Real Fraud, Real Lessons: What Title Agents Learned the Hard Way

March 19, 2026

Fraud in real estate isn’t hypothetical, and for many title professionals, it isn’t rare. It’s real, it’s costly and it often unfolds in a matter of minutes.

At ALTA EDge, the session “Real Fraud, Real Lessons: What Happened, What We Did, and What You Should Do Next” brought that reality into sharp focus. Industry leaders Craig Burns, CEO of Security 1st Title; Craig Haskins, CEO and president of Knight Barry Title; and Lisa Walt, vice president of operations at First International Title, walked through actual fraud events that impacted their companies, offering an unfiltered look at what went wrong, what saved them and what others must do differently.

Their stories weren’t just cautionary tales. They were roadmaps for survival.

‘We Had Nothing’: When Ransomware Shuts Down a Company

For Burns, the moment everything changed came early on a Sunday morning. Unusual network activity quickly escalated into a full-scale ransomware attack. Within hours, his company—spanning multiple states, hundreds of employees and dozens of offices—was completely locked out of its systems.

“We had no emails, no phones, no files. We had nothing,” Burns recalled.

The root cause? A single compromised attachment clicked nearly a year earlier. The bigger issue, however, was structural. By consolidating critical systems such as email, phones, title production and backups into a single environment, the company had unintentionally created a single point of failure.

“Once they got in, they got everything,” he said.

The recovery process was grueling. Negotiations with threat actors stretched over days. Millions of dollars in ransom were paid—only to discover the decryption key didn’t fully work, leaving systems partially locked and data still compromised. Even with insurance, the financial and operational toll was staggering.

Gone in 20 Minutes

While Burns’ story highlights system-wide disruption, Walt’s experience shows how quickly money can disappear. The attack began with a deceptively simple a Google search.

An employee searching for a bank function clicked on a spoofed website that was identical in appearance to the real one. When credentials and multi-factor authentication were entered, the fraudsters captured them in real time. Within minutes, they gained administrative access and began moving money.

“In about 20 minutes, they had stolen a large amount of money,” Walt said.

The attackers were strategic. They initiated wires in amounts that looked like normal transaction activity, making detection harder. At the same time, they flooded employees’ inboxes with spam—hundreds of emails per minute—to bury legitimate security alerts.

The timing was no coincidence. The attack occurred just before a federal holiday, when offices were closing and vigilance was lower. Had the activity gone unnoticed, the losses could have been catastrophic. Ultimately, the company recovered about a little less than half that was stolen. The rest was lost for good.

The First Day as CEO—and a Cyberattack

For Haskins, the crisis hit at the worst possible moment—his first day as CEO. Within minutes of stepping into the role, he received a call about suspicious activity that had been detected, and systems were being compromised.

“It was my first minute as CEO,” he said. “And I thought I had ruined a 173-year-old company.”

His organization was hit with ransomware but, unlike Burns’ company, had diversified systems and functioning backups. That preparation limited downtime to about two days and allowed the company to avoid paying a ransom.

Still, the disruption was significant, and the aftermath lasted far longer than the initial outage. Months later, customers were still receiving notifications, and the company was fielding calls triggered by opportunistic lawsuits and social media posts amplifying the incident.

What These Cases Reveal About Modern Fraud

Across all three stories, several themes emerged:

1. Small Mistakes Lead to Big Losses

  • A single click. A single login. A single missed alert.
  • Each event began with a seemingly minor action that opened the door to a much larger breach.

2. Fraudsters Exploit Timing

Attacks frequently occur:

  • Before holidays
  • After business hours
  • During high-volume closing periods

These windows give criminals time to act before detection.

3. Systems Are Only as Strong as Their Design

  • Centralized systems may be efficient, but they can also amplify risk.
  • Diversification across vendors, platforms and banks can mean the difference between a disruption and a shutdown.

4. Speed Is Everything

  • In wire fraud cases, minutes matter.

“If we hadn’t caught it when we did, it would have been gone,” Walt said.

The Hidden Costs: Reputation, Recovery and Legal Exposure

Beyond the immediate financial losses, panelists emphasized the long-term consequences of fraud.

  • Operational disruption: Companies may be unable to close transactions for days or weeks.
  • Liquidity strain: Firms must often cover missing funds immediately to keep deals moving.
  • Reputational damage: Even when consumers aren’t directly harmed, perception can spread quickly.
  • Legal exposure: Notification requirements, class-action lawsuits and regulatory scrutiny can persist for years.

“You’re not just dealing with the event,” Haskins said. “You’re dealing with it long after it’s over.”

Practical Steps Title Agents Should Take Now

The session emphasized actionable steps agents can implement immediately:

1. Strengthen Banking Controls

  • Regularly audit all users with access to escrow accounts
  • Limit administrative privileges to a small, controlled group
  • Require dual authorization for critical changes

2. Eliminate Risky Habits

  • Never access bank websites via search engines
  • Use bookmarked or verified links only
  • Treat all unexpected emails and calls as suspicious

3. Build Redundancy Into Systems

  • Avoid relying on a single vendor for all operations
  • Maintain offline backups not connected to the network
  • Diversify banking relationships

4. Prepare for the Worst

  • Develop and test a fraud response plan
  • Maintain offline access to critical documents and forms
  • Ensure the ability to continue closings manually if needed

5. Invest in Insurance—and Understand It

  • Cyber insurance is essential, but it’s not a silver bullet. Claims take time, and companies often need to front significant costs during a crisis.
A Shift in Mindset Is Required

Perhaps the most important lesson from the session is psychological. Many companies still operate under the assumption that fraud is unlikely to happen to them. The panelists made clear that mindset is no longer viable.

“If you have a computer or a phone, you can be hacked,” Burns said.

The goal is no longer to avoid being targeted. It’s to be prepared when it happens.

From Awareness to Action

The stories shared at ALTA EDge were sobering—but they also offered valuable clarity. Fraud is evolving. Attackers are faster, more organized and increasingly precise. But the industry is not powerless. By learning from real incidents—what failed, what worked and what changed afterward—title professionals can better protect their businesses, their clients and the integrity of the transaction itself. The difference between a close call and a company-ending event often comes down to preparation.

Resources


Contact ALTA at 202-296-3671 or [email protected].