Social engineering is the attack class that targets the person, not the system. A fraudster impersonates a party, a lender, an IT vendor, or a bank employee, and talks or emails the office into releasing funds to an account the fraudster controls. The instruction looks legitimate because it arrives on a channel the office already trusts, and the urgency is engineered to push the office past its own verification steps.
The numbers are documented. The FBI's Internet Crime Complaint Center calls business email compromise, the engine behind most of these attacks, one of the "most financially damaging online crimes" facing businesses that move funds by instruction (FBI, Business Email Compromise). FinCEN's updated advisory identifies real estate as one of the top three sectors targeted by business email compromise schemes, citing the large dollar volumes and the common lack of strong authentication for verifying identity and instruction validity in real estate communications (FinCEN Advisory FIN-2019-A006). The DFPI, California's escrow regulator, issued a February 2025 escrow bulletin warning that licensed escrow companies have been hit repeatedly and describing a 2023 case where a single IT-impersonation phone call diverted close to $2 million and put the company into conservatorship (DFPI Escrow Bulletin, February 2025).
The natural reflex is to look for a tool that stops the attack. This article takes a different position. It argues that the control an escrow office can actually rely on is not a social engineering detector. It is a recorded exception path: a control doctrine where every departure from standard procedure is a named decision with a recorded reason, a named approver, and a timestamp on the file. The office decides. Veto records the review.
The argument is narrow. Recorded exception paths do not prevent social engineering, and this article does not claim they do. What they do is make a social engineering attempt reconstructable and attributable. When a fraudster impersonates a party and pushes the office to bypass its own callback procedure, the exception either has a name and a reason on the record, or it is a silent bypass with no record at all. That distinction is what separates a file the office can defend from one it cannot.
What social engineering in an escrow office actually looks like
Social engineering in this industry is almost always a business email compromise or a pretext phone call. The attack rides the same channels the office already uses to do its job, which is what makes it hard to catch.
The DFPI bulletin describes the pattern plainly. Criminals impersonate principals, real estate agents, title officers, or escrow agents to deceive victims into wiring funds to fraudulent accounts or disclosing confidential information (DFPI Escrow Bulletin, February 2025). The 2023 case it details is a textbook IT-impersonation call: a fraudster claiming to be a bank IT employee talked the escrow company into logging into its trust account for a fake data migration, then, while the office's internet was briefly down, initiated multiple outgoing wires diverting close to $2 million. The company could not halt all the wires or replace the shortage. The DFPI took the company into conservatorship.
The FinCEN advisory walks through the email-compromise variant. A criminal compromises the email account of a realtor, a buyer, or a seller, then alters payment instructions to divert sale proceeds, loan disbursements, or commissions to an account the criminal controls (FinCEN Advisory FIN-2019-A006). A slightly altered email address, a lookalike domain, a last-minute instruction change marked urgent. These are the red flags FinCEN lists, and they are the red flags every verification procedure is built to catch.
The FBI's December 2024 public service announcement adds a newer vector: generative AI. The agency warns that criminals now use AI-generated audio to clone voices and impersonate well-known figures or personal relations to elicit payments, and AI-generated video to pose as executives or authority figures in real-time video chats (FBI IC3 PSA I-120324-PSA). The secret-word recommendation the FBI issues for families applies in the office too: any identity claim made over a channel the office does not independently control should be confirmed against a source the office already holds. That confirmation, and whether it was completed or carried as an open item, is what the file should be able to show later.
What a recorded exception path is
An exception path is the documented route a covered instruction takes when the office proceeds with an open item. A payoff figure arrives verbally but is not yet documented. A callback to the party does not connect. A revised instruction lands at the end of the day and the parties cannot wait. In each case the office makes a judgment call: proceed, hold, or escalate.
A recorded exception path captures that judgment on the file. It records five things: who requested the exception, the reason given, who reviewed and approved it, the decision, and the timestamp. The exception appears on the Review Record alongside the rest of the office's review. It is not a silent bypass.
