Key Takeaways:
- Business email compromise (BEC) scams resulted in $2.9 billion in reported losses in 2023 alone, with law firms increasingly targeted due to their role as custodians of client funds in trust and escrow accounts
- Every wire transfer from your trust account requires a mandatory verification protocol: confirm all wire instructions through a direct callback to a pre-verified phone number—never use contact information provided in the email requesting the transfer
- Attorneys face both malpractice liability and professional discipline for failing to implement reasonable cybersecurity measures under ABA Model Rules 1.1 (Competence), 1.6 (Confidentiality), and 1.15 (Safekeeping Property)—even when the firm itself is a victim of fraud
Let’s face it: you didn’t go to law school to become a cybersecurity expert. Yet here you are, responsible for safeguarding hundreds of thousands—sometimes millions—of dollars in client funds that pass through your trust account every year. And somewhere out there, a sophisticated criminal is crafting an email that looks exactly like it came from your client, your opposing counsel, or your title company, complete with wire instructions that will funnel those funds into an untraceable overseas account.
Here’s a number that should make every managing partner lose sleep: the FBI reported $2.9 billion in losses from business email compromise scams in 2023 alone. Law firms are prime targets because they’re custodians of highly sensitive information and regularly facilitate high-dollar transfers for transactional and litigation matters. One moment of misplaced trust in an email can wipe out a client’s life savings—and your firm’s reputation along with it.
The good news? Wire fraud is almost entirely preventable with the right protocols. The bad news? Most law firms still don’t have them. Let’s change that.
Understanding the Wire Fraud Threat to Law Firms
Wire fraud targeting law firms isn’t random—it’s calculated, patient, and devastatingly effective. Understanding how these attacks work is the first step toward preventing them.
How Business Email Compromise Attacks Work
Business email compromise (BEC) is the primary mechanism behind wire fraud attacks on law firms. These aren’t crude phishing attempts with obvious grammatical errors—they’re sophisticated, targeted operations that exploit trust relationships built over months or years.
The typical attack follows a predictable pattern. First, criminals gain access to someone’s email account in the transaction chain—it could be your client, opposing counsel, a real estate agent, or a title company. They then monitor email traffic, sometimes for weeks, learning the players involved, the timing of transactions, and the communication patterns between parties. Just before a wire transfer is scheduled, they strike—sending fraudulent wire instructions that appear to come from a trusted source.
The sophistication is chilling. Fraudsters use email addresses that differ by a single character, perfectly mimic writing styles and signatures, and often include legitimate-looking letterhead and formatting. They time their attacks for maximum confusion—typically late Friday afternoons when staff are rushing to complete transactions before the weekend.
Why Law Firms Are Prime Targets
Law firms present an irresistible target for wire fraud criminals. The combination of large dollar amounts, time pressure, and trusted relationships creates perfect conditions for exploitation. Your trust accounts hold client funds that can reach into the millions, making successful attacks extremely lucrative.
Several factors make law firms especially vulnerable:
- High-value transactions: Real estate closings, settlement disbursements, and M&A deals regularly involve six- and seven-figure wire transfers
- Time pressure: Legal transactions often have hard deadlines, creating urgency that criminals exploit
- Multiple parties: Complex transactions involve numerous participants, any of whose email could be compromised
- Trust relationships: Attorneys are trained to advocate for clients, not to suspect that client communications might be fraudulent
- Email-dependent workflows: Despite the risks, most legal transactions still rely heavily on email for document exchange and communication
The Emerging Threat: AI-Powered Fraud
If traditional BEC attacks weren’t concerning enough, artificial intelligence has supercharged the threat. In early 2024, an employee at engineering firm Arup was tricked into wiring $25 million after participating in a video conference with what appeared to be the company’s CFO and other executives. Every person on that call was a deepfake—AI-generated replicas convincing enough to fool a trained professional.
