When Something Feels Wrong: The First 48 Hours for an Independent Escrow Office

A wire funded yesterday and now won't confirm on the other end. Or a seller suddenly won't take a phone call. An instruction reads slightly off; an email thread's tone has changed.

A 48-hour incident timeline expands the first hour for immediate action and preserves a single incident log.

A wire funded yesterday and now won't confirm on the other end. Or a seller suddenly won't take a phone call. An instruction reads slightly off; an email thread's tone has changed.

Every escrow officer eventually gets the feeling, and the feeling is not paranoia, it's pattern recognition built on a thousand clean files. The difference between a near-miss and a claim is rarely the sophistication of the fraud. It's what the office does, and records, in the first hours after the feeling.

This is the playbook for that window: suspicious instructions, possible email compromise, wire recall, bank communication, escalation, and the paper trail that has to exist whether the money comes back or not.

Who this guide is for

Independent California escrow offices, the officer who first senses the problem, the owner who gets the call, and the manager coordinating between them. Especially small offices with no in-house counsel or IT, where the response plan is otherwise whatever gets improvised on the day.

What this guide helps you do

  • Act on suspicion immediately, without waiting for certainty.
  • Run the bank-recall sequence in the hours when recall has its best odds.
  • Contain a possible email compromise before it reaches other files.
  • Escalate to owner, bank, regulator, insurer, and counsel in the right order, with the right records.
  • Build a contemporaneous incident file that serves the office in recovery, claims, and any later review.

1. Act on the feeling, suspicion is the trigger, not proof

Officers wait to be sure before "making it a thing." Fraud exploits exactly that pause. The classic version: the officer spends a day quietly re-reading emails, hoping for an innocent explanation, while a fraudulent wire clears and the same compromised thread lines up a second file.

Check: one triage question sets the speed. Has money moved, is it about to move, or is this an instruction not yet acted on? Money moved, bank first, minutes matter. Money pending, freeze the file. Instruction only, reject and review per your late-change process.

Record: a first note, immediately: date, time, what you observed, in your own words. Two sentences now beat two paragraphs tomorrow. This note anchors the whole timeline.

Don't assume a false alarm costs anything next to a real one sat on. An office where officers escalate feelings freely is a control in itself.

2. Freeze the file, and check its neighbors

The instinct is to treat the suspicious item as one bad email on one file. But the attacker typically has visibility into a whole thread, and threads span files. You reject the fraudulent instruction on file A while the same compromised agent mailbox feeds a "corrected" instruction into file B, where a different officer, unaware, funds it.

Check: halt pending disbursements on the affected file. Then sweep: every open file with the same parties, same agent, same lender, or same email domain. Alert every officer in the office within the hour, verbally and in writing.

Record: the hold (who placed it, when), the sweep list, and the office-wide alert.

Don't assume the attacker only wants the biggest wire. Payoffs, commissions, and refunds are all targets.

3. Possible email compromise: contain before you diagnose

If any mailbox in the transaction is compromised, a party's, an agent's, or your own, everything sent by email is potentially read or forged, including your warnings. The office emails the seller "call us, we suspect fraud"; the attacker reads it, deletes it, and answers reassuringly.

Check: move sensitive communication off email now, verified phone numbers only. If office-side compromise is plausible, look for unfamiliar inbox rules, forwarding, and sent items; change passwords; enforce multi-factor; get your IT provider or email host in the same day. Whose mailbox is affected is a fact question, note what supports each possibility rather than guessing.

Record: channels shifted and when; the origin assessment labeled fact / interpretation / unknown; IT findings as they arrive; every remediation step, timestamped.

Don't assume a clean-looking inbox means a clean account, rules and forwarding are invisible in normal use. And don't announce conclusions ("the agent got hacked") to parties before facts support them. Record observations, not accusations.

4. The bank call: minutes, not meetings

If a wire went to a fraudulent account, the realistic recovery path runs through the banks, fast, your bank's fraud department requesting recall, and the beneficiary bank freezing funds before they move again. Funds at the receiving end typically disperse within hours. The failure mode is spending the first hour drafting an internal summary, or calling the branch's general line.

Check: call your bank's fraud department directly, have that number posted before you ever need it. Give the wire reference, amount, date, and beneficiary details; say plainly that you're reporting suspected fraud and requesting recall and a hold on the beneficiary account. Ask whether the bank needs a Hold Harmless Letter or Letter of Indemnity to act, ask what else it needs in writing, and send it within the hour. Ask whether it will contact the beneficiary bank and whether a hold was placed. Then file a detailed IC3 complaint with the full banking information, the bank call comes first; the complaint follows with the specifics. Recovery is never certain. Speed is the one variable the office controls.