The distinction between a recorded exception and a silent bypass is the whole argument. A silent bypass is the absence of a record where one should exist. The office proceeds past its own procedure, and nothing on the file shows that it did, or why. A recorded exception is the opposite: the departure is named, the approver is named, and the reason is named. Both are decisions the office made. Only one is reconstructable.
This is the named-exception doctrine. Every exception is a named decision with a recorded reason, not a silent bypass. The Review Record captures the full exception path: officer requests exception with reason, approver reviews, and the decision, approver, and reason all land on the record. For how this fits the broader control layer that records what was reviewed before funds move, see Preventing wire fraud in escrow offices using automated control layers.
Why the exception is where social engineering lives
Social engineering attacks are designed to produce an exception. The fraudster does not need to defeat the office's callback procedure. The fraudster needs the office to skip it. Urgency, authority, and a plausible story are the tools, and their goal is to move the office past the step where the fraud would be caught.
This is why the exception is the highest-risk moment in any file. The standard procedure, the callback, the dual control, the independent verification, exists to catch exactly this kind of attempt. When the office proceeds past it, the protection the procedure provided is gone. The only question is whether the file can show what happened next.
A recorded exception path does not stop the fraudster from trying, and it does not detect the fraud. What it does is refuse to let the bypass be silent. If the office proceeds with an open callback, the approver's name and the stated reason are on the record. If the office proceeds because a "lender" called demanding immediate release, that call, the name of the person who approved release, and the reason given are on the record. A reconstructable path is an attributable path. When something goes wrong, the file shows who decided to skip the step and why. That is what an examiner, an underwriter, or a jury eventually wants to know.
What the record captures on an exception path
The Review Record captures the full path, not just the outcome. Five elements belong on the record whenever the office proceeds with an open item.
Who requested the exception. The escrow officer, the processor, or the person who flagged the open item and asked to proceed. Named, not anonymous.
The reason given. The payoff is verbal but matches the prior figure. The party is unreachable and the closing cannot wait. The instruction arrived late and the parties are at the table. The reason is recorded in the officer's own words, not paraphrased after the fact.
Who reviewed and approved it. The named approver, the person whose policy authorizes release despite the open item. If no approver signed off, there is no exception. There is a bypass.
The decision. Proceed, hold, escalate, or return. The office's decision, recorded at the moment it was made.
The timestamp. When the exception was requested, when it was approved, and when the decision took effect. The sequence matters because social engineering attacks depend on collapsing the time between the request and the release.
For how this record fits the five questions behind every disbursement dispute, see Before buyer funds move, build the record. For how staleness and material changes interact with exceptions, see Managing stale records and material changes in closing files.
What happens when the bypass is silent
When the bypass is silent, the file cannot answer. The question "did the office follow its own callback procedure?" becomes a reconstruction exercise that runs on memory and email threads. The question "who approved release when the callback did not connect?" has no answer, because no one was recorded as approving it. The question "why did the office proceed?" is a gap.
The consequences fall into three categories.
Regulatory exposure. The DFPI bulletin is explicit that licensees with trust shortages from social engineering must report immediately, and that knowingly or recklessly disbursing escrow funds resulting in a debit balance, or failing to report a shortage, can trigger administrative action up to license suspension, revocation, or DFPI possession of the business (DFPI Escrow Bulletin, February 2025). A file with a recorded exception shows the office made a documented decision. A file with a silent bypass shows the office made no decision it can prove.
Liability exposure. When a loss occurs, courts and claimants reconstruct the file. As the reported cases show, offices that confirmed instructions but could not prove they resolved the open item against an independent source were held responsible. A recorded exception is evidence of a considered judgment. A silent bypass is evidence of none.
E&O exposure. Errors and omissions carriers ask whether the office has documented procedures and can produce evidence of what was reviewed before a loss. A named exception with an approver and a reason is evidence the carrier can work with. A silent bypass is a hole in the file. The record does not guarantee a favorable outcome. It gives the office something concrete to stand on.