Voice cloning technology now requires as little as 3-5 seconds of audio to create a convincing replica of someone’s voice. Documented deepfake fraud losses exceeded $200 million in Q1 2025 alone. The FBI has warned of “alarming increases in both the frequency and financial impact” of AI-powered fraud, with deepfake attacks surging 3,000% in recent years.
This means the callback verification that would have protected you five years ago may no longer be sufficient. When a criminal can clone your client’s voice and conduct a convincing phone conversation, traditional verification methods require significant upgrades.
Your Legal and Ethical Obligations
Wire fraud prevention isn’t just good practice—it’s a professional obligation. Attorneys who fail to implement reasonable cybersecurity measures face potential malpractice liability and disciplinary action, even when they’re also victims of the fraud.
ABA Model Rules Requirements
The ABA Model Rules of Professional Conduct establish clear obligations for attorneys regarding technology and client property:
Rule 1.1 (Competence): Requires attorneys to provide competent representation, which the ABA has clarified includes technological competence. Comment 8 to Rule 1.1 explicitly states that lawyers must “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” You can’t claim ignorance of wire fraud threats when they’ve been headline news for years.
Rule 1.6 (Confidentiality): Under Rule 1.6(c), attorneys must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” This extends to implementing security measures that protect against BEC attacks targeting client information and funds.
Rule 1.15 (Safekeeping Property): Perhaps most directly applicable, Rule 1.15 requires lawyers to safeguard client property. The Model Rules for Client Trust Account Records mandate maintaining “complete records” and providing “full accounting” for trust funds. Proper trust accounting practices now necessarily include fraud prevention protocols.
Malpractice and Liability Exposure
The liability exposure from wire fraud is substantial and growing. In a 2025 case, DeLuca et al. v. SutterWilliams LLC, a cybercriminal impersonated attorneys via email and tricked a law firm into wiring $442,600 from a decedent’s estate to a fraudulent account. The estate’s executor sued the attorneys for negligence, legal malpractice, breach of contract, and breach of fiduciary duty—even though the firm itself was a victim of the fraud.
This illustrates a critical point: being a victim doesn’t shield you from liability. Courts are increasingly holding that law firms, as fiduciaries, have a duty to implement basic verification and cybersecurity protocols. Failing to do so—even unknowingly—can expose you to direct legal liability for losses your clients suffer.
Adding insult to injury, many cyber insurance policies contain exclusions that leave firms without coverage for wire fraud losses. Custodial or escrow accounts—including IOLTA accounts—are often specifically excluded from standard cyber policies. When firms have sued their insurers over denied claims, courts have generally sided with the insurer.
Essential Wire Verification Protocols
Effective wire fraud prevention requires systematic verification at every step. These aren’t suggestions—they should be firm-wide policies with no exceptions.
The Golden Rule: Callback Verification
Never rely solely on email for wire instructions. This single principle, consistently applied, would prevent the vast majority of wire fraud losses. Before initiating any wire transfer from your trust account, you must verbally verify the instructions through a direct phone call.
But here’s where firms make a critical error: they call the number provided in the fraudulent email. That number goes straight to the criminal who sent the fake instructions. Your callback verification must follow these steps:
- Use a pre-verified phone number. Call the recipient using a phone number you obtained independently—from your firm’s records, a previous verified communication, or a trusted source like the company’s official website (not the email signature).
- Speak to a known contact. Don’t accept verification from someone you’ve never spoken with before. If your usual contact is unavailable, be suspicious and delay the transfer until you can reach them.
- Verify specific details. Don’t just ask “did you send wire instructions?” Read back the account number, routing number, and beneficiary name to confirm every detail.
- Document the verification. Record who you spoke with, when, and what was confirmed. This documentation protects you if questions arise later.
Treat Last-Minute Changes as Red Flags
Legitimate changes to established wiring instructions are rare. This is the single most important red flag to recognize. When someone asks you to send funds to a different account than originally specified, treat it as a potential fraud attempt until proven otherwise.
