Vol. 1, No. 1 · 2026-06-28

RADAR Weekly Brief

What fraud is hitting escrow now. Techniques, one sourced signal, and a field note — published weekly from public records and reported cases.

01 · Patterns

This week's patterns

Three techniques appeared across reported cases and regulatory actions this period. Each names the method, not the office.

Lookalike-domain redirect

A fraudster registers a domain that differs from the legitimate seller or agent by a single character — swapping an "m" for "rn," or adding a hyphen — then sends revised wiring instructions from that domain. The mismatch is visible if the office compares the sender domain to the one already in the file, but invisible if the reply is read in isolation.

Source: Mago v. Arizona Escrow & Financial Corp. (Ariz. Ct. App. 2023) →

Channel-convergence closure

The office flags an open item — a payee name that does not match, a new account, a changed bank — and asks for confirmation. The confirmation comes back through the same compromised channel the fraud is riding on. The open item gets "closed" without the office ever checking an independent, known-good source. The question was raised. The question was never resolved against a source the fraud could not reach.

Source: Chicago Title v. Earnspark (S.D.N.Y. 2026, pending) →

Filtering-rule suppression

A fraudster infiltrates a party's email account and sets up mailbox filtering rules that hide the other side's messages from the account holder. The fraudster sends revised instructions to the paying party, collects the funds, and the legitimate account holder never sees the warning messages that would have exposed the redirect. The office wires against instructions it believes are confirmed, because no one on the compromised side objects.

Source: Beau Townsend Ford v. Don Hinds Ford (6th Cir. 2018) →
02 · Signal of the week

Signal of the week

815DFPI enforcement actions in 2024

815 enforcement actions were recorded by the DFPI in 2024, the second-highest annual total across 30 years of indexed records, behind 821 in 2007. Source: DFPI Actions and Orders.

03 · Field note

Field note

Three cases this quarter turned on the same gap: the office asked, got an answer, and wired — without checking whether the answer came from anywhere the fraud could not reach.