How recorded exception paths map to DFPI, ALTA, and FinCEN expectations
Three external frameworks converge on the same expectation: the office should be able to show what it reviewed, what it decided, and why it proceeded. Each framework phrases the expectation differently, but they all point at the record, not at a claim of prevention.
The table below maps how a recorded exception path on every covered instruction addresses each framework's expectations.
| Framework | What it expects of the office | How a recorded exception path addresses it | |---|---|---| | DFPI Escrow Bulletin (February 2025) | Strict procedures for verifying identity before initiating financial transactions, documented incident response, and immediate reporting of trust shortages (DFPI Escrow Bulletin) | The recorded exception path is the file-level artifact that the office applied its verification procedure and, when it departed from that procedure, documented who approved the departure and why. That is the documentation the bulletin asks licensees to maintain. | | ALTA Best Practices Pillar 2 (Escrow Trust Accounting) | Written procedures for disbursement and dual control on wires, with documented reconciliation (ALTA Best Practices) | The exception record is the evidence that dual control was applied even when the office proceeded with an open item. It captures the named approver, which is the dual control Pillar 2 expects on each file. | | FinCEN Advisory FIN-2019-A006 (BEC red flags) | Awareness of BEC red flags, multi-factor verification of instruction changes, and a transaction verification process that does not rely on the same channel the fraud is riding (FinCEN Advisory) | The recorded exception path shows which source the office used to verify the instruction and whether the verification completed or was carried as a named exception. It documents the independent channel FinCEN asks institutions to use. | | FBI IC3 PSA I-120324-PSA (AI-enabled fraud) | Awareness that criminals use AI-generated audio and video to impersonate trusted parties, and verification of identity claims against a source not controlled by the caller (FBI IC3 PSA) | The exception record captures whether an identity claim was verified against an independent source or carried as an open item with a named approver. It documents the verification step the PSA recommends, or the deliberate, recorded decision to proceed without it. |
The convergence is the point. None of these frameworks ask the office to prevent social engineering. They ask the office to show its work, document its exceptions, and maintain a record that survives reconstruction. A recorded exception path on every covered instruction is the artifact that answers all four.
How this differs from social engineering prevention tools
The social engineering and BEC prevention market is crowded. Most vendors lead with a claim this article deliberately avoids. Closinglock markets "fraud prevention" and "secure wire instructions" (Closinglock). CertifID backs every transaction with up to $5 million in direct insurance per file (CertifID wire fraud prevention). Qualia Shield and FundingShield occupy similar ground, each framing the product as a layer that stops the fraud.
Those tools do useful work. They verify identities, confirm bank accounts, encrypt instruction delivery, detect lookalike domains, and in some cases insure the transaction. The evidence they produce can feed directly into the office's review. What they do not produce is the office's own record of what it decided to do with that evidence, especially when something did not match and the office proceeded anyway.
That is the gap a recorded exception path fills. It records the decision the office made at the moment of release, including the decision to override an open item, who authorized the override, and why. The override at release is the one record the prevention tools do not capture, because their job is to stop the bad instruction, not to document the office's judgment when the office decides to proceed. For how account-level checks fit this picture without becoming approval, see Account checks are evidence, not approval. For how the full ALTA control set fits alongside recorded exceptions, see Implementing ALTA Best Practices for settlement fund security.
The boundary between recording and deciding
This is where the doctrine draws its line, and it is important to state it plainly.
Veto records the review. It does not approve, authorize, guarantee, insure, verify, release funds, validate identities, confirm bank accounts, authenticate payees, detect social engineering, prevent social engineering, or make wires safe to send. The escrow office remains the release authority.
The office decides. Veto records the review.
That boundary is what makes the recorded exception path useful. The record is not a stamp of correctness. It is a timestamped account of what the office reviewed, what the evidence showed, what stayed open, who approved proceeding, and why. It is valuable precisely because it does not pretend to be more than it is. A record that claimed to detect or prevent social engineering would overstate what any record can do. A record that honestly states the exception path, the approver, and the reason is the artifact that holds up when the file is examined. The honesty is the utility.