Record: every bank contact, time, number, person and department, exactly what you requested, what they said, case numbers, and every written follow-up.

Don't assume the recall succeeded because the bank "took the request." A hold is a separate fact. Chase the confirmation and get it in writing.

5. Owner escalation: one decider, one voice, one log

Incidents go badly when it's unclear who decides, who speaks, and who writes things down. Two people call the bank with different versions. Nobody notifies the carrier inside the policy's notice window. A well-meaning email to the parties makes an admission the office didn't intend.

Check: the owner (or designated manager) is notified immediately and takes the incident, one decision-maker, one external voice, one log-keeper. The officer who found it keeps working the facts; the owner works the notifications and decisions.

Record: when the owner was notified and by whom; who holds each role; every decision, with the alternative considered where it matters.

Don't assume you should shield the owner until the picture is complete. The picture is never complete in the window when the owner's decisions matter most.

6. Insurer and counsel: notice early, statements carefully

Fidelity, crime, cyber, and E&O policies carry notice conditions, and late notice can jeopardize coverage. Meanwhile, everything the office writes to parties during an incident may be read later in a dispute. The two failure modes: waiting to notify the carrier until the loss is "confirmed," and an apologetic email that reads, in a later claim, as an admission.

Check: read your policies' notice provisions now, not during an incident, your actual terms govern, and this guide is neither legal nor coverage advice. When something happens, err toward early notice through your broker or the carrier's claims line. Get counsel before written communications to parties about cause or responsibility, and before answering any demand. If personal information may have been acquired by an unauthorized person, have counsel evaluate California breach-notification duties under Civil Code section 1798.82.

Record: notice given, when, to whom, how, claim number; counsel engaged and when; who reviewed each outbound party communication.

Don't assume sympathy language costs nothing later. "We're working urgently on this with our bank" informs. "We should have caught this" concludes. Facts and actions only, until counsel weighs in.

7. Talking to the parties

Buyers, sellers, and agents deserve prompt, honest communication, delivered without speculation, blame, or promises the office can't keep. Silence breeds panic and lawyers; overstatement ("we'll make you whole") creates commitments the office shouldn't be conceding.

Check: call at verified numbers. Say what's factually true: a suspicious instruction was identified, funds are held or a recall was requested, the bank and authorities are engaged, here's your single point of contact, don't act on emailed instructions. If a party's mailbox looks compromised, tell them to secure it now, that warning protects them on every transaction they have.

Record: each contact, time, channel, who spoke, what was said. Follow with counsel-reviewed written confirmation where appropriate.

Don't assume the parties' other professionals have been told by someone else. Coordinate through the single voice.

8. Build the incident file as you go

Whether funds return or not, the incident has a second life: claims, possible litigation, insurer questions, and your own post-mortem, all of it running on the record made during the incident, not after. The trap is letting recovery consume all attention while the log stops, then reconstructing three chaotic days from memory and phone bills.

Check: one running log, kept contemporaneously by one person, every event timestamped. Preserve everything in original form, the fraudulent emails with full headers, the instruction versions, the inbox rules found. Don't "clean up" the compromised mailbox before IT and counsel say so. The artifacts are evidence.

Record: the log; the preserved originals; the outcome of every recall and hold; the final disposition of funds; and, once the dust settles, a dated post-incident review, what happened, what worked, what changed.

Don't assume a recovered wire ends the matter. The weakness that let this attempt in is still there until the review closes it.

A 48-hour incident timeline expands the first hour for immediate action and preserves a single incident log.

First-48-hours table

HourActionOwner
0First note written; triage: moved / pending / instruction onlyOfficer
0-1File frozen; neighbors swept; office alertedOfficer + manager
0-1Money moved: bank fraud line called; recall/hold requestedOwner
0-2Owner notified; roles set (decider / voice / log-keeper)Officer → owner
0-4Compromise containment; IT in if office-side plausibleManager + IT
0-4IC3 complaint filed with full banking details if funds movedOwner
0-4Escrow funds stolen or misappropriated: DFPI Commissioner + EAFC reportedOwner
0-8Parties called at verified numbersOwner (single voice)
0-24Carrier notice per policy; counsel engagedOwner
24-48Bank follow-ups; hold confirmed in writing; log currentOwner + log-keeper

