step one: identity mapping from public records
Canadian brokerages, like most professional-services businesses, appear across multiple public registries. Provincial corporate filings. Real-estate council rosters. Industry directory listings. The information published is not sensitive by itself: broker of record, sales representatives, primary business address, principal broker's home address in some jurisdictions. Aggregated across sources, this is enough to construct a personnel map of the brokerage. Attackers do not scrape one directory. They correlate a dozen.
Step two: breach-database credential correlation
With names and emails identified, attackers query breach databases for credential exposures matching those addresses. Not the current password, necessarily. Historical passwords across a decade of consumer data breaches produce patterns. A broker who used a variant of the same password on a professional network in 2016, on a design suite in 2013, on a file-hosting service in 2012 is telling the attacker exactly how they construct their passwords. In practice, most brokerage staff email accounts are protected by passwords that a determined attacker can guess inside three attempts once the historical exposure pattern is known.
Step three: multi-factor authentication bypass, not brute force
The industry has largely moved to multi-factor authentication on business email accounts. This does not stop the reconnaissance. Adversary-in-the-middle phishing pages, sold as commercial kits, capture the session cookie after multi-factor authentication passes. The attacker does not need the second factor. They need the session, and session lifetimes on default Microsoft 365 or Google Workspace configurations run into weeks. In FBI-reported business email compromise cases where investigators reconstructed the initial intrusion, over 80 percent of victims had multi-factor authentication enabled at the time of compromise.
Step four: persistence through inbox rules, not new logins
Once the attacker has the session, they do not sit visibly logged in. They create inbox rules. Auto-forward specific message threads to an external address. Move replies from the real closing lawyer into an archive folder the broker never checks. Filter incoming messages containing the words "wire," "invoice," "closing" out of the primary inbox. From the broker's perspective, nothing is different. The dashboard shows one active session. The audit log, if anyone checks it, shows the expected sign-in from the expected city. The inbox rule is the persistence mechanism, and it is invisible unless someone is looking directly at it.
By day 38, the attacker has watched a full closing cycle, learned the brokerage's wire-instruction template, identified a live transaction with a large enough amount to justify the effort, and can time the redirected instruction to arrive between the closing agent's outgoing message and the buyer's next check-in.
What every brokerage's external surface reveals
The reconnaissance chain relies on data the brokerage already publishes, plus data that leaked in incidents outside the brokerage's control. Neither is fixable through better closing procedures. Both are addressable through concrete configuration.
Across the professional-services landscape LeakTrace analyzes, three exposures show up on almost every brokerage's external surface, and each one shortens the attacker's path by weeks.
Missing or misconfigured email authentication
DMARC, SPF, and DKIM are the three DNS records that determine whether an inbound mail server will accept a message claiming to be from your domain. On most brokerage domains, at least one of these records is missing, weakly configured, or in permissive mode. When email authentication is not enforced, the attacker does not need to compromise an inbox to send a message that appears to come from the brokerage. They send from anywhere. The recipient's mail server does not have the information to reject it.
Executive personal data on public broker sites
The broker of record's home address, phone number, family members, and property history are aggregated by data broker sites, republished, and made searchable. This is the material used to construct pretext phone calls to reception staff, to bypass "verify with a person you know" controls, and to add the personal detail that makes a phishing message land. Executives cannot stop this at the data broker level once, because the brokers re-scrape public records every thirty to ninety days. Continuous removal is the only durable control.
Weak conditional access on business email
Default Microsoft 365 and Google Workspace configurations grant session lifetimes measured in weeks, allow sign-ins from any country, and do not require re-authentication when the client fingerprint changes. Every one of those defaults is configurable. Almost none of them are configured on typical brokerage tenants.
None of these exposures require a breach to fix. Each one is a configuration decision.
What actually stops the redirected wire
The controls that actually break the reconnaissance chain sit in the 38 days before the wire, not the seconds after it.
Enforce DMARC at "reject." Rotate DKIM keys on a fixed schedule. Publish MTA-STS so mail servers accepting messages from your domain use encrypted transport. These changes take a knowledgeable IT contact under two hours. They do not require buying anything.
Configure conditional access on business email to reject sign-ins from countries the brokerage does not operate in. Set session lifetime to a value measured in hours, not weeks. Require re-authentication when the sign-in fingerprint changes. Enroll every mailbox in phishing-resistant multi-factor authentication, not SMS.
Audit every mailbox in the tenant for user-defined rules that forward externally, move messages on financial keywords, or hide replies from specific senders. This is the single highest-yield check for detecting an in-progress compromise. In every documented business email compromise case, the attacker created one of these rules to maintain persistence. Reviewing the ruleset takes a mail administrator about an hour per tenant.
Continuously monitor executive personal data across the North American data broker landscape and submit removal requests through each site's opt-out flow. This is a subscription operation. Attempted once and abandoned, it decays inside sixty days.
None of these controls prevent the buyer from being told to wire funds. They prevent the attacker from ever getting the 38 days of resident access that makes the redirected instruction credible in the first place.
Why this matters now
The wire-fraud number in Canadian real estate is not going down. The mechanic works, the reconnaissance chain is repeatable, and the industry's response continues to focus on the last three seconds of a fraud that has been operating for over a month. Adding another disclaimer to a closing email does not touch it.
Brokerages that want to actually reduce exposure have to intervene at the reconnaissance stage. That means treating the external attack surface, the credential exposure landscape, and the executive personal data footprint as three continuously monitored surfaces, not three one-time projects. It also means auditing every tenant mailbox in the brokerage for the persistence mechanisms attackers actually use, and doing it on a schedule that reflects the 38-day window.
The exposure is already indexed. The question is whether the brokerage has mapped its own footprint before the attacker did.