01 · PatternsThis week's patterns
Three techniques appeared across reported cases and regulatory actions this period. Each names the method, not the office.
Lookalike-domain redirect
A fraudster registers a domain that differs from the legitimate seller or agent by a single character — swapping an "m" for "rn," or adding a hyphen — then sends revised wiring instructions from that domain. The mismatch is visible if the office compares the sender domain to the one already in the file, but invisible if the reply is read in isolation.
Source: Mago v. Arizona Escrow & Financial Corp. (Ariz. Ct. App. 2023) →Channel-convergence closure
The office flags an open item — a payee name that does not match, a new account, a changed bank — and asks for confirmation. The confirmation comes back through the same compromised channel the fraud is riding on. The open item gets "closed" without the office ever checking an independent, known-good source. The question was raised. The question was never resolved against a source the fraud could not reach.
Source: Chicago Title v. Earnspark (S.D.N.Y. 2026, pending) →Filtering-rule suppression
A fraudster infiltrates a party's email account and sets up mailbox filtering rules that hide the other side's messages from the account holder. The fraudster sends revised instructions to the paying party, collects the funds, and the legitimate account holder never sees the warning messages that would have exposed the redirect. The office wires against instructions it believes are confirmed, because no one on the compromised side objects.
Source: Beau Townsend Ford v. Don Hinds Ford (6th Cir. 2018) →