Risk / what to check / what to record

RiskWhat to checkWhat to record
Recall window lostFraud line reached within minutes/hoursBank log: times, names, requests, case numbers
Spread to other filesSame parties/agent/domain across open filesSweep list; alert; holds placed
Attacker reading remediationSensitive comms off emailChannel-shift note; IT findings
Coverage jeopardizedPolicy notice terms; early notice givenNotice date, recipient, claim number
Inadvertent admissionsCounsel review of written party commsReviewer; versions sent
Evidence destroyedOriginals preserved; mailbox untouched until clearedPreservation note; artifact list

Incident opening note template

Incident Note, File [number] Date/time: ____ Author: ____ Observed (facts only, own words): ____ Triage: money moved / disbursement pending / instruction only Immediate actions: file hold ____ / bank called ____ / owner notified ____ Origin assessment (fact / interpretation / unknown): ____ Log-keeper: ____

Bank recall call script

"This is [name], [title] at [office name], account [number]. I'm reporting a suspected fraudulent wire and requesting an immediate recall and a hold on the beneficiary account. Wire reference ____, sent [date], amount ____, to [beneficiary bank / account]. Three things: is a hold being requested from the beneficiary bank now, what case number is assigned, and what do you need from me in writing, including any Hold Harmless Letter or Letter of Indemnity? I'll send it within the hour."

Common mistakes

  • Waiting for certainty before calling the bank.
  • Investigating quietly for a day before telling the owner.
  • Emailing warnings through the channel that may be compromised.
  • Three people calling the bank and the parties with three versions.
  • Notifying the insurer only after the loss is confirmed and quantified.
  • Cleaning the mailbox, deleting the fraudulent emails and rules, before anyone preserves them.
  • Ending the incident when the money comes back, with no post-incident review.

What to save in the file

The contemporaneous, timestamped log. The fraudulent communications in original form, with headers. Every instruction version, status-labeled. The bank log with case numbers and written hold confirmations. The neighboring-file sweep list. IT findings and remediation steps. Carrier notice records and claim numbers. Counsel engagement date. Every party contact note. The final funds disposition. The post-incident review memo. Together they answer the one question every later reader, bank, carrier, regulator, court, or your own office, will ask: what did the office know, when, and what did it do?

When to escalate

Owner: immediately, on suspicion, always. Bank fraud department: within minutes if money moved. DFPI and the Fidelity Corporation: per DFPI guidance, an escrow agent must immediately report theft or misappropriation of escrow funds to the Commissioner and to the Escrow Agents' Fidelity Corporation, and DFPI encourages reporting a cyber incident with a California nexus within 48 hours or as soon as possible. IT: same day if office-side compromise is plausible. Insurer or broker: promptly per policy notice terms, when in doubt, notify. Counsel: before written statements to parties about cause or fault, and on any demand. Law enforcement: IC3 promptly for moved funds; further contact as counsel advises. Underwriter or key lender partners: as contracts and counsel require. Policy terms and counsel govern; this is operational guidance, not legal advice.

How Veto fits

An incident is a stress test of your records. The offices that come through cleanly are the ones whose files already showed, before anything went wrong, what changed, what was checked and against which source, what stayed open, who reviewed, what the office did. Veto is that review-record layer in ordinary operation, so when the extraordinary day comes, the pre-incident record already exists and the incident log picks up from evidence instead of memory.

Money leaves. The record stays.

Printable checklist

INCIDENT RESPONSE, FILE #____   Started: ____ (date/time)

Immediate (Hour 0-1):
[ ] First note written (facts, own words, timestamp)
[ ] Triage: MONEY MOVED / PENDING / INSTRUCTION ONLY
[ ] File frozen, all pending disbursements held
[ ] Money moved: bank FRAUD LINE called, time: ____
[ ] Recall/hold requested, case #: ____
[ ] Owner notified, time: ____

Containment (Hour 0-4):
[ ] Neighboring files swept (same parties/agent/domain)
[ ] Office-wide alert issued
[ ] Sensitive comms moved to verified phone only
[ ] Inbox rules / forwarding checked; IT engaged: Y / N
[ ] Originals preserved, nothing deleted

Notifications (Hour 0-24):
[ ] Roles set: decider ____ voice ____ log-keeper ____
[ ] IC3 filed with banking details if funds moved
[ ] DFPI + EAFC reported if escrow funds stolen/misappropriated
[ ] Parties called at verified numbers, single voice
[ ] Carrier notice per policy, claim #: ____
[ ] Counsel engaged before written party statements

Follow-through (24-48+):
[ ] Bank hold/recall confirmed IN WRITING
[ ] Incident log current and timestamped
[ ] Funds disposition recorded
[ ] Post-incident review scheduled, date: ____

One page in the file before money moves.

Your office decides. Veto records what was reviewed, what stayed open, and who reviewed it.