$2.9B+ in BEC losses in 2023 (FBI IC3). Real estate is the #2 targeted sector. Houston, DFW, and Austin title companies have logged multi-million-dollar wire diversion incidents in the last 18 months. The attacker's playbook: compromise a title agent's inbox, monitor closing activity, send a spoofed wire instruction the morning of closing. Average recovery rate after 72 hours: under 15%. CoreRecon delivers BEC defense, ALTA Pillar 3 compliance, and 30-minute incident response at $89–$129/endpoint — built for title companies, not enterprise banks.
Title companies and escrow agents sit at the most financially exposed moment in any real estate transaction — the day of closing. Attackers have studied this. Every threat vector below is engineered to intercept, divert, or destroy the closing wire.
Title companies face five overlapping compliance mandates — all of which have hardened since 2022. Lender requirements for ALTA certification have made documented security programs effectively mandatory for any title company that serves institutional lenders.
| Framework | What It Requires | Consequence of Non-Compliance | CoreRecon Coverage |
|---|---|---|---|
| ALTA Best Practices Pillar 3 — Information Security | Written information security program covering NPI protection, risk assessment, technical controls (MFA, encryption, access controls), employee training, and documented incident response procedures. ALTA certification requires third-party assessment against all 7 pillars. | Lenders — Fannie Mae, Freddie Mac, and most institutional lenders — require current ALTA certification for approved title company status. Loss of certification = loss of institutional lender business. | Fortress Written ISP, MFA enforcement, access controls, annual training, IR procedures — Pillar 3 control set documented for ALTA assessor review |
| TX Insurance Code Chapter 651 | Governs Texas title insurance agents and companies. TDI examinations now include cybersecurity controls review consistent with NAIC Model 668. Requires notification to TDI of a cybersecurity event affecting consumer NPI. | TDI enforcement: license suspension or revocation for failure to maintain required controls. Civil penalties for failure to notify. Reputational consequences from public TDI enforcement actions. | Fortress Cybersecurity controls documentation, TDI examination-ready evidence package, breach notification workflow |
| RESPA Section 10 — Escrow Account Management | Requires title and escrow agents managing RESPA-covered escrow accounts to maintain security of account information. CFPB examination scope includes data security practices for servicers and settlement agents. | CFPB enforcement actions for unfair or deceptive practices (UDAP) related to data security failures. Civil money penalties; restitution orders to affected consumers. | Fortress Escrow account data segmentation, access audit logging, CFPB examination documentation |
| GLBA Safeguards Rule (FTC, 16 CFR Part 314) | Title companies and closing attorneys that hold consumer NPI are financial institutions under GLBA. FTC Safeguards Rule (updated 2023) requires risk assessment, access controls, encryption, MFA on customer data systems, incident response plan, and annual board/owner report. | FTC enforcement: civil penalties up to $50,000/day for willful non-compliance. Class action exposure for consumer data breaches. State AG enforcement for TX consumer protection violations. | Command Full Safeguards Rule control set: risk assessment, access controls, encryption, MFA, IR plan, annual compliance report for ownership review |
| NAIC Insurance Data Security Model Law 668 | Texas adopted the NAIC Model Law (effective 2022). Requires licensed insurers and title companies to establish and maintain an information security program, conduct annual risk assessments, manage third-party vendor security, and notify TDI of cybersecurity events within 72 hours. | TDI enforcement including license action. 72-hour notification requirement creates operational urgency — companies without a pre-built notification workflow routinely miss the window. | Command 72-hour TDI notification workflow, vendor risk monitoring, annual risk assessment documentation, incident response retainer |
The incidents below are drawn from public breach notifications, FBI IC3 reports, and CoreRecon's Texas Breach Tracker database. Two are anonymized TX title incidents; one is a named national case.
A mid-size Houston title company suffered a $1.2 million wire fraud loss after an attacker compromised the email account of a senior escrow officer via a phishing email disguised as a DocuSign notification. The attacker monitored the inbox for 19 days before acting. On the day of a $1.2M residential closing, the attacker sent spoofed wire instructions to the buyer's lender from the compromised address. The wire was executed successfully. Recovery: $0. The IC3 FFKC was not initiated within 72 hours because the company had no wire fraud response procedure. The escrow officer's Microsoft 365 account had no MFA enabled at the time of compromise. Source: CoreRecon Breach Tracker database; Texas Breach Tracker — anonymized per subject request.
A DFW commercial escrow agent lost $780,000 in a lookalike domain wire fraud attack targeting a commercial property closing. The attacker registered a domain one character different from the agent's legitimate domain three weeks before the closing. Using transaction details obtained from public property records and LinkedIn research, the attacker sent wire instructions directly to the buyer's CFO impersonating the escrow agent two days before closing. The CFO had previously received legitimate email from the real domain and did not verify the slight difference. Recovery: $145,000 via FinCEN FFKC (partial, 18.6%). The agent had no DMARC enforcement, no lookalike domain monitoring, and no outbound buyer communication security protocol. Source: CoreRecon Breach Tracker database — anonymized per subject request.
