Business Email Compromise at Law Firms: How Attackers Target Client Fund Transfers
Business Email Compromise (BEC) is the highest-value cybercrime category globally, and law firms are disproportionately targeted. The reason is structural: law firms routinely transfer large sums on behalf of clients, communicate primarily by email, and operate under time pressure that discourages verification calls. In 2023, the FBI reported BEC caused over $2.9 billion in losses globally, a figure that substantially undercounts UK losses, which are reported separately to Action Fraud. For UK law firms, the threat is not theoretical.
FBI IC3: BEC caused $2.9 billion in reported global losses in 2023 — the single largest cybercrime category.
How BEC Attacks Target Law Firms Specifically
BEC against law firms takes several forms, each exploiting the trusted position solicitors occupy in financial transactions:
- Impersonation of senior partners: attackers email accounts teams or secretaries appearing to be a senior partner requesting an urgent payment
- Client account fraud: attackers impersonate clients requesting completion funds or settlement payments to be sent to alternative accounts
- Supplier payment fraud: attackers impersonate barristers' chambers, expert witnesses, or court fee requests, supplying substitute payment details
- Invoice fraud: fake invoices from what appear to be existing suppliers the firm already pays
- Account compromise: attackers gain access to a genuine mailbox, so replies come from the real account, and use it to redirect payment instructions
The Attack Anatomy: Patience and Precision
Sophisticated BEC against law firms involves weeks of reconnaissance. Attackers map the firm's email domain, identify senior partners and accounts staff on LinkedIn, review court listings to know which matters are active, and monitor any open-source information about upcoming transactions. The resulting attack email is precisely tailored — correct names, current matter references, plausible urgency. Standard spam filters do not catch it because it contains nothing technically malicious.
Technical Controls That Defeat BEC
BEC defeats spam filters but can be stopped by the right combination of technical and procedural controls:
- DMARC enforcement: prevents criminals from sending emails that appear to come from your domain
- Lookalike domain monitoring: alerts when similar domains (kyanit3blue.com, kyaniteblue.co) are registered by attackers
- Email header analysis: trained email gateways that flag display name spoofing, where the visible name matches staff but the email address does not
- MFA on all email accounts: prevents account compromise that enables genuine-address BEC
- Anomalous forwarding rule detection: attackers set up forwarding rules to monitor email — this should trigger alerts
- Financial verification procedures: the procedural backstop for every attack form above: no payment instruction or bank-detail change is processed without an out-of-band verification call to a number already on file
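The following Python script is an added example, not Kyanite Blue's code, showing how four of the technical controls above can be checked offline: display-name spoofing against a staff directory, lookalike sender domains (including the page's own kyanit3blue.com and kyaniteblue.co), the difference between a monitor-only and an enforced DMARC record, and mailbox forwarding rules pointing outside the firm. The firm domain kyaniteblue.com is assumed (the page names only its lookalikes); the staff directory, sample messages, DMARC records and rule events are all constructed for the example.

```python
"""Added example (not Kyanite Blue's code): offline checks for four of the
controls listed above: display-name spoofing, lookalike sender domains,
DMARC policy strength and external forwarding rules. The firm domain,
staff directory and all sample data below are constructed."""
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "kyaniteblue.com"  # assumed: the page names only its lookalikes
STAFF_DIRECTORY = {"jane partner": "jane.partner@kyaniteblue.com"}  # constructed
# Digit-for-letter substitutions commonly used in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, firm_domain: str = FIRM_DOMAIN, max_distance: int = 2) -> bool:
    """True when `domain` is not the firm's own but, after undoing digit
    substitutions, shares its first label (catches a TLD swap such as
    kyaniteblue.co) or lies within a small edit distance of it."""
    cand = domain.lower()
    if cand == firm_domain:
        return False
    normalised = cand.translate(HOMOGLYPHS)
    same_label = normalised.split(".")[0] == firm_domain.split(".")[0]
    return same_label or _edit_distance(normalised, firm_domain) <= max_distance


def triage_message(raw_message: str) -> list[str]:
    """Header checks on one message: display name matching a staff member but
    not their address, a lookalike sender domain, and a diverting Reply-To."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    findings = []
    expected = STAFF_DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name spoof: '{name}' is {expected}, mail is from {addr}")
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to diverts replies to {reply_to}")
    return findings


def dmarc_policy_strength(txt_record: str) -> str:
    """Classify a _dmarc TXT record: 'enforced' (p=reject or p=quarantine),
    'monitor-only' (p=none, which still lets spoofed mail through) or 'missing'."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return "missing"
    return "enforced" if tags.get("p") in ("reject", "quarantine") else "monitor-only"


def external_forwarding_rules(rule_events: list[dict], firm_domain: str = FIRM_DOMAIN) -> list[str]:
    """Ids of mailbox-rule events forwarding to any address outside the firm.
    The event shape is constructed for this example, not a vendor log schema."""
    suffix = "@" + firm_domain
    return [ev["id"] for ev in rule_events
            if any(not t.lower().endswith(suffix) for t in ev.get("forward_to", []))]


# Constructed samples: a lookalike-domain message impersonating a partner, a genuine one,
# a weak and a corrected DMARC record, and two mailbox-rule events.
SPOOFED_MESSAGE = """\
From: Jane Partner <jane.partner@kyanit3blue.com>
To: accounts@kyaniteblue.com
Reply-To: jp.partner.urgent@example.com
Subject: Completion funds - urgent

Please send the completion funds to the new account details attached.
"""
GENUINE_MESSAGE = "From: Jane Partner <jane.partner@kyaniteblue.com>\nSubject: Completion funds\n\nProceed as agreed on our call.\n"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@kyaniteblue.com"
ENFORCED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@kyaniteblue.com"
RULE_EVENTS = [{"id": "rule-001", "forward_to": ["archive@kyaniteblue.com"]},
               {"id": "rule-002", "forward_to": ["jp.partner.urgent@example.com"]}]

if __name__ == "__main__":
    for finding in triage_message(SPOOFED_MESSAGE):
        print("ALERT:", finding)
    print("genuine message:", triage_message(GENUINE_MESSAGE))
    print("DMARC:", dmarc_policy_strength(WEAK_DMARC), "->", dmarc_policy_strength(ENFORCED_DMARC))
    print("external forwarding rules:", external_forwarding_rules(RULE_EVENTS))
```

Run as-is, the spoofed message produces three alerts and the genuine one none; the p=none record classifies as monitor-only, which is why the list above says DMARC enforcement rather than merely publishing a record. The lookalike check only undoes digit substitutions and compares whole domains, so it will not catch letter-shape tricks such as "rn" for "m" or registrations under a subdomain, and the edit-distance threshold should be lowered for short firm domains to avoid false positives. None of these checks replaces the verification call: a message that passes all of them can still come from a genuinely compromised account.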
Frequently Asked Questions
How do we distinguish a genuine client email from a BEC attack?
Check the actual email address, not just the display name. Call the client on a number you already have — not a number in the email. Be suspicious of any payment instruction or bank detail change that arrives with unusual urgency. Verify any request to change payment details, regardless of how legitimate the email appears.
Is BEC covered by cyber insurance?
Social engineering and fraudulent transfer coverage must be specifically added to most cyber policies — it is not included in standard cyber cover. Check your policy for "fraudulent instruction", "social engineering", or "funds transfer fraud" coverage. This is a common and expensive gap.
Does having a spam filter protect against BEC?
No. BEC emails typically contain no malware, no suspicious links, and no characteristics that trigger spam filters. They read like normal business emails because they are crafted to. Technical controls help with spoofed domains but cannot stop account compromise or sophisticated lookalike attacks. Process controls — verification calls for any payment instruction — are the only reliable defence.
Defend your firm against business email compromise
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.