Business Email Compromise (BEC) is consistently one of the costliest cybercrime categories the FBI's Internet Crime Complaint Center (IC3) tracks. In 2023 alone, it accounted for over $2.9 billion in reported losses, and that is only what gets reported. Legal professionals are disproportionately targeted, and the reasons are structural, not random.
What Makes Law Firms Such an Easy Mark
The answer isn't that lawyers are careless. It's that the way law firms operate makes them structurally vulnerable in ways that general IT advice doesn't address.
- Attorneys regularly send and receive large wire transfers on behalf of clients — real estate closings, settlements, trust disbursements
- Wire instructions frequently arrive by email, which is trivially easy to intercept or spoof
- Law firms operate with high urgency and strict deadlines — attackers exploit time pressure to bypass verification
- Client confidentiality culture can delay internal reporting of suspicious emails
- Many small-to-mid firms still run legacy email configurations with no SPF record, no DKIM signing, and no DMARC policy that receivers actually enforce (p=none, or no record at all)
A Connecticut law firm received an email that appeared to come from a client, requesting a change to the wire transfer destination for an upcoming real estate closing. The email domain was a single-character typo from the real client domain. The request was processed. $7M nearly left the firm's escrow account before Black Tower Cyber's monitoring triggered an alert. The transfer was stopped — but only by 11 minutes.
How BEC Attacks Against Law Firms Actually Work
// Phase 1: Reconnaissance
Attackers don't guess. They research. Using LinkedIn, court filings, state bar directories, and your firm's own website, they map out which attorneys handle transactions, who their clients are, and what deals are in progress. This phase can last weeks.
// Phase 2: Email Account Compromise or Spoofing
Either they compromise a real email account, often by phishing a paralegal or associate, or they register a lookalike domain and spoof the sender display name. Both are effective. The compromised-account route is harder to detect because the email really does come from a legitimate mailbox and passes every authentication check. The lookalike route is not stopped by your own DMARC policy either: the attacker controls that domain and can publish SPF and DKIM for it, so the message authenticates as exactly what it is, mail from a domain one character off from the real one. Only scrutiny of the sender domain, by a person or by tooling, catches it.
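The lookalike-domain variant described above can be caught mechanically by comparing every inbound sender domain against the domains of the clients, title companies and opposing counsel the firm actually deals with. The following is an added example, not code from the original article: TRUSTED_DOMAINS and the sample addresses are constructed, and the confusable-character table and the edit-distance threshold of 2 are assumptions to tune for your own client list. It flags transposed letters, digit-for-letter swaps, a Cyrillic letter substituted for a Latin one (including the punycode form the wire would carry), and a trusted name used as a subdomain of someone else's domain.

```python
"""Flag inbound sender domains that resemble, but are not, a trusted counterpart's domain.

Added example, not code from the original article. TRUSTED_DOMAINS and the
sample addresses are constructed; the confusable table and the distance
threshold of 2 are assumptions to tune for your own client list.
"""
import unicodedata
from typing import Optional, Tuple

TRUSTED_DOMAINS = {"clientcorp.example", "titleco.example", "firm.example"}  # constructed

# Character sequences that render almost identically in common fonts; each is
# collapsed to one canonical form so "rnicro" and "micro" compare equal.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "8": "b"}
MAX_DISTANCE = 2


def canonical(domain: str) -> str:
    """Lower-case, decode punycode, strip accents, then fold confusable characters."""
    d = domain.strip().rstrip(".").lower()
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw form instead
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and adjacent swaps."""
    prev2: list = []
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender(address: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted', domain), ('lookalike', nearest trusted domain) or ('unknown', None)."""
    raw = address.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    if raw in TRUSTED_DOMAINS:
        return "trusted", raw                      # exact match on the real domain only
    cand = canonical(raw)
    by_canonical = {canonical(t): t for t in TRUSTED_DOMAINS}
    nearest = min(by_canonical, key=lambda t: edit_distance(cand, t))
    if edit_distance(cand, nearest) <= MAX_DISTANCE:
        return "lookalike", by_canonical[nearest]
    # A trusted name used as a subdomain of someone else's domain,
    # e.g. clientcorp.example.secure-docs.example
    labels = cand.split(".")
    for t_can, t in by_canonical.items():
        if t_can.split(".")[0] in labels:
            return "lookalike", t
    return "unknown", None


SAMPLE_SENDERS = [  # constructed
    "escrow@titleco.example",
    "ap@clientcrop.example",                          # transposed letters
    "ap@clientcorp.examp1e",                          # digit one for letter l
    "ap@clientсorp.example",                          # Cyrillic 'с' in place of Latin 'c'
    "notices@clientcorp.example.secure-docs.example", # trusted name as a subdomain
    "bob@gmail.example",
]


def triage(senders):
    """Classify each address; returns (address, verdict, matched trusted domain) tuples."""
    return [(s, *classify_sender(s)) for s in senders]


if __name__ == "__main__":
    for sender, verdict, match in triage(SAMPLE_SENDERS):
        note = f"  (resembles {match})" if verdict == "lookalike" else ""
        print(f"{verdict:9} {sender}{note}")
```

The exact-match test deliberately runs on the raw domain before any folding, so a domain that only becomes equal to a trusted one after confusable folding (examp1e) is reported as a lookalike rather than as trusted. Run this over the sender domains of anything that mentions wire instructions, and route every "lookalike" verdict to the call-back protocol before the instruction is acted on.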
// Phase 3: The Intercept
If they've compromised an account, they set inbox rules to silently forward and delete emails related to active transactions. The attorney never sees the real wire instructions. Instead, they see instructions the attacker has substituted, arriving at the exact right moment in the deal timeline.
// Phase 4: The Wire
The fraudulent wire goes out. The real payee eventually notices they haven't been paid, but by then the funds have been layered through multiple accounts and are largely unrecoverable. Reported recovery rates in BEC cases are on the order of 29 cents on the dollar.
The Email Settings That Protect You (That Most Firms Skip)
- DMARC policy set to p=reject — tells receiving mail servers to reject messages that use your domain but fail SPF or DKIM alignment. It stops others from spoofing your domain; it does nothing against lookalike domains or a compromised mailbox, both of which authenticate normally. Start at p=none with reporting enabled, confirm your legitimate senders pass, then move to p=quarantine and finally p=reject
- DKIM signing enabled — signs outbound mail with your domain's private key so receivers can verify it came from your mail system and was not altered in transit
- SPF record configured and enforced — lists the hosts allowed to send mail with your domain as the envelope sender, ending in -all so anything unlisted fails
- M365 Safe Links and Safe Attachments enabled — catches malicious links before attorneys click them
- Mailbox auditing enabled and monitored — surfaces the forwarding rules attackers create to stay hidden
- MFA on every mailbox — the single most effective control to stop account compromise at the front door; prefer phishing-resistant methods (FIDO2 security keys or passkeys) where you can, since one-time codes and push approvals can be relayed by the same phishing kits that harvest the password
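The three DNS records above are easy to publish in a form that looks configured but enforces nothing: an SPF record ending in ~all, a DMARC record at p=none, or no DKIM key at the selector your mail system signs with. The script below is an added example, not code from the original article. It takes the raw TXT strings (fetch them live with dig +short TXT yourfirm.com, dig +short TXT selector._domainkey.yourfirm.com and dig +short TXT _dmarc.yourfirm.com) and reports each weakness; the records under SAMPLE_RECORDS and the domain firm.example are constructed for illustration, and the DKIM key-size heuristic based on DER length is an assumption.

```python
"""Audit a domain's SPF, DKIM and DMARC records for the gaps this section lists.

Added example, not code from the original article. The record strings under
SAMPLE_RECORDS are constructed for illustration and 'firm.example' is a
hypothetical domain. For a live check, fetch the TXT records with a DNS client
and pass the strings in; None means the record does not exist.
"""
import base64
from typing import Dict, List, Optional

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(spf: Optional[str]) -> List[str]:
    """Flag SPF records that do not actually constrain who may send as the domain."""
    if spf is None:
        return ["SPF: no record; receivers cannot reject unauthorised senders"]
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1 and will be ignored"]
    findings = []
    alls = [t.lower() for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif alls[-1] in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet")
    elif alls[-1] == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers no verdict")
    elif alls[-1] == "~all":
        findings.append("SPF: '~all' only softfails; use '-all' once DMARC reports show legitimate mail passes")
    # RFC 7208 caps DNS-querying mechanisms at 10; exceeding it yields permerror
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower().split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def check_dkim(dkim: Optional[str]) -> List[str]:
    """Flag a missing, revoked or short DKIM key at the selector being audited."""
    if dkim is None:
        return ["DKIM: no record at the selector; outbound mail cannot be DKIM-authenticated"]
    tags = parse_tags(dkim)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return ["DKIM: unexpected version tag"]
    key = tags.get("p")
    if key is None:
        return ["DKIM: record has no p= tag and is invalid"]
    if key == "":
        return ["DKIM: empty p= means the key is revoked; nothing signed with it will verify"]
    findings = []
    if tags.get("k", "rsa").lower() == "rsa":
        # Heuristic (assumption): a 1024-bit RSA SubjectPublicKeyInfo is 162 DER bytes, 2048-bit is 294
        try:
            der_len = len(base64.b64decode(key, validate=True))
        except ValueError:
            return ["DKIM: p= is not valid base64"]
        if der_len < 250:
            findings.append(f"DKIM: RSA key is roughly 1024 bits ({der_len} DER bytes); rotate to 2048")
    return findings


def check_dmarc(dmarc: Optional[str]) -> List[str]:
    """Flag DMARC records that exist but do not tell receivers to reject spoofed mail."""
    if dmarc is None:
        return ["DMARC: no record; SPF/DKIM failures carry no policy and spoofed mail is delivered"]
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1 and will be ignored"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_STRENGTH:
        return ["DMARC: missing or invalid p= tag; the record is ignored"]
    findings = []
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports show legitimate mail aligns")
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_STRENGTH.get(sub_policy, 0) < POLICY_STRENGTH[policy]:
        findings.append(f"DMARC: sp={sub_policy} leaves subdomains weaker than the organisational domain")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only that share of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you receive no aggregate reports on who is spoofing you")
    return findings


def audit_domain(records: Dict[str, Optional[str]]) -> List[str]:
    """Run all three checks; an empty list means the domain is enforcing authentication."""
    return check_spf(records.get("spf")) + check_dkim(records.get("dkim")) + check_dmarc(records.get("dmarc"))


SAMPLE_RECORDS = {  # constructed records for the hypothetical domain firm.example
    "unenforced": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dkim": None,
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@firm.example",
    },
    "enforced": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,  # placeholder base64 of a 294-byte (2048-bit) SPKI
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@firm.example; adkim=s; aspf=s",
    },
}

if __name__ == "__main__":
    for name, records in SAMPLE_RECORDS.items():
        findings = audit_domain(records)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

The "unenforced" sample is what a typical small-firm tenant looks like after the defaults have been accepted: SPF present but softfailing, no DKIM selector published, DMARC in monitor-only mode. Every one of those passes a "does the record exist" check in a DNS tool and none of them causes a receiver to reject a spoofed message.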
What to Do Right Now
Even without an immediate incident, there are three things every law firm can implement this week:
- Call-back verification protocol — any wire instruction change must be verbally confirmed via a phone number on file, not a number in the email
- Domain spoofing check — run your domain through MXToolbox or similar to see if DMARC, DKIM, and SPF are properly configured
- Inbox rule audit — export every inbox rule and every mailbox-level forwarding setting in your M365 tenant and flag anything that forwards outside the firm, deletes or files messages away, or filters on words like wire, invoice, or closing
These three controls cost nothing to implement and would have prevented the majority of the BEC cases we've responded to. The gap isn't budget — it's awareness.
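Once the export exists, the review itself should not be a manual read-through of every rule in the tenant. The script below is an added example, not code from the original article, and it covers both the inbox rule audit above and the forward-and-delete rules described under Phase 3. It triages a rule export for the three things an attacker's rule does: sends mail outside the firm, hides the matching messages (delete, mark read, or file into a folder nobody opens), and filters on transaction keywords. ROWS is constructed to resemble a simplified export of Exchange Online inbox rules (one dict per rule, using the property names Get-InboxRule reports); firm.example, the mailboxes and the addresses are hypothetical, and FIRM_DOMAINS, FINANCE_WORDS and HIDE_FOLDERS are assumptions to adjust for your tenant.

```python
"""Triage an inbox-rule export for the forward-and-hide rules described under Phase 3.

Added example, not code from the original article. ROWS is constructed to
resemble a simplified export of Exchange Online inbox rules (one dict per
rule, using the property names Get-InboxRule reports); 'firm.example', the
mailboxes and the addresses are hypothetical. Set FIRM_DOMAINS to your own
domains and feed in your real export.
"""
import re
from typing import Dict, List, Tuple

FIRM_DOMAINS = {"firm.example"}  # assumed: the firm's own mail domains
FINANCE_WORDS = {"wire", "invoice", "payment", "closing", "escrow", "bank", "transfer", "settlement", "remit"}
# Folders attackers file intercepted mail into because nobody looks in them (assumed list)
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email",
                "junk e-mail", "deleted items", "archive", "notes"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def external_targets(values: List[str]) -> List[str]:
    """Addresses in ForwardTo/RedirectTo/ForwardAsAttachmentTo whose domain is not the firm's."""
    found = []
    for value in values:
        for match in ADDR_RE.finditer(value):
            if match.group(1).lower() not in FIRM_DOMAINS:
                found.append(match.group(0))
    return found


def folder_leaf(path: str) -> str:
    """Reduce 'user@firm.example:\\RSS Feeds' to 'rss feeds'."""
    return path.replace("\\", "/").split("/")[-1].split(":")[-1].strip().lower()


def triage_rule(rule: Dict) -> Tuple[str, List[str]]:
    """Return ('high' | 'medium' | 'ok', reasons) for one inbox rule."""
    if not rule.get("Enabled", True):
        return "ok", []
    reasons = []
    targets = rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", []) + rule.get("RedirectTo", [])
    external = external_targets(targets)
    if external:
        reasons.append("sends mail outside the firm: " + ", ".join(external))
    hides = []
    if rule.get("DeleteMessage"):
        hides.append("deletes the message")
    folder = folder_leaf(rule.get("MoveToFolder") or "")
    if folder in HIDE_FOLDERS:
        hides.append(f"moves it to '{folder}'")
    if rule.get("MarkAsRead"):
        hides.append("marks it read")
    text = " ".join(rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])
                    + rule.get("SubjectOrBodyContainsWords", [])).lower()
    money = sorted(w for w in FINANCE_WORDS if w in text)
    if money:
        reasons.append("filters on transaction keywords: " + ", ".join(money))
    if hides:
        reasons.append("hides matching mail (" + "; ".join(hides) + ")")
    odd_name = re.fullmatch(r"[.\s]*", rule.get("Name", "")) is not None
    if odd_name:
        reasons.append("rule name is blank or just dots, a common attacker habit")
    if external or (hides and money):
        return "high", reasons
    if hides or money or odd_name:
        return "medium", reasons
    return "ok", reasons


def triage_export(rows: List[Dict]) -> List[Dict]:
    """Triage every rule; return those needing review, highest severity first."""
    flagged = []
    for rule in rows:
        severity, reasons = triage_rule(rule)
        if severity != "ok":
            flagged.append({"mailbox": rule.get("MailboxOwnerId"), "rule": rule.get("Name"),
                            "severity": severity, "reasons": reasons})
    return sorted(flagged, key=lambda f: {"high": 0, "medium": 1}[f["severity"]])


ROWS = [  # constructed sample export
    {"MailboxOwnerId": "paralegal@firm.example", "Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["wire", "closing", "escrow"],
     "ForwardTo": ["Ops [SMTP:ops.finance@mail-relay.example]"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"MailboxOwnerId": "associate@firm.example", "Name": "Bar newsletter", "Enabled": True,
     "FromAddressContainsWords": ["bar.example"],
     "MoveToFolder": "associate@firm.example:\\Newsletters"},
    {"MailboxOwnerId": "partner@firm.example", "Name": "Cleanup", "Enabled": True,
     "SubjectContainsWords": ["invoice"], "MoveToFolder": "partner@firm.example:\\RSS Feeds",
     "MarkAsRead": True},
    {"MailboxOwnerId": "associate@firm.example", "Name": "Cover while out", "Enabled": True,
     "RedirectTo": ["partner@firm.example"]},
    {"MailboxOwnerId": "clerk@firm.example", "Name": "Old forward", "Enabled": False,
     "ForwardTo": ["someone@personal-mail.example"]},
]

if __name__ == "__main__":
    for item in triage_export(ROWS):
        print(f"[{item['severity'].upper()}] {item['mailbox']}  rule '{item['rule']}'")
        for reason in item["reasons"]:
            print("    -", reason)
```

Two of the five constructed rules come back as high: the one-character-named rule that forwards wire and closing mail off-tenant and deletes it, and the "Cleanup" rule that quietly files invoice mail under RSS Feeds. An internal redirect to a partner and a disabled legacy forward are left alone. Mailbox-level forwarding (the ForwardingSmtpAddress setting on the mailbox itself, rather than an inbox rule) is a separate export and should be reviewed with the same external-domain test.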
When Awareness Isn't Enough
BEC attacks have become sophisticated enough that no amount of training fully closes the risk. Attackers are patient, well-researched, and specifically targeting the moments when your staff is under the most pressure. The only reliable layer beneath awareness training is technical control — email authentication, behavioral monitoring, and continuous mailbox auditing.
Black Tower Cyber specializes in exactly this for professional services firms. If you want to understand what your current exposure looks like, a one-hour M365 security review will tell you more than most generic IT assessments ever will.
Need help validating your environment? Book a consultation and Black Tower Cyber can review your exposure, identity controls, and incident readiness before attackers find the gap first.