Stewart Title Guaranty Company, one of the four largest U.S. title insurers, disclosed a data breach affecting consumer NPI following a ransomware incident in 2021. Stewart notified state regulators in Texas and multiple other states per applicable breach notification laws. Consumer data including SSNs, financial account information, and property transaction details were exposed. The Stewart incident demonstrated that enterprise-scale title companies are not immune — and that ransomware on title infrastructure triggers multi-state regulatory notification obligations that require pre-built compliance workflows to execute within the required windows. Lesson: Size doesn't substitute for SOC coverage. Pre-built notification workflows are the difference between controlled response and regulatory penalty exposure. Source: State AG breach notification filings; Stewart Title public disclosure, 2021.
10-endpoint minimum. Month-to-month. No 3-year lock-ins. Sub-20 endpoint title shops get everything they need in Sentinel. Most Texas title companies land in Fortress (ALTA Pillar 3 + dedicated analyst). Multi-branch operators scale to Command.
Wire fraud response SLA applies to Command tier. The 30-minute clock starts when our SOC detects anomalous account activity — inbox rule creation, forwarding rule addition, or credential stuffing attempt — not when you call us after a wire has already gone out. Detection at the inbox compromise stage is the only intervention point that matters. After the wire executes, the window narrows to 72 hours and recovery rates drop below 15%.
We assess your email security posture, DMARC/DKIM configuration, MFA enforcement on transaction platforms, and ALTA Pillar 3 gap against current controls. 14-day delivery. No commitment.
Get your wire fraud posture report — free →No credit card • No commitment • SDVOSB-certified team
ALTA Best Practices Pillar 3 (Information Security) requires title companies and escrow agents to adopt and maintain a written information security program that protects non-public personal information (NPI) of consumers and clients. It requires risk assessments, written policies, technical controls (encryption, access controls, MFA), employee training, and incident response procedures. Lender requirements for ALTA certification have made Pillar 3 compliance effectively mandatory for title companies that serve institutional lenders. CoreRecon Fortress tier builds and maintains the full Pillar 3 documentation package — including the evidence format required by certified ALTA assessors.
The most common pattern: an attacker compromises a title agent's email account (often via phishing or credential stuffing), monitors closing activity for weeks, then sends a spoofed wire instruction to the buyer or their lender 24–48 hours before closing. The email appears to come from the legitimate title company — same branding, similar domain, correct transaction details obtained from monitoring. The buyer wires funds to an attacker-controlled account. Recovery rate after the wire leaves: under 15% if not reported within 72 hours. CoreRecon's BEC defense detects the initial email compromise — the inbox rule creation or credential anomaly — before the fraud wire is sent. That's the only intervention point that stops a loss.
Yes. TX Insurance Code Chapter 651 governs Texas title insurance agents and companies. The Texas Department of Insurance (TDI) has expanded its examination scope to include cybersecurity controls review consistent with NAIC Insurance Data Security Model Law (Model 668). Title companies that suffer a cybersecurity event affecting consumer NPI must notify TDI within 72 hours. Companies without a pre-built notification workflow routinely miss this window and face enforcement. TDI examinations now ask for written ISPs, risk assessments, MFA records, and IR procedures — the exact controls CoreRecon Fortress and Command tiers build and maintain.
Qualia, ResWare, and RamQuest are the three most widely deployed title and escrow transaction management platforms in Texas. All three have been identified in vendor compromise scenarios. Attackers gain access by compromising a title company user's credentials or by targeting the platform vendors through supply-chain vectors. Once inside a transaction management system, attackers have full visibility into closing schedules, wire amounts, and buyer/lender contact information — everything needed to execute a convincing fraud wire. CoreRecon Fortress and Command tiers monitor for anomalous activity in these systems and include vendor security monitoring as part of the coverage package.
Recovery is possible but time-critical. The FBI's IC3 operates a Financial Fraud Kill Chain (FFKC) that can freeze or recover wired funds — but only if reported within 72 hours and the funds haven't yet been converted or moved overseas. After 72 hours, recovery rates drop below 15%. CoreRecon Command tier includes a pre-built wire fraud response workflow: immediate FBI IC3 FFKC submission, FinCEN SAR filing guidance, title insurance carrier notification, TDI notification within the 72-hour window, and buyer/lender communications. The workflow starts at inbox compromise detection — not after the wire executes — which is why Command tier's 30-minute SLA is the only response time that actually matters in a wire fraud scenario.
We map your full wire fraud attack surface — email security posture, MFA gaps on transaction platforms, DMARC/DKIM configuration, lookalike domain exposure, and ALTA Pillar 3 compliance gaps. You get a 12-page report you can put in front of your lender, TDI examiner, or cyber insurance carrier. No credit card. No commitment. Delivered in 14 days.
Get your wire fraud posture report — free →Delivered within 14 days • No credit card • SDVOSB-certified team
Need a SOW for your lender or TDI examiner? Build your Scope of Work PDF →