In 2023, the FBI’s Internet Crime Complaint Center reported that business email compromise caused $2.9 billion in losses. Not ransomware. Not crypto scams. Email. It’s been the most expensive category of cybercrime for years running, and it hits professional services firms harder than almost anyone because those firms move real money on behalf of clients who trust them completely.
Here’s what it looks like when it actually happens.
A paralegal at a small firm gets what looks like a DocuSign notification from opposing counsel. She clicks the link. She lands on a page that looks exactly like the Microsoft login screen. She enters her credentials. Nothing weird happens. She goes back to work.
That’s the whole attack. Everything after this is just consequences.
What happens in the three weeks nobody notices
The attacker logs into her mailbox from overseas. First thing they do is create an inbox rule. Every incoming email gets silently forwarded to an external address. This rule runs in the background, survives password changes, and doesn’t trigger any notification. If you don’t know to look for it, you won’t find it.
For the next few weeks, the attacker reads everything. Client communications. Settlement discussions. Billing records. They learn how the firm talks to its clients, who handles what, and what kind of money moves through the accounts. They’re patient. They’re not in a hurry.
This is exactly what happened in a case documented by the Oregon State Bar, where attackers monitored a real estate closing and intercepted wire instructions at the exact right moment. The FBI has flagged this pattern repeatedly. Attackers sit in the mailbox, learn the relationships, and then strike when real money is in motion.
When the timing is right, they send wire instructions to a client. The email comes from the paralegal’s actual email address. It references a real matter. The dollar amount is reasonable for that case. The client wires the money. It’s gone.
The firm finds out when the client calls to ask why they received a second set of wire instructions.
Two things would’ve stopped this
The first is multi-factor authentication. If the paralegal’s account had MFA turned on, the stolen password would’ve been useless. The attacker would’ve hit a wall at the login screen and moved on. MFA is free in Microsoft 365. It takes about 15 minutes to set up per user. It’s the single most effective thing you can do to prevent account takeover, and Microsoft has said it blocks 99.9% of automated attacks.
The second is mailbox rule monitoring. Attackers almost always create forwarding rules or inbox rules to hide their tracks. Your IT provider should be alerting on new forwarding rules the same day they’re created. Not reviewing them quarterly. Not checking when something goes wrong. Same day. If they’re not doing that, ask them why.
That’s it. MFA on every account, no exceptions. Forwarding rule alerts, same day. Neither one is expensive. Neither one is hard. Neither one requires new software or a big project. They require someone to actually set them up and verify they’re working.
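The forwarding-rule check described above can be scripted against Exchange Online. The following is an added example, not code from the original post or from any vendor; it assumes the ExchangeOnlineManagement PowerShell module is installed, that the account running it is allowed to read mailbox rules and the unified audit log, and that $InternalDomains (a placeholder value here) is replaced with the firm's real mail domains. It flags three things: mailbox-level forwarding, inbox rules that forward, redirect or silently delete mail to somewhere outside the firm, and any rule created or changed in the last 24 hours, which is the list a same-day alert should be built from.

```powershell
# Added example (not from the original post): audit Exchange Online for mail
# leaving the firm through forwarding or inbox rules.
# Assumes: ExchangeOnlineManagement module, an account with rights to read
# inbox rules and Search-UnifiedAuditLog, and $InternalDomains set correctly.

$InternalDomains = @('example-firm.com')   # assumption: replace with the firm's own domains

Connect-ExchangeOnline -ShowBanner:$false

function Test-ExternalRecipient {
    # Returns $true if any recipient string points at a domain the firm does not own.
    # Rule recipients render as "Display Name [SMTP:user@domain]" or as a bare address.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ($r -match '[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)') {
            $domain = $Matches[1].ToLower()
            if ($InternalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$findings = @()

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_.UserPrincipalName

    # 1. Mailbox-level forwarding (set by the owner or an admin, not an inbox rule)
    if ($_.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx
            Type    = 'MailboxForwarding'
            Detail  = $_.ForwardingSmtpAddress
        }
    }

    # 2. Inbox rules that forward, redirect or delete: the pattern the post describes
    Get-InboxRule -Mailbox $mbx | ForEach-Object {
        $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { "$_" }
        $external = Test-ExternalRecipient -Recipients $targets
        if ($external -or $_.DeleteMessage) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx
                Type    = 'InboxRule'
                Detail  = "$($_.Name) | enabled=$($_.Enabled) | delete=$($_.DeleteMessage) | targets=$($targets -join ';')"
            }
        }
    }
}

# 3. Rules created or modified in the last 24 hours, from the unified audit log.
#    This is the feed a same-day alert should run on, so new rules are seen
#    the day they appear rather than at a quarterly review.
$since = (Get-Date).AddDays(-1)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations 'New-InboxRule','Set-InboxRule' -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        $findings += [pscustomobject]@{
            Mailbox = $d.UserId
            Type    = "Audit:$($d.Operation)"
            Detail  = "from $($d.ClientIP) at $($d.CreationTime)"
        }
    }

$findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
```

Run it on a schedule and treat any non-empty output as something a person looks at that day. Two caveats: Search-UnifiedAuditLog returns at most 5000 records per call, so a large tenant needs paging or a narrower window, and the audit log only records what auditing was enabled to capture, so confirm mailbox auditing is on before relying on section 3. The first two sections read the live mailbox state and do not depend on the audit log, which is why the script checks both.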
The part that doesn’t make the news
The firm’s malpractice carrier paid the claim. Their cyber insurance rates tripled at renewal. Three clients left. The paralegal felt terrible about something that wasn’t really her fault. The fake DocuSign page was genuinely convincing. You would’ve clicked it too. I probably would’ve clicked it too.
The American Bar Association’s 2023 TechReport found that only 44% of law firms use multi-factor authentication. Less than half. For a profession built on protecting client confidences, that number is genuinely difficult to explain.
The technology didn’t fail here. Nobody set it up. That’s the part that keeps happening.
