Canadian real estate has four characteristics that attackers love: large transactions, tight timelines, email-driven communications between parties who often have never met, and multiple handoffs between brokerage, conveyancer, lender, and lawyer. The industry trend across Canada, reported by the Canadian Anti-Fraud Centre and mirrored in BC, is that email-driven deposit and closing-fund redirection has grown sharply since 2022. Brokerages, conveyancers, and real estate lawyers are all in scope.
How the Scam Works
The attack does not begin at the moment the fake wire instructions land. It usually begins weeks earlier with a compromised mailbox, frequently at a realtor, assistant, or small brokerage that has weak or missing MFA. The attacker lives silently, reads the transaction thread, waits for the offer to be accepted, and learns when deposits are due. Then, near the deadline, they send an email from a look-alike domain (brokerage-ca.com instead of brokerage.ca, or yourbrokerage.realestate instead of yourbrokerage.ca) with "updated trust account" details attached on what appears to be the brokerage's letterhead.
The buyer, under time pressure and trusting the thread, wires to the attacker's account. The money clears. By the time the brokerage and buyer reconcile, it is gone.
Why BC Brokerages Are a Target
- High transaction values create high per-successful-attack payoffs.
- Small brokerage IT footprints (Microsoft 365 or Google Workspace, one or two staff) often lack full MFA, conditional access, and email authentication.
- Managing brokers and unlicensed assistants frequently share mailboxes or forward email in ways that expand the attack surface.
- Document and instruction flow is primarily by email.
- Transaction timelines create pressure that reduces verification discipline.
None of these are fixed by a single product. They are fixed by a layered set of technical and procedural controls.
Technical Controls: Make Impersonation Fail
1. DMARC, SPF, and DKIM on the brokerage domain
If a brokerage does not publish DMARC at a policy of at least p=quarantine, attackers can send email that appears to come from the exact real brokerage domain, and it will land in buyer inboxes. SPF alone does not prevent this. DKIM alone does not prevent this. All three together, with DMARC enforced, make direct spoofing fail. Get this in place first. It costs nothing and protects every email you send.
2. MFA on every mailbox, not just the brokers
Assistant mailboxes, admin mailboxes, shared inboxes, licensed and unlicensed staff, everyone. MFA that uses number-matching or FIDO2 keys is more resistant to modern phishing kits than SMS or basic push. If licensing permits, conditional access should also block legacy authentication protocols.
3. External-sender banners and look-alike flagging
Configure Microsoft 365 or Google Workspace to tag external emails clearly, and to flag first-time senders or display-name impersonation. The goal is to make a look-alike domain visually obvious in the inbox before a recipient reads the contents.
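To make concrete what "look-alike" and "display-name impersonation" mean in detection terms, here is an added example (not part of the original article, not Hexafusion code, and not the built-in logic of Microsoft 365 or Google Workspace, which it only approximates): it classifies a sender domain against the brokerage's trusted domains, covering the two look-alike patterns named above plus confusable characters and one- or two-character typos, and pairs that with a display-name check. Domains, staff names and messages are constructed; it assumes single-label public suffixes such as .ca and .com, so a real deployment would split domains using the Public Suffix List.

```python
"""Flag look-alike sender domains and display-name impersonation.

Added example for this article, not code from the original page or from
Hexafusion. Domains, staff names and messages are constructed. Assumes a
single-label public suffix (.ca, .com); consult the Public Suffix List in
production so that suffixes like .co.uk split correctly.
"""
import unicodedata

# Cyrillic letters that render identically to Latin ones (keys are escapes for safety).
CYRILLIC_TO_LATIN = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                     "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}
# Digits and digraphs that a human eye reads as another letter.
DIGIT_AND_DIGRAPH = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}
RANK = {"lookalike:tld-swap": 1, "lookalike:confusable": 2,
        "lookalike:embedded": 3, "lookalike:typo": 4}


def split_domain(domain: str):
    """Return (registrable label, tld); assumes a single-label public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[-1], "")


def skeleton(label: str) -> str:
    """Collapse a label to what the eye reads: strip accents, map confusables, drop hyphens."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in s if not unicodedata.combining(ch))
    for src, dst in DIGIT_AND_DIGRAPH.items():
        s = s.replace(src, dst)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch brokerge.ca style typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(sender_domain: str, trusted_domains) -> tuple:
    """Return (verdict, trusted domain it resembles); the strongest match wins."""
    sender_domain = sender_domain.lower().rstrip(".")
    trusted = [t.lower().rstrip(".") for t in trusted_domains]
    if sender_domain in trusted or any(sender_domain.endswith("." + t) for t in trusted):
        return ("trusted", sender_domain)        # mail.brokerage.ca is still the brokerage
    s_label, s_tld = split_domain(sender_domain)
    ss = skeleton(s_label)
    hits = []
    for t in trusted:
        t_label, t_tld = split_domain(t)
        ts = skeleton(t_label)
        if s_label == t_label and s_tld != t_tld:
            hits.append(("lookalike:tld-swap", t))      # yourbrokerage.realestate
        elif ss == ts:
            hits.append(("lookalike:confusable", t))    # br0kerage.ca
        elif ts in ss:
            hits.append(("lookalike:embedded", t))      # brokerage-ca.com
        elif len(ts) >= 6 and levenshtein(ss, ts) <= 2:
            hits.append(("lookalike:typo", t))          # brokerge.ca
    return min(hits, key=lambda h: RANK[h[0]]) if hits else ("external", None)


def classify_message(display_name: str, from_addr: str, staff_names, trusted_domains) -> dict:
    """Domain verdict plus a check that a staff name is not used from an untrusted domain."""
    verdict, resembles = classify_domain(from_addr.rsplit("@", 1)[-1], trusted_domains)
    name = " ".join(display_name.lower().split())
    known = {" ".join(n.lower().split()) for n in staff_names}
    return {"from": from_addr, "verdict": verdict, "resembles": resembles,
            "display_name_impersonation": verdict != "trusted" and name in known,
            "banner": verdict != "trusted"}


# Constructed inbox: one genuine staff message and five that should be flagged.
TRUSTED = ["brokerage.ca", "yourbrokerage.ca"]
STAFF = ["Dana Patel"]
MESSAGES = [("Dana Patel", "dana@brokerage.ca"),
            ("Dana Patel", "dana@brokerage-ca.com"),
            ("Dana Patel", "dana@yourbrokerage.realestate"),
            ("Accounting", "accounts@br0kerage.ca"),
            ("Dana Patel", "dana.patel@webmail.example"),
            ("Notary Office", "clerk@notary.example")]


def audit_inbox(messages=MESSAGES, staff=STAFF, trusted=TRUSTED) -> list:
    return [classify_message(n, a, staff, trusted) for n, a in messages]


if __name__ == "__main__":
    for row in audit_inbox():
        print(row)
```

The ordering in RANK matters: yourbrokerage.realestate also contains the label "brokerage", so without a preference the verdict would depend on which trusted domain was listed first. Only the banner flag needs to be reliable for the inbox; the finer verdicts are there so the person investigating a report can see at a glance which trick was used.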
4. Shared mailbox discipline
Shared mailboxes are convenient and problematic. If five people log in to "deals@", credential hygiene collapses. Use delegated access from individual accounts wherever possible, and audit who has access to shared mailboxes at least quarterly.
5. Mailbox audit hygiene
Quarterly, pull the Entra ID sign-in and audit logs for each licensed user (foreign sign-ins, OAuth consents) together with the Exchange Online inbox rules on each mailbox. The single most common forensic finding in deposit fraud cases is an inbox rule that was silently auto-forwarding every email containing "wire", "deposit", or "trust account" to an external address.
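The inbox-rule part of that audit is mechanical enough to script. The following is an added example, not code from the original article or from Hexafusion: it triages a JSON export of inbox rules for exactly the forwarding pattern described above, plus the companion tricks that usually accompany it (deleting or marking matches as read, filing them into a folder nobody opens, blank rule names). It assumes the rules were exported from Exchange Online with Get-InboxRule piped to ConvertTo-Json and uses that cmdlet's real property names; the export itself, the mailbox, and all addresses are constructed placeholders, and the SMTP-address formatting helper covers both the bare-address and the `"Name" [SMTP:addr]` rendering.

```python
"""Triage an export of Exchange Online inbox rules for hidden forwarding.

Added example for this article, not code from the original page or from
Hexafusion. Assumes rules were exported with
`Get-InboxRule -Mailbox <user> | ConvertTo-Json` and uses that cmdlet's
property names (MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo,
ForwardAsAttachmentTo, SubjectOrBodyContainsWords, DeleteMessage,
MarkAsRead, MoveToFolder). The export below is constructed; mailbox,
domains and addresses are placeholders.
"""
import json

KEYWORDS = {"wire", "deposit", "trust account", "closing", "invoice", "payment", "bank"}
# Folders a user never opens; a rule that files mail there is hiding it.
PARKING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items", "archive"}
TARGET_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
WORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
INTERNAL_DOMAINS = {"brokerage.example"}

# Constructed export: a benign filing rule, the classic attacker rule,
# a legitimate internal delegation, and a disabled rule pointing outside.
SAMPLE_EXPORT = json.dumps([
    {"MailboxOwnerId": "assistant@brokerage.example", "Name": "Newsletters", "Enabled": True,
     "From": ["news@listings.example"],
     "MoveToFolder": "assistant@brokerage.example:\\Newsletters"},
    {"MailboxOwnerId": "assistant@brokerage.example", "Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["wire", "deposit", "trust account"],
     "ForwardTo": ['"" [SMTP:archive.ops@lookalike-mail.example]'],
     "DeleteMessage": True, "MarkAsRead": True},
    {"MailboxOwnerId": "assistant@brokerage.example", "Name": "Cover for Sam", "Enabled": True,
     "ForwardTo": ["sam@brokerage.example"]},
    {"MailboxOwnerId": "assistant@brokerage.example", "Name": "Old redirect", "Enabled": False,
     "RedirectTo": ["old@external.example"]},
])


def extract_address(value: str) -> str:
    """Get the SMTP address out of either '"Name" [SMTP:addr]' or a bare address."""
    if "[SMTP:" in value:
        value = value.split("[SMTP:", 1)[1].rstrip("]")
    return value.strip().lower()


def rule_findings(rule: dict, internal_domains) -> list:
    """Return human-readable reasons this rule deserves a look, or [] if benign."""
    findings = []
    external = sorted({extract_address(raw) for field in TARGET_FIELDS
                       for raw in (rule.get(field) or [])
                       if extract_address(raw).rsplit("@", 1)[-1] not in internal_domains})
    if external:
        findings.append("sends mail outside the organization: " + ", ".join(external))
    words = {w.lower() for field in WORD_FIELDS for w in (rule.get(field) or [])}
    hits = sorted(w for w in words if any(k in w for k in KEYWORDS))
    if hits:
        findings.append("matches money-movement keywords: " + ", ".join(hits))
    folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].lower()
    if folder in PARKING_FOLDERS:
        findings.append(f"files matches into rarely read folder '{folder}'")
    # The secondary signals only matter once a primary one has fired.
    if findings and (rule.get("DeleteMessage") or rule.get("MarkAsRead")):
        findings.append("deletes or marks as read, hiding the activity from the mailbox owner")
    if findings and len((rule.get("Name") or "").strip()) <= 1:
        findings.append("blank or single-character rule name")
    if findings and rule.get("Enabled") is False:
        findings.append("currently disabled; confirm who created it and when")
    return findings


def audit_export(export_json: str, internal_domains=INTERNAL_DOMAINS) -> list:
    """Run every rule in the export through rule_findings and keep the suspicious ones."""
    internal = {d.lower() for d in internal_domains}
    report = []
    for rule in json.loads(export_json):
        findings = rule_findings(rule, internal)
        if findings:
            report.append({"mailbox": rule.get("MailboxOwnerId"),
                           "rule": rule.get("Name"), "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit_export(SAMPLE_EXPORT):
        print(entry["mailbox"], repr(entry["rule"]), entry["findings"], sep="\n  ")
```

The internal delegation rule ("Cover for Sam") and the newsletter filter produce nothing, which is the point: the audit should surface the one or two rules worth a conversation, not every rule in the tenant. Any hit should be compared against the Entra ID sign-in and consent history for that user before the rule is simply deleted, because the rule is evidence of when and from where the mailbox was taken over.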
Procedural Controls: Make the Redirect Fail Even If Impersonation Succeeds
Technical controls stop the easy attempts. Procedure stops the sophisticated ones.
Verification call before every wire, no exceptions
Before any client wires funds to the brokerage or to a third party, require a phone call to a previously verified number. "Verified" means from the original engagement paperwork or from the brokerage's published website, never from the email with the wire instructions. Document the call: who verified, who answered, what was confirmed.
Wire instructions never change by email
The brokerage's trust account does not change. Publish that clearly in the client welcome pack. Instruct clients in writing, at engagement, that any email claiming to update wire instructions is a fraud attempt and should be reported.
Dual authorization for outbound wires
For wires from brokerage or trust accounts outbound, require two authorized signers with separate logins and MFA devices. This is already standard at many larger brokerages and is straightforward to implement at smaller ones with most Canadian business banking platforms.
A written policy, shared with staff and clients
The policy does not need to be long. One page. It should state the verification requirement, the authorization requirement, the reporting channel if something looks wrong, and the fact that the brokerage will never send wire instructions by unsolicited email. Give a copy to every client.
Client Education Materials
The last line of defence is the buyer who pauses before hitting "send". A short client-facing notice, printed and handed out at offer signing, dramatically improves outcomes. It should cover:
- Our trust account details will only be provided on [defined channel], and will not change.
- If you receive an email asking you to change the account, assume it is fraud and call us at [verified number] before doing anything.
- Before you wire, call us to verify.
- If you have already wired funds you now suspect were redirected, call your bank fraud line immediately.
BCFSA Compliance Angle
The BC Financial Services Authority (BCFSA) regulates real estate services in BC, including brokerage trust accounts and record-keeping. While specific cybersecurity requirements evolve, the Rules of real estate services and the expectations under the Real Estate Services Act impose obligations around trust account handling, record retention, and protection of client funds that a successful deposit fraud clearly engages. FINTRAC reporting obligations under the PCMLTFA also apply to brokerages and should be factored into any incident response.
In parallel, if personal information was exposed during the email compromise (buyer SIN, banking details, passports for ID verification), PIPEDA and PIPA breach notification obligations apply. See our 72-hour playbook.
A Short Hardening Plan for a Small Brokerage
If you run or manage IT for a 5- to 50-person brokerage, here is the order we recommend:
- Publish DMARC, DKIM, SPF on the brokerage domain. Enforce DMARC at quarantine or reject.
- Enforce MFA on every Microsoft 365 or Google Workspace account. Block legacy authentication.
- Add conditional access to block sign-ins outside Canada unless justified.
- Deploy EDR to every workstation and laptop.
- Implement external-sender banners and first-time-sender warnings.
- Write the wire verification policy. Print it. Share it with every client at engagement.
- Run a tax-season-style phishing simulation with real-estate-themed lures once a quarter.
- Audit Entra ID sign-in logs, OAuth consents, and inbox rules quarterly.
- Set up a cyber insurance renewal readiness review (see our cyber insurance requirements article).
Protect Your Brokerage Before the Next Transaction
Hexafusion supports BC brokerages with Microsoft 365 hardening, DMARC deployment, MFA enforcement, and wire-fraud prevention controls. Request a quote and we will assess your current exposure.