Is your law firm protected from business email compromise (BEC)?

Law firms are at particular risk for business email compromise. These 10 red flags can help your firm identify a potential attack and avoid becoming a victim.

Law firms are attractive targets for cybercriminals. Many lawyers act in a fiduciary capacity for funds held in trust and regularly exchange highly confidential information. In addition to the wealth of valuable and sensitive information you store, you might pay litigation service providers, or transfer, receive or manage settlement funds. You store private information. You conduct much of your business by email. You’re often on a client or court deadline, or you’re sometimes dealing with a crisis.

All of this makes your law firm vulnerable to “business email compromise,” or BEC. This involves fraudulent communications in which bad actors try to get you to transfer money, divulge private information, or take some other action for nefarious purposes. BEC hackers often pose as senior-level professionals in your organization, donning a digital mask that is meant to seem familiar to you.

In this scenario, based on real events, a law firm learned its lesson the hard way. It was 4:30 p.m. on a Friday. All the firm’s employees were working remotely due to the COVID-19 pandemic. An important deadline loomed in litigation involving one of the firm’s biggest clients. Hackers infiltrated a senior partner’s email account (we will call him “Bill”) and sent a spoofed email to another member of the firm, “Paul,” even using his nickname, “P.J.” Posing as Bill, the hacker instructed Paul to “wire funds ASAP” as part of an important loan transaction. The hacker had previously collected bits of information about the deal and sprinkled a few details into the email to Paul, giving Paul no reason to think it was anything other than a legitimate request. As instructed, Paul transferred $1 million to a bank in Asia. Just hours later, by the time Bill and Paul realized they had been duped, it was too late for the firm’s bank to reverse the transfer. A judge would later find that the bank did nothing wrong in executing the transfer since Paul confirmed the instructions for the bank before the wire was sent.

Bill and Paul are not alone in falling for such a ploy. BEC is big business, and the perpetrators are sophisticated. Alarmingly, it’s not just private criminals using BEC. Nation-states are starting to use it, too. The FBI estimates that during a roughly five-year period, the global cost of BEC attacks rose to more than $43 billion, including $9.1 billion domestically.

Ten BEC red flags to watch out for

Fortunately, there are specific clues that law firms, their clients, their employees, and their suppliers can watch for to avoid falling prey to one of these costly scams.

  1. “Innocuous” questions. Before making their “big ask,” the bad guys will often try to get you to disclose seemingly innocuous information which they use to execute their fraud. Beware of these “simple questions,” like “how do you process invoices?” These questions may be accompanied by a scrap of information the hacker picked up elsewhere, adding to your comfort level. In the rush of the day, you might simply answer such questions, but they could be coming from criminals fishing for pieces of the puzzle or code that will unlock your email system and drain your account.
  2. A sense of urgency. Fraudsters will often fabricate a sense of alarm, making you believe you must act fast to hit a deadline or avert calamity. For example, their request may arrive at 4 p.m. on a Friday before a holiday weekend with instructions that “we really need to get this done by 5 p.m.” Again, they may be posing as a senior member of your firm. The timing before a weekend also gives the fraudster more time to move the money before it gets noticed.
  3. A crisis in progress. BEC scams sometimes coincide with natural disasters, whether it's a wildfire or hurricane or pandemic. This plays to the urgency of a request and exploits chaotic situations during which decisions may be made without the usual rigor, contemplation, or adherence to protocol.
  4. Misspellings. Who among us has not sent an email with a typo or a dreaded misspelling? But when common words, proper nouns, or basic grammar are not correct, this should signal to you that the sender may not be a senior partner at your firm.
  5. Email variations. BEC hackers are adept at making email addresses look legitimate, but they may contain slight variations either in the format of the email or the domain name. For example, FirstInitialLastName@yourlawfirm.com may present as FirstName.LastName@yourlawfirms.com. Close, but not correct.
  6. New phone numbers. Bad actors will often ask that you call them back at a number they provide. While this may appear to be for your convenience, you may find out that the number belongs to a criminal. Often these calls will only go to voicemail. A cunning new tactic they are using is to grab recorded snippets of a person’s actual voice, then cut and paste them into voicemails they leave you. Be wary of instructions left on voicemail recordings and be sure to connect with the colleague or client live.
  7. Process deviations. To get you to transfer funds or approve a transfer, the BEC fraudsters often ask their targets to deviate from their usual way of doing business. They may suggest another level of approval is “unnecessary in this instance” because of the “sensitivity of the matter” or, again, due to exigent circumstances.
  8. Elements of truth. Adept BEC fraudsters will include information that makes it sound like they are part of your organization or involved in one of your projects. Some of that information could simply be publicly available, or something they misappropriated through another seemingly innocuous but fraudulent request.
  9. Changes in attitude. Even if you have access to someone’s email account, it’s difficult to mimic the tone of their writing or their approach to written communications with people who know them well. If the email you receive is uncharacteristically friendly or oddly curt, this should raise a red flag.
  10. Changes in players. If there is suddenly a new contact person mentioned in an urgent email, that may be because they don’t exist. Conversely, the sudden removal of an email recipient from an email chain could also signal that something sinister is going on.
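
Red flag 5 is one of the few items on this list that a mail filter can check automatically. The Python below is an added example, not part of the original article: it flags a sender whose domain is a near-match of the firm's domain or whose local part breaks the firm's address format. The names `check_sender`, `TRUSTED_DOMAINS` and `LOCAL_PART_RULE`, the letters-only address convention, and the distance threshold of 2 are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"yourlawfirm.com"}       # example domain used in red flag 5
LOCAL_PART_RULE = re.compile(r"^[a-z]+$")   # assumed firm convention: "bsmith", no dots


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, max_distance: int = 2) -> list[str]:
    """Return red-flag codes for the value of one From header."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if not local or not domain:
        return ["unparseable"]
    findings = []
    if domain not in TRUSTED_DOMAINS:
        near = [t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= max_distance]
        if not near:
            return findings              # unrelated external domain: nothing to report
        findings.append("lookalike-domain")
    # On the firm's domain or a lookalike of it, the address format matters too.
    if not LOCAL_PART_RULE.match(local):
        findings.append("format-deviation")
    return findings


# Constructed sample headers, not taken from any real message.
SAMPLES = [
    "Bill Smith <bsmith@yourlawfirm.com>",
    "Bill Smith <bill.smith@yourlawfirms.com>",
    "Bill Smith <bill.smith@yourlawfirm.com>",
    "Court Clerk <clerk@court.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:50} -> {check_sender(header) or 'ok'}")
```

Edit distance catches added, dropped or swapped characters; it does not catch visually similar Unicode characters or an unrelated domain paired with a familiar display name, so a check like this supplements the human review described in this list rather than replacing it.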

Knowing these red flags, and sharing them widely with your lawyers, staff, clients, and service providers, may help to reduce the risk of your firm falling victim to business email compromise. To learn more about protecting your organization from cyber threats, contact your relationship manager.

FBI Internet Crime Complaint Center. 2022. “Business Email Compromise: The $43 Billion Scam.” Accessed January 9, 2023.

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.