While the share of mortgage files with errors that pose wire and title fraud risks is lower compared with prior quarters, the mortgage industry is still creating the same vulnerabilities, the latest FundingShield Fraud Analytics Report found.

Total issues found during the first quarter were down to 43.7% for the three-month period, the best since the second quarter of 2022, when 41.2% of files were affected.

In the fourth quarter, 46.1% of files were found to have at least one issue, while for last year's first quarter, it was 46.8%.

This data follows the release earlier this month of the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) annual report. Business email compromise, the driver of most wire fraud attempts on real estate transactions, accounted for over $3 billion of total losses during 2025.

Real estate losses, a separate category in the report, topped $275 million in 2025, up from $174 million one year prior.

What FundingShield found from mortgage file reviews

FundingShield's first quarter review of a portfolio of $106.7 billion of residential, commercial and non-qualified mortgages, as well as securitized collateral, found an average of 2.2 issues per transaction. This is an improvement from the record 3.2 issues in the fourth quarter.

By far, the leading category for fraud vulnerabilities was in closing protection letters. CPL discrepancies were found in nearly 43.5% of transactions reviewed. However, the share is down from 48.8% for the fourth quarter.

These defects were primarily found in borrower data, vesting information, titleholder details and property identifiers.

Wire instruction defects appeared in 6.92% of the files. Transaction participant licensing irregularities totaled 2.37%, driven by credential mismatches, expired licenses, and inconsistent insurance records, FundingShield said.

Trends spotted during fraud file reviews

Ike Suri, CEO of FundingShield, stated in a blog post that the growing differences between lender and title datasets emphasize the necessity for independently verified source-level data. This verified data is critical for confirming identity, authority, and permissions throughout title issuance, payoff processing, wiring, and settlement activities.

FundingShield clients conducted deeper engagement in remediation, workflow refinement and curative processes as part of strengthened collaboration with title companies. This led to a 14% improvement in remediation efficiency plus a measurable reduction in issues per loan by lenders embedding verification earlier in the lifecycle, Suri said.

During the first quarter, federal directives increased pressure on mortgage lenders to strengthen their data accuracy and vendor oversight, which are the core drivers of wire and title fraud.

"The administration's mortgage credit executive order pushed the Consumer Financial Protection Bureau and the Federal Housing Finance Agency, along with banking regulators "toward an effectiveness-based compliance posture, raising expectations for live verification, audit trails, and defensible controls across closing and settlement workflows," Suri said.

Causes of fraud issues in non-conforming mortgages

Meanwhile, activity in the non-conforming, non-government, mortgage market remained strong. Those products typically have a fragmented vendor ecosystem, with lenders showing greater variability in the level of operational controls, which FundingShield said leads to them have higher rates of wire, title and documentation in its reviews.

"The combination of heightened supervisory expectations, increased cyberthreat activity, and operational inconsistency across these lending channels reinforced the need for clean, source level data and independently validated information, pressures reflected in Q1's elevated defect and fraud risk metrics," the blog said.

Events affecting the first quarter

Among the material cyber fraud events still affecting the first quarter's activity was the SitusAMC November 2025 data breach. SitusAMC completed its data reviews and customer notifications by March 17. Class action scrutiny and financial impact assessments continued through the first quarter, which showed the "systemic risk posed by large mortgage tech and outsourcing providers," FundingShield said.

The Trump Administration's decision to enter into a military conflict with Iran resulted in "sustained and escalated cyber activity" from threat actors aligned with the Middle Eastern nation to target infrastructure in this country.

"Iranian groups also continued leveraging ransomware‑style extortion and collaboration with criminal affiliates, increasing risks to financial services, personally identifiable information and wiring‑related data," Suri said.

"These incidents/events mirror the defects FundingShield continues to observe in closing workflows — particularly around wiring instructions, CPL validation, and settlement agent oversight — and reinforce the need for independent, transaction level controls."