Business Email Compromise (BEC) Part 5 of 5: Attorney Impersonation

by | May 14, 2019 | Cyber Fraud

We have come to the fifth and final genre of BEC identified in the FBI’s 2018 Internet Crime Report. This final type is one that shares many elements with Account Compromise because one use of this scam is to steal settlement payments. However, because of the professional/legal space in which it operates, it has its own designation.

Attorney Impersonation

Typical Target: Any business employee. The business is usually in litigation, or has a previous litigation with a settlement to pay.

Method of Manipulation: By posing as an attorney or a representative of a law firm, the impostor is cloaked in the guise of an individual who is generally believed to be in the business of needing confidential information. Attorneys and law firms are often perceived to have the authority to ask for answers to personal questions, and to be able to dole out legal recourse if he/she does not receive it. This can pressure people to expose information they should guard. The scam may be initiated by either a phone call or a professional-looking email.

Generalized Scam Steps:

  1. A legitimate law firm falls prey to a malware that infiltrates their email account.. (see BEC Part 3 of 5: Account Compromise)
  2. The hacker, now having access to a law firm’s email account, lurks there, waiting for desired communiqués that mention whatever they are after: top secret case file information for an upcoming trial, or information regarding the receiving of settlement funds.
  3. If money is the objective, the hacker might spoof the email address of the law office and email the business responsible for paying the settlement funds. Or, they might call the business. Whether with a phishing email or a well-crafted phone conversation, the objective is to “verify” the bank account information from which the settlement funds are to be withdrawn. Armed with the business’ bank account information, the fraudster empties the account – directly into the fraudster’s own account.

    If the scam is to acquire confidential information, the method is very similar. If, for instance, a scam of this sort was initiated by a rival law firm, communiqués will be for the purpose of stealing critical information in order to win an upcoming case. Employees of businesses involved in law suits need to be particularly careful who they speak with and what information they share – by email or phone.

  4. Everyone finds out they were scammed the moment the legitimate law firm contacts the business to either 1) inquire why the money transfer was never made (only to find out it was made, and went to the scammers) or 2) to investigate how it came to be that rival counsel in a court case got their hands on certain information or evidence.

Objective: Data Theft Scam is at the heart of this scam’s objective, the only twist is the impersonation of counsel. For companies involved in any kind of litigation, this scam can be particularly menacing.

ALERT: IRS warns of new phone scam using Taxpayer Advocate Service numbers.

Educating Employees to Recognize Attorney Impersonation

There are three easy steps to confirm whether the email or phone call is from a legit attorney or law firm:

  1. Confirm that the alleged attorney’s name is, in fact, listed in the directory of the state bar. You can access this easily by your state bar’s website.
  2. Confirm that the person identifying himself/herself is, in fact, that attorney. This may be done by a quick check of the attorney’s website, and then a quick call to that firm.
  3. For every email you receive from a law firm, verify the email addresses is a legit email address – that every jot and tittle of the address is correct. An email “ is not the same email as ““. Check the spelling carefully. Spoofed emails are often off by just one little character.
  4. Phone numbers can be spoofed, too. Services like FireRTC offer online phone calling abilities, but these services can be used so that you can make phone calls from numbers other than your own. Fraudsters will make calls and texts using the phone number of other people and businesses as a disguise. If someone calls claiming that they are from the attorney’s office, find out what they want and tell them you will call them back with the information they request. A phone call to the attorney’s office, by independently looking up the attorney’s phone number (also found on the state bar website) will confirm two things: not only will it confirm that the attorney is legit, it will also confirm that the attorney’s business with you is legit. Do not simply trust that whatever number the caller gives you for the callback number is legit – look up the law firm’s number independently and call that one instead.
  5. Any official documentation an attorney shows you should be independently verified. Keep in mind always that if it can be put on paper – or on a website, or in an email – it can be forged.

Email Security Solutions are Available

A comprehensive Email Security Solution prevents a multitude of malicious email scams. Email being the most prolific attack vector for cybercriminals, we certainly recommend having it as part of any company’s defense profile.

Final Thoughts: Malicious links or attachments in emails are not necessary in many of these schemes!

Please notice that the majority of scenarios depicted did not require that the email contain a link or an attachment. Phishing is a huge problem, but a confidence artist might find another avenue to get what they want out of you. Links and attachments in emails are often the bait they want you to take, but con artists are not limited to phishing if they think there is a better way to hook you. What matters most to them is that they dupe you into trusting them. All scenarios require prey who will be gullible to fall for the charade, and be willing to divulge sensitive information that the impostor requests. This is why it’s called social engineering, after all. Don’t let these social engineers rig you.

Hybrid VDI - Total Economic Impact of VMWare End User Computing