A real estate attorney in Queens receives an email from what appears to be her client โ€” a buyer whose $480,000 closing is scheduled for Friday. The email says the wire instructions have changed; could she please use the new account? The email looks legitimate. The email address looks right. She forwards it to her paralegal. The wire goes out Thursday afternoon.

By Friday morning, the money is gone. The real client's email was compromised three weeks earlier. The attorney had no idea. The buyer had no idea. The wire was to a mule account in Eastern Europe that had already been emptied.

This scenario plays out dozens of times a year across New York metro-area law firms. Business Email Compromise โ€” BEC โ€” is the FBI's most financially damaging cybercrime category, and real estate and legal transactions are its primary hunting ground.

How BEC Attacks Actually Work

Understanding the mechanics helps you recognize the attack before it succeeds. BEC is not a technical hack in the Hollywood sense โ€” it's a social engineering attack that exploits trust, urgency, and routine business processes.

The most common variant targeting law firms follows this pattern. Attackers first compromise either the attorney's email account or a client's email account โ€” often through a phishing email that captures login credentials. They then spend days or weeks silently monitoring the inbox, reading emails, learning the names of clients, opposing counsel, paralegals, and the rhythm of active matters.

When a significant financial transaction is approaching โ€” a real estate closing, a settlement wire, an escrow disbursement โ€” the attacker strikes. They send an email impersonating one of the trusted parties, requesting a change to wire instructions. The email is convincing because it references real details from real conversations the attacker has been reading.

โš ๏ธ Critical fact: Once a wire transfer is sent, recovery is extremely difficult. The FBI's Internet Crime Complaint Center (IC3) estimates that only about 30% of reported BEC losses are ever recovered โ€” and that window closes within hours of the wire going out. Prevention is the only reliable protection.

Red Flags Every Law Firm Employee Must Know

The single most effective BEC prevention tool is a trained, skeptical staff. Every person in your firm who handles financial transactions or wire instructions needs to recognize these warning signs:

  • Any change to previously confirmed wire instructions โ€” this is the most reliable indicator of a BEC attempt. Legitimate parties rarely change wire details at the last minute.
  • Urgency and pressure โ€” "We need this wired today or the deal falls through." Urgency is manufactured to prevent verification calls.
  • Requests to keep the change confidential โ€” a legitimate client will never ask you not to verify wire changes with other parties.
  • Slight email address variations โ€” attackers often register domains like "smithlaw-firm.com" versus your client's real "smithlawfirm.com." One hyphen, one extra letter.
  • Requests that bypass normal procedure โ€” "Can you send this directly without going through the escrow company?"

The BEC Prevention Protocol for Law Firms

A written wire verification protocol is now considered a baseline professional requirement for law firms handling financial transactions. Here's what it needs to include:

Wire Transfer Verification Protocol

  • Establish wire instructions in person or by verified phone call at the start of the matter โ€” never by email alone
  • Any change to wire instructions must be verified by an out-of-band phone call to a previously verified number (not a number provided in the suspicious email)
  • Implement a two-person authorization rule for wires over a defined threshold
  • Enable multi-factor authentication on all email accounts โ€” this prevents the initial account compromise that enables BEC
  • Deploy advanced email security with DMARC, DKIM, and SPF authentication to block spoofed sender addresses
  • Train all staff on BEC recognition annually โ€” and after any near-miss incident
  • Post a laminated "Wire Verification Checklist" at every workstation that handles transactions

If You Think a BEC Attack Has Occurred

Speed is everything. If a wire has gone out and you suspect fraud, take these steps immediately โ€” every hour matters.

  • Call your bank immediately and request a SWIFT recall. Ask specifically for their wire fraud team. Have the wire details ready.
  • File a complaint with the FBI's IC3 at ic3.gov โ€” this initiates the Financial Fraud Kill Chain process, which can freeze receiving accounts if acted upon quickly enough.
  • Do not destroy evidence โ€” preserve all emails, including headers, exactly as they are. Don't forward, reply, or delete.
  • Call your IT provider immediately to determine whether your email accounts have been compromised and to contain any ongoing access.
  • Consult with a breach response attorney regarding your notification obligations to the affected client.

Does Your Firm Have a Wire Verification Protocol?

If you're not certain, you probably don't โ€” and that's a meaningful liability for any firm handling financial transactions. Let's talk about what your email security posture actually looks like and what it would take to close the gaps.

Book Free Email Security Review โ†’

Call: (516) 734-1515