The Hover Test: 3 Email Checks That Catch AI-Powered Phishing

For years, the advice was simple: look for typos. Bad grammar. Weird formatting. If the email looked sloppy, it was probably a scam.

That advice will get your clients robbed.

AI writes flawless emails now. Perfect grammar. Correct formatting. Professional tone. And here's the part that should concern you: scammers don't send random emails anymore. They use AI to read your social media, see your Friday closing, and send a specific email about it.

Context-aware phishing is the new normal. A scammer sees your "Just closed!" post on Instagram, cross-references the property address from public records, identifies the title company from the listing, and sends your client a perfectly written email with "updated wiring instructions" — from what appears to be the title company's address.

The FBI reported $446 million in real estate wire fraud attempts in 2023, with 9,521 real estate cyber crime complaints filed that year. Those numbers were before AI-powered phishing hit its stride. The old defenses are gone. You need new ones.

Hover your mouse over the sender's email address. Not the display name — the actual address. What does the domain say?

The display name might read "John Smith — Pacific Title Company." But hover over it and the actual address is john@pac1fic-title.com. See the "1" where the "i" should be? That's a spoofed domain.

Real examples that fool agents every day:

support@titlecompany.com vs. support@titlec0mpany.com
closing@firstamerican.com vs. closing@first-american-closing.com
sarah@abcrealty.com vs. sarah@abc-realty-group.com

On mobile, tap and hold the sender's name to reveal the full address. On desktop, hover. Takes two seconds. This single check catches roughly half of all phishing attempts because scammers rely on you reading the display name and moving on.

Make it a habit. Every email that mentions money, wiring, or closing — hover first. No exceptions.

This one is sneakier. The sender's address looks legitimate. The domain checks out. But hit reply and look at the "To" field before you send.

Scammers can set a reply-to address that's different from the displayed sender. The email arrives from sarah@pacifictitle.com — a real address. But the reply-to is set to sarah@pacifictitle-secure.com — a scammer's domain. Most people never notice because they don't look at the reply field before hitting send.

On Gmail, click reply and check the "To" field. On Outlook, same thing. Does it match the address the email came from? If not, stop. That mismatch is deliberate.

This is especially dangerous in real estate because you're often emailing with people you've never met. You've never emailed this title officer before, so you don't have a baseline. You don't know what their normal email address looks like. The reply-to trap exploits that unfamiliarity.

"Wire must be sent by 3pm today or the closing falls through."

That sentence is a red flag. Not because urgent things don't happen in real estate — they do. But because scammers manufacture urgency to bypass your judgment. They need you to act before you think.

The Urgency Audit is simple: the higher the urgency, the higher your suspicion. If an email demands immediate action on anything involving money, slow down. Call the sender directly using a saved number. Verify the request through a different channel.

Legitimate title companies and lenders don't typically send last-minute wiring changes via email. When they do, they expect you to verify. A real professional will never be offended by a callback. A scammer will pressure you to skip it.

This maps directly to the OODA Loop framework from the AI Acceleration course. Observe the email. Orient — recognize the urgency trigger. Decide to verify before acting. Act only after confirmation through a separate channel. The agents who get burned are the ones who skip from Observe straight to Act.

Five words: "Updated wiring instructions attached."

This is the single most dangerous email a real estate professional can receive. Title companies change wiring instructions sometimes — it happens. Scammers know this. They exploit the fact that it's plausible.

Here's how the attack works. A scammer monitors your public transaction timeline. They know the closing date from public records or your social media. Two days before closing, they send your buyer an email — from what appears to be the title company — with new wiring instructions. The email is perfectly written, references the correct property address, uses the right names, and includes a professional-looking PDF.

68% of Realtors now use AI tools, which means more digital footprint, more public transaction data, and more attack surface for scammers. 75% of U.S. brokerages now use AI tools — the industry's digital exposure has never been higher.

Apply the OODA Loop. Observe: you received updated wiring instructions. Orient: this is one of the most common attack vectors in real estate fraud. Decide: you will not act on this email without verification. Act: call the title company on their known number and confirm.

AI voice cloning can replicate a voice from 3 seconds of audio, so don't even trust a phone call that comes TO you about wiring changes. You call them. You initiate. That's the only safe path.