
Business Email Compromise: The $2.4B Threat Targeting Law Firms

One fraudulent email can redirect millions in settlement funds. Here's how Business Email Compromise attacks work and how to stop them. John Reeman, CEO of Cyooda Security and a former BigLaw CISO, shares his expertise on protecting law firms from Business Email Compromise (BEC) attacks. This cyber threat has cost Australian businesses over $2.4 billion in recent years. Having defended some of the country's largest legal practices, John explains why traditional security measures often fail and what actually works.

October 09, 2025 • By Cyooda

The Attack That Looks Legitimate

Business Email Compromise (BEC) has become the most financially devastating cyber threat facing Australian law firms. The Australian Cyber Security Centre reports BEC attacks cost Australian businesses over $2.4 billion between 2020 and 2023, with law firms representing disproportionately high-value targets due to trust account transactions and settlement payments.

Cyooda CEO John Reeman, former CISO of a top-tier law firm, explains: "I've seen sophisticated BEC attacks fool experienced partners and seasoned finance teams. Attackers aren't just sending spam; they're doing reconnaissance, studying communication patterns, and striking at exactly the right moment."

How Law Firms Are Targeted

BEC attacks on legal practices follow a devastatingly effective pattern. Attackers research firms through LinkedIn, websites, and court records, identifying key personnel and communication styles. They learn when settlements occur, who approves payments, and when partners travel.

Using phishing or lookalike domains (think "yourfirm.com.au" vs "yourfirm-law.com.au"), they position themselves to intercept communications. At the critical moment, when settlement payment is imminent, they send a legitimate-looking email requesting updated banking details from what appears to be a client, opposing counsel, or your own partner.

By the time the legitimate recipient inquires about payment, funds have moved through multiple jurisdictions and are unrecoverable.

Why Your Security Isn't Enough

BEC attacks succeed because they exploit human psychology rather than technical vulnerabilities. It's all about context and timing. Your firewall and antivirus can't detect these attacks because no malicious links are involved, emails come from convincing lookalike domains, and attackers strike when urgency overrides caution.

Firms with excellent technical security still fall victim to breaches. The attack vector isn't your technology; it's your people and processes.

Building Effective BEC Defences

Adequate protection requires combining technology, process controls, and awareness:

Payment Verification Protocols: Implement mandatory out-of-band verification for changes to payments and large transfers. Any request to change banking details must be verified via a phone call to a known number. High-value transfers require dual approval with separate contact verification.

Email Authentication & Advanced Protection: Deploy and properly configure SPF, DKIM, and DMARC protocols and monitor them effectively. However, traditional email security isn't enough for sophisticated BEC attacks.
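As an added example (not code from the article or from Cyooda), the following Python script grades SPF and DMARC TXT records the way a reviewer would when checking whether "deploy and properly configure" has actually been done. The records are constructed samples for a hypothetical domain; in practice you would paste in the real TXT values for your own domain and `_dmarc.` subdomain. The SPF lookup-count check is an approximation: it counts only `include:` mechanisms, while the RFC 7208 limit also covers `a`, `mx`, `exists` and `redirect`.

```python
"""Grade SPF and DMARC records for anti-spoofing strength.

Added example, not part of the original article. Sample records below are
constructed; replace them with the TXT records pulled from DNS for your domain.
"""
import re
from typing import Dict, List, Optional

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.example-mail.test ~all"
SAMPLE_SPF_STRONG = "v=spf1 include:_spf.example-mail.test -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
SAMPLE_DMARC_STRONG = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
    "rua=mailto:dmarc@example.test; ruf=mailto:dmarc@example.test"
)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_mechanism(record: str) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism.

    '-' = fail, '~' = softfail, '?' = neutral, '+' = pass (the default when no
    qualifier is written). None means the record has no 'all' mechanism at all.
    """
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return None
    return match.group(1) or "+"


def assess(spf: str, dmarc: str) -> List[str]:
    """Return findings a defender would want to fix; an empty list means the
    records restrict spoofing as far as SPF/DMARC can."""
    findings: List[str] = []

    # --- SPF ---
    if not spf.startswith("v=spf1"):
        findings.append("SPF record missing or malformed")
    else:
        qualifier = spf_all_mechanism(spf)
        if qualifier is None or qualifier == "+":
            findings.append("SPF 'all' mechanism missing or +all: any host may send as this domain")
        elif qualifier in ("~", "?"):
            findings.append("SPF uses softfail/neutral for 'all'; receivers will still accept unauthorised senders")
        if spf.count("include:") > 10:  # approximation of the RFC 7208 10-lookup limit
            findings.append("SPF likely exceeds the 10 DNS-lookup limit and will evaluate to permerror")

    # --- DMARC ---
    tags = parse_dmarc(dmarc)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC record missing or malformed")
        return findings
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: move to p=reject once aggregate reports are clean")
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("Subdomain policy sp=none leaves subdomains spoofable")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports are not collected, so nothing is monitored")
    if tags.get("adkim", "r") != "s" or tags.get("aspf", "r") != "s":
        findings.append("Relaxed alignment (default) lets any subdomain of the organisational domain align; "
                        "use adkim=s/aspf=s if you never send from subdomains")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", SAMPLE_SPF_WEAK, SAMPLE_DMARC_WEAK),
                              ("strong", SAMPLE_SPF_STRONG, SAMPLE_DMARC_STRONG)):
        print(f"{label}: {assess(spf, dmarc) or ['no findings']}")
```

Run it once against the sample pair to see the weak configuration produce findings and the strong one none, then substitute your own records. The "monitoring" point in the text maps to the `rua=` check: a DMARC record with no reporting address cannot be "monitored effectively" no matter what policy it declares.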

Behavioural AI (The Missing Layer): Behavioural AI platforms understand relationships, communication norms, and anomalies. These systems build relational baselines, mapping who communicates with whom, how often, and with what tone.

They detect anomalies traditional security misses, flagging when a supposed accountant uses unfamiliar language or sends from unusual locations. They warn users contextually with flags, such as "This message cites prior conversation that does not match your email history," empowering recipients to pause and verify.

In professional services deployments, behavioural AI systems have blocked six-figure BEC attempts that passed every layer of traditional email security.
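To make the "relational baseline" idea concrete, here is an added example (not code from the article or from any behavioural AI product) that learns who normally writes to whom from a history of message headers, then flags a new message whose sender address, domain or Reply-To does not fit that baseline. It also covers the lookalike-domain case from earlier in the article ("yourfirm.com.au" vs "yourfirm-law.com.au") by comparing an unknown sender domain against known domains. The firm domain is the article's own example; every other address, the `.test` domains and all messages are constructed samples, and the banking-keyword list is an assumption used only to mark payment-change requests for closer review.

```python
"""Relational-baseline checker for inbound mail headers.

Added example, not part of the original article. It demonstrates the kind of
baseline-and-anomaly logic described in the text on a constructed mail history.
"""
from collections import defaultdict
from typing import Dict, List, Set

OUR_DOMAIN = "yourfirm.com.au"  # the article's example firm domain

# Constructed history: a stable pattern of who writes to whom at the firm.
HISTORY: List[Dict[str, str]] = [
    {"from_name": "Alice Partner", "from": "alice@yourfirm.com.au",
     "to": "finance@yourfirm.com.au", "reply_to": "", "subject": "Settlement timetable"},
    {"from_name": "Bob Counsel", "from": "bob@opposingcounsel.test",
     "to": "alice@yourfirm.com.au", "reply_to": "", "subject": "Draft deed"},
    {"from_name": "Carol Client", "from": "carol@clientco.test",
     "to": "alice@yourfirm.com.au", "reply_to": "", "subject": "Re: meeting"},
] * 5  # repeated so each relationship is well established

# Assumed indicator phrases that mark a payment-change request (not from the article).
PAYMENT_KEYWORDS = ("bank details", "banking details", "account number", "bsb", "new account")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def label_of(domain: str) -> str:
    """First DNS label, e.g. 'yourfirm-law' from 'yourfirm-law.com.au'."""
    return domain.split(".")[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch single-character lookalikes such as 'yourf1rm'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate: str, known: str) -> bool:
    """True when an unknown domain imitates a known one (substring or near-identical label)."""
    if candidate == known:
        return False
    c_label, k_label = label_of(candidate), label_of(known)
    if len(k_label) >= 5 and (k_label in c_label or c_label in k_label):
        return True
    return levenshtein(c_label, k_label) <= 2


class Baseline:
    """Who communicates with whom, learned from past message headers."""

    def __init__(self) -> None:
        self.addresses_by_name: Dict[str, Set[str]] = defaultdict(set)
        self.domains: Set[str] = set()
        self.pair_counts: Dict[tuple, int] = defaultdict(int)

    def learn(self, messages: List[Dict[str, str]]) -> None:
        for m in messages:
            sender, recipient = m["from"].lower(), m["to"].lower()
            self.addresses_by_name[m["from_name"].lower()].add(sender)
            self.domains.add(domain_of(sender))
            self.pair_counts[(sender, recipient)] += 1

    def assess(self, msg: Dict[str, str]) -> List[str]:
        """Return contextual flags for one inbound message; empty means it fits the baseline."""
        flags: List[str] = []
        sender, recipient = msg["from"].lower(), msg["to"].lower()
        sender_domain = domain_of(sender)

        known = self.addresses_by_name.get(msg["from_name"].lower())
        if known and sender not in known:
            flags.append("display name matches a known contact but the address differs")

        if sender_domain not in self.domains:
            lookalike = next((d for d in self.domains if looks_like(sender_domain, d)), None)
            if lookalike:
                flags.append(f"sender domain {sender_domain} resembles known domain {lookalike}")
            else:
                flags.append("first contact from an unknown domain")
        elif self.pair_counts[(sender, recipient)] == 0:
            flags.append("known sender has never written to this recipient before")

        reply_to = msg.get("reply_to", "")
        if reply_to and domain_of(reply_to) != sender_domain:
            flags.append("Reply-To domain differs from From domain")

        subject = msg.get("subject", "").lower()
        if any(k in subject for k in PAYMENT_KEYWORDS):
            flags.append("requests a change to banking details: verify out of band")
        return flags


# Constructed test messages: one impersonation attempt, one routine client email.
SUSPICIOUS = {"from_name": "Alice Partner", "from": "alice@yourfirm-law.com.au",
              "to": "finance@yourfirm.com.au", "reply_to": "alice.partner@webmail.test",
              "subject": "Urgent: updated bank details for settlement"}
ROUTINE = {"from_name": "Carol Client", "from": "carol@clientco.test",
           "to": "alice@yourfirm.com.au", "reply_to": "", "subject": "Re: meeting"}


def run_demo() -> Dict[str, List[str]]:
    baseline = Baseline()
    baseline.learn(HISTORY)
    return {"suspicious": baseline.assess(SUSPICIOUS), "routine": baseline.assess(ROUTINE)}


if __name__ == "__main__":
    for name, flags in run_demo().items():
        print(f"{name}: {flags or ['fits baseline']}")
```

The point of the design is that none of the four flags the suspicious message earns depends on a malicious link or attachment; each comes from context the firm already holds (its own mail history), which is exactly the signal the text says firewalls and antivirus cannot see. In a real deployment the flags would be rendered to the recipient as a banner rather than printed.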

Targeted Staff Training: Staff need scenario-based training on identifying BEC red flags in legal contexts, your verification protocols, and what to do when suspicious activity is detected. Training should be regular and tested through simulations.

The Trust Account Risk

For law firms, BEC attacks carry additional professional and regulatory consequences. Trust account fraud can trigger professional indemnity claims, Law Society investigations, mandatory breach notifications, reputational damage, and personal liability for principals.

This makes BEC prevention a risk management and compliance imperative.

When Forensics Becomes Critical

When BEC attacks occur or are suspected, mobile forensic analysis is crucial. Mobile devices retain email metadata, deleted drafts, and communication patterns that can prove whether accounts were compromised. GPS data and device activity can establish whether a partner was actually positioned to send an urgent transfer request.

Cyooda's digital forensics team has supported numerous BEC investigations, helping firms establish facts, preserve evidence for legal action, and satisfy insurance and regulatory requirements.

Don't Wait for the Attack

Business Email Compromise attacks are increasing in sophistication and frequency. For law firms handling high-value transactions, the question isn't whether you'll be targeted; it’s whether you'll be ready.

BEC attacks are preventable with the right combination of technology, processes, and awareness. Firms that fall victim typically assume existing security is sufficient or treat BEC as an IT problem rather than an enterprise risk.

Protect your firm, your clients, and your reputation.

Schedule Your Confidential BEC Vulnerability Review
