Business email compromise at a law firm or CPA practice doesn’t always start with your firm. Roughly half the time, judging by the FBI’s IC3 reports, the attacker compromises a vendor or a client first and then uses that mailbox to defraud you.
Which means your own MFA, your own training, your own security stack, none of that saves you from this variant. The attacker is emailing you from a legitimate mailbox at a company you’ve worked with for years. Their password got stolen, not yours. You’re the target they picked because their relationship with you involves money.
The pattern is consistent enough that the FBI has a specific category for it in the 2023 Internet Crime Report, which logged nearly $3 billion in BEC losses last year. The variant most relevant to professional services firms is vendor email compromise, where an attacker controls the mailbox of someone your firm does business with and inserts fraudulent wire instructions into an existing thread.
Here’s what it looks like in practice.
Your firm is closing a real estate transaction. You’ve been emailing with the title company for weeks. The title company attorney has sent you drafts, invoices, schedule updates. You have a thread going with hundreds of messages, some from her, some from her paralegal, all from her firm’s domain.
On the morning of closing, you get an email from her. Same thread. Same signature. Same writing style. She says the wire for the purchase funds should go to a different account because their usual bank had a wire desk outage last night. She gives you the new routing and account numbers. She says they need it quick because closing is in two hours.
You send the wire. Closing happens. A week later the title company calls your office because the purchase funds never arrived.
The email from that morning wasn’t from her. An attacker had been in her mailbox for several weeks, watching this transaction develop. The reply that came back to you was sent by the attacker from her actual account. The thread history was intact. The spelling, grammar, and tone were correct because they’d been studying the conversation. They’d also set up mailbox rules so that her own replies to you didn’t arrive in her Sent folder, which is why nobody caught it on her end either.
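The mailbox rules mentioned above are the durable artifact on the compromised side, and they are what a vendor’s own mail administrator can look for. The following is an added example (not from the original post) that triages a constructed inbox-rule export for that hiding behaviour; the field names and the sample rules are assumptions, not any mail platform’s real schema.

```python
import re

# Folders commonly used to park hijacked messages where the mailbox owner will not look
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "conversation history"}
# Money-movement vocabulary for a closing or billing thread
MONEY_TERMS = re.compile(r"\b(wire|wiring|invoice|routing|account|payment|closing|remit)\b", re.I)

# Constructed sample export (assumed field names): one benign rule, two that match the attack pattern
OWNER_DOMAIN = "titleco.example"
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from": ["news@bar.example"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "conditions": {"subject_or_body_contains": ["wire", "closing"]},
     "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
    {"name": "Sync", "conditions": {"from": ["associate@lawfirm.example"]},
     "actions": {"forward_to": ["ops.mail@external-mail.example"], "delete": True}},
]

def triage_rule(rule, owner_domain):
    """Return (severity, reason) findings for one inbox rule."""
    findings = []
    cond, act = rule.get("conditions", {}), rule.get("actions", {})
    if len(rule.get("name", "").strip()) <= 1:
        findings.append(("low", "rule name is empty or a single character"))
    hits = [k for k in cond.get("subject_or_body_contains", []) if MONEY_TERMS.search(k)]
    if hits:
        findings.append(("low", f"matches money-movement terms {hits}"))
    if act.get("delete"):
        findings.append(("high", "deletes matching messages"))
    if act.get("move_to", "").lower() in HIDING_FOLDERS:
        findings.append(("high", f"moves matching messages to {act['move_to']!r}"))
    if act.get("mark_read") and act.get("move_to"):
        findings.append(("medium", "marks read and moves, so no unread badge appears"))
    for addr in act.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() != owner_domain:
            findings.append(("high", f"forwards to external address {addr}"))
    return findings

def triage_rules(rules, owner_domain):
    """Rules with at least one medium or high finding, in export order."""
    out = []
    for i, rule in enumerate(rules):
        findings = triage_rule(rule, owner_domain)
        if any(sev != "low" for sev, _ in findings):
            out.append({"index": i, "name": rule.get("name", ""), "findings": findings})
    return out

if __name__ == "__main__":
    for hit in triage_rules(SAMPLE_RULES, OWNER_DOMAIN):
        print(hit["index"], repr(hit["name"]), *[f"\n  [{s}] {r}" for s, r in hit["findings"]])
```

Run against a real export, the benign newsletter rule drops out and the two rules that hide or divert thread traffic surface with their reasons, which is the review a vendor would need to catch the weeks of silent access described above.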
The MFA thing doesn’t work here
This is the frustrating part. You can have MFA on every account at your firm. You can have conditional access policies, phishing training, endpoint detection, and a good IT provider. It doesn’t matter. The attacker isn’t logging into your systems. They’re in somebody else’s.
Which means the fix isn’t about your login screen. It’s about your process.
The protocol, at every firm handling client money, should be that no wire instruction is executed based on email alone. Not the first time, not the tenth time, not at close, not ever. Wire instructions get verified by voice call to a phone number you already had on file for that vendor or client. Not the phone number in the email signature. The phone number in your records from before this transaction started.
Yes, this is annoying. Yes, the transaction slows down by a few minutes. The title company attorney will understand when you call her, because she’s dealing with the same threats from her side. The client will appreciate that your firm takes protecting their money seriously. The underwriting side of your malpractice carrier loves this policy. Your cyber insurance loves this policy. Losing $400,000 on a misdirected wire is not a good look in any of those conversations.
The American Bar Association’s 2023 Legal Technology Survey showed that only about a third of firms have a documented procedure for verifying wire instructions by phone. A third. This in a profession that writes policy manuals for everything else.
The part that’s going to keep getting worse
Attackers are getting better at faking voices now too. AP News reported in 2024, and has continued to cover, cases where voice-cloned deepfakes were used in follow-up phone calls after a BEC attempt, so that when the victim calls to verify, the fake voice confirms the fraudulent instructions. This is still relatively rare and requires specific targeting, but it exists.
The workaround is to use a known-good phone number from before the transaction. A cloned voice only helps the attacker if your verification call lands on a number they control; if you dial the number in your own records instead of the one the email suggests, the attacker’s chain doesn’t connect.
The other workaround is a simple code word or challenge question agreed to in advance between your firm and each significant vendor or client for wire verification. A shared piece of information that wouldn’t appear in the email thread. Feels a little like spycraft. It’s just good process.
Firms that are going to get hit hard by this in the next two years are the ones who believe the attacker has to get into their systems to steal their clients’ money. The attacker doesn’t. They just have to get into someone you trust.
Your perimeter isn’t where you think it is. The threads you’ve been carrying for months with vendors and clients are part of your attack surface, and you don’t control the other end. The only control you do have is whether the wire goes out based on an email alone or based on a human voice on a phone number you already had.