Run a live-file control test
The way to see whether this doctrine belongs in your file is to run it on one real disbursement, before the next one closes.
Take a covered instruction from a recent or pending file where the office proceeded with an open item. Build the exception record: who requested the exception, the reason given, who reviewed and approved it, the decision, and the timestamp. Then ask whether that record would answer the questions a social engineering loss surfaces if the file were reconstructed six months from now. Did the office follow its own callback procedure? If not, who approved proceeding, and is that name on the file? What reason is recorded, and does it match what the office would say today?
If the exception is already named on the record, the doctrine is already operating. If it is not, the file test is where to start. The office's own evidence, on one real file, is the test that matters. Run a live-file control test and see what the file can prove today.
Frequently asked questions about recorded exception paths and social engineering
### What is a recorded exception path in an escrow office?
A recorded exception path is the documented route a covered instruction takes when the office proceeds with an open item. It records who requested the exception, the reason given, who reviewed and approved it, the decision, and the timestamp. The exception appears on the Review Record alongside the rest of the office's review. It is not a silent bypass. It is a named decision with a recorded reason.
### Does a recorded exception path prevent social engineering?
No, and this article does not claim it does. A recorded exception path does not detect, block, or prevent social engineering. What it does is make a social engineering attempt reconstructable and attributable. When a fraudster pushes the office past its own verification procedure, the exception either has a name and a reason on the record, or it is a silent bypass with no record at all. The doctrine targets the silence, not the fraud.
### How does a recorded exception path differ from a social engineering prevention tool?
Prevention tools verify identities, confirm bank accounts, encrypt instruction delivery, and detect lookalike domains. They produce evidence the office can review. A recorded exception path consumes that evidence and records what the office decided to do with it, including the decision to proceed when something did not match and who authorized the override. The override at release is the one record prevention tools do not capture, because their job is to stop the bad instruction, not to document the office's judgment when the office decides to go forward.
### What should the office record when it proceeds with an open callback?
The office should record who requested the exception, the reason given, who reviewed and approved it, the decision to proceed, and the timestamp. If a callback did not connect and the office proceeded anyway, the approver's name and the stated reason belong on the record. The record is timestamped at sign-off and retained for the life of the file. A silent bypass, where the office proceeds with no record at all, is the pattern that creates the most exposure when a loss is later examined.
### Can the office proceed if an identity claim cannot be verified against an independent source?
Yes, if the office's own policy allows it and the approver signs off. The recorded exception path does not forbid exceptions. It requires that they be named. The FBI's December 2024 PSA on AI-enabled fraud recommends verifying identity claims against a source not controlled by the caller, but it does not mandate a specific method (FBI IC3 PSA I-120324-PSA). The control doctrine requires that if the office proceeds without that verification, the decision is recorded with the approver and the reason, not carried silently.
### How does the DFPI escrow bulletin on social engineering affect what the office should record?
The DFPI's February 2025 escrow bulletin warns that licensed escrow companies have been repeatedly targeted and describes a 2023 case where a single IT-impersonation call diverted close to $2 million (DFPI Escrow Bulletin). It expects licensees to implement strict procedures for verifying identity before initiating financial transactions, report trust shortages immediately, and document incident response. A recorded exception path on every covered instruction is the file-level artifact that the office applied its procedure and, when it departed from that procedure, documented who approved the departure and why. That is the documentation the bulletin asks licensees to maintain.
This article describes a control doctrine for escrow offices. It is not legal advice and does not classify any office as compliant or noncompliant with DFPI requirements, ALTA Best Practices, FinCEN advisories, or E&O carrier expectations. Veto does not verify, approve, certify, guarantee, insure, detect social engineering, prevent social engineering, or make wires safe to send. Veto records the review, captures named exceptions with approver and reason, marks records stale, blocks releases on stale records, and logs the audit trail. The office decides. Veto records the review.
