Phishing and BEC at Major UK Law Firms: Lessons from Hill Dickinson and the Legal Sector

How BEC Attacks Target Law Firms

BEC against law firms operates through several distinct attack patterns:

• Account compromise: attacker obtains genuine credentials for a partner or fee earner email account, monitors correspondence, and at the right moment intervenes to redirect a payment
• Domain spoofing: attacker registers a near-identical domain (hilldickinson.co vs hilldickinson.co.uk) and uses it to impersonate the firm to clients
• Supplier impersonation: attacker impersonates a supplier or barrister and requests a change to bank details for upcoming payment
• Client impersonation: attacker intercepts communications and impersonates the client, redirecting completion funds or settlement proceeds
• Internal impersonation: attacker impersonates a senior partner to finance staff, authorising an urgent wire transfer

The Technical Controls That Prevent BEC

BEC is one of the most preventable attack types — every effective control is well-understood and straightforward to implement:

• DMARC, DKIM, and SPF: email authentication standards that prevent domain spoofing — if your firm's domain has DMARC enforcement in place, attackers cannot send email that appears to come from your domain
• Multi-factor authentication: prevents account compromise by requiring a second factor even when credentials are stolen
• Email filtering: modern gateways detect impersonation patterns, suspicious reply-to addresses, and lookalike domain indicators
• Verified callback procedure: the single most effective process control — any request to change bank details must be verified by telephone to a known, pre-existing number before acting

Process Controls That Eliminate the Attack Vectors

Technical controls alone are insufficient — BEC specifically exploits the human element. Process controls must sit alongside technical defences:

• Four-eyes principle for all payments above a threshold: no single person can authorise a payment exceeding the firm's defined limit
• Bank detail change protocol: written policy requiring telephone verification using a pre-existing number for any bank detail change — no exceptions
• Client onboarding communication: informing every client in writing at outset that you will never change bank details by email
• Staff training: regular phishing simulation exercises and scenario-based training specifically covering BEC patterns
• Impersonation awareness: training fee earners to scrutinise reply-to addresses, domain names, and payment requests made with artificial urgency

When BEC Succeeds: Recovery and Reporting

When a BEC attack results in a misdirected payment, immediate action determines how much of the money can be recovered:

• Contact your bank immediately using the fraud hotline — banks have 24/7 fraud teams and can sometimes recall payments if caught quickly
• Contact the receiving bank's fraud team directly if you can identify it — Faster Payments can sometimes be reversed
• Report to Action Fraud immediately — obtaining a crime reference number supports insurance claims
• Notify professional indemnity insurer — BEC losses may be covered under PI or cyber policies
• Notify the SRA if client money has been misdirected — this is a mandatory notification
• Notify affected clients and consider your GDPR obligations if personal data was involved in the attack

Frequently Asked Questions