Rocky the Raptor here, RPost’s cybersecurity product evangelist. Let me tell you the story of a real estate transaction that could have possibly ended in BEC/wire or escrow fraud. Though I’ve got eyes sharper than a closing attorney reviewing a title commitment, I admit this one almost slipped through the cracks!
It started as thousands of legitimate transactions do. A title insurance company in the U.S. was doing its due diligence on a property in Coppell, Texas. Emails flew back and forth among them, and other parties, containing documents such as title commitments, tax certificates, and, later… a Power of Attorney.
Everything looked clean and…normal. And if you were just watching the sender’s network, this deal would have headed straight to closing. But I see beyond an enterprise network’s perimeter; watch what happens after messages leave your control.
The first crack appeared when one of those sensitive and important emails was opened in Lagos, Nigeria, on an Android device. Now that didn’t make sense to my Raptor brain at all.
Why was a Texas real estate deal being overseen by a U.S. title company, with a Gmail recipient, being viewed in Nigeria? And as I spotted on my Raptor radar, why is the device configured in English (ok), Dutch (unusual…), and Russian (very unusual!) languages?
This wasn’t a random coincidence of just a traveler checking email at the airport. This was a pattern anomaly. And here’s what likely explains it.
The adversaries weren’t sloppy. They were practical. They were likely operating from Nigeria - yes, a region long associated with financially motivated BEC activity. But their device? It was configured in English, Dutch, and Russian for a reason.
English was needed for interacting with U.S. targets and reading transaction documents. Dutch is fairly common in European fraud ecosystems, shared toolkits and templates, and often appears on systems reused across campaigns. Russian, on the other hand, is frequently seen in cybercrime forums, tooling environments, and cracked software ecosystems.
My Raptor brain immediately deduced this device isn’t “personal.” It’s a working platform used across multiple fraud campaigns, regions, and toolchains.
So, what exactly was the cybercriminal doing? Not attacking – at least, not yet, but silently watching. This is what is commonly known as the Recon Phase. In real estate transactions, BEC attackers gain visibility into email flows, monitor quietly, and wait for the right moment when the money is about to move.
If this had gone undetected, here’s what typically follows:
Everything looks legitimate, except the money goes somewhere else. And once it’s gone, it doesn’t come back.
This time, because of RPost’s RAPTOR AI, the title company didn’t just see the email delivery or opens. They saw WHO accessed it, WHERE they accessed it from, WHAT device they used, and HOW that behavior deviated from normal. Without this visibility, this would look like a normal Gmail open - no alarm, no signal, and no warning.
With RAPTOR AI, the firm was able to see:
Now, this wasn’t noise. This was someone watching the deal unfold in real time. And if no one had intervened, this transaction had a high probability of ending in wire or escrow fraud.
This matters because most cybersecurity tools protect the sender, scan the message, and maybe block a link. But they don’t see what happens after delivery. That’s the blind spot attackers live in, and that’s where I hunt…
In real estate fraud, the attack doesn’t start with a hack; it starts with visibility. And this time, the criminal had visibility. But so did we! Want your sensitive deals to go through without any glitches?
April 03, 2026
March 27, 2026
March 20, 2026
March 13, 2026
March 06, 2026
Blog