Red flags that should trigger heightened verification include:
- Any request to change wire instructions, especially close to closing or settlement
- Urgency or pressure to complete the transfer immediately
- Instructions to wire to an international account
- Email addresses that look similar but aren’t identical to known contacts
- Requests to keep the transaction confidential or bypass normal procedures
- Contact information in the email that differs from your records
- Requests received outside normal business hours
Dual Authorization Requirements
No single person should have the authority to initiate and complete a wire transfer. Dual authorization creates a critical checkpoint that can catch fraud attempts that slip past individual verification.
Effective dual authorization requires:
- Separation of duties: The person who receives wire instructions should not be the same person who verifies them or initiates the transfer
- Independent verification: Both authorizers should independently verify the wire instructions—not simply confirm that the other person approved
- Dollar thresholds: Consider requiring additional authorization levels for large transfers (e.g., partner approval for amounts over $50,000)
- Bank coordination: Work with your bank to establish callback protocols where they contact a designated official for final approval before releasing funds
Building Comprehensive Firm-Wide Protocols
Individual vigilance isn’t enough. Your firm needs documented policies, systematic training, and technological safeguards that work together to prevent wire fraud.
Developing Written Policies
Your wire transfer policy should be documented, distributed to all staff, and enforced without exception. Key elements include:
- Clear verification requirements: Specify exactly what verification is required before any wire transfer can be initiated
- Authorization hierarchy: Define who can authorize transfers at different dollar amounts
- Documentation standards: Require written records of all verification steps
- Exception procedures: Define what happens when normal verification can’t be completed (answer: the transfer waits)
- Incident response plan: Document exactly what to do if fraud is suspected or confirmed
Client Communication and Education
Your clients need to understand the wire fraud threat and your firm’s verification procedures. This serves two purposes: it helps protect them from fraud, and it protects your firm by establishing clear expectations.
Consider implementing:
- Engagement letter disclosures: Include wire fraud warnings and your verification procedures in engagement letters
- Pre-transaction warnings: Send written notice before any anticipated wire transfer explaining that you will never change wire instructions via email without phone verification
- Standard language: Include wire fraud warnings in email signatures: “WIRE FRAUD ALERT: Before wiring funds, call us at [verified number] to confirm instructions. We will NEVER send changes to wire instructions via email.”
- Secure communication options: Offer clients secure portal access for sensitive communications rather than relying solely on email
Technology Safeguards
Technology should support—not replace—human verification. Understanding your accounts receivable management processes helps identify where technology can provide additional protection. Key technology measures include:
- Multi-factor authentication (MFA): Require MFA on all email accounts—this is non-negotiable. Phishing attacks that compromise email credentials are the entry point for most BEC schemes
- Email security: Use paid email services with robust security features rather than free consumer email. Implement DMARC, DKIM, and SPF authentication
- Secure portals: Use encrypted client portals for sharing sensitive documents and wire instructions rather than email
- Wire verification software: Consider dedicated wire fraud prevention platforms that verify recipient identity through multi-factor authentication before wire details are shared
- Account validation services: Work with your bank to implement account validation that confirms the account name matches the account number before funds are released
Staff Training Requirements
Research shows that 74% of all security breaches involve human interaction and manipulation. Your staff are simultaneously your greatest vulnerability and your most important line of defense. Investing in their training isn’t optional—it’s essential.
Effective training programs should include:
- Regular phishing simulations: Test employees with realistic phishing attempts and provide immediate feedback. Note that 72% of title companies don’t conduct phishing tests—don’t be part of that statistic
- Real-world case studies: Review actual fraud attempts—both successful and prevented—so staff understand how attacks unfold in practice
- Deepfake awareness: Train staff on AI-powered threats including voice cloning and video deepfakes. Emphasize that even phone calls and video conferences may not be trustworthy
- Escalation procedures: Ensure everyone knows how to escalate suspicious situations without fear of reprisal for delaying a transaction
- Annual refreshers: Fraud tactics evolve constantly. Training should be ongoing, not a one-time event
Insurance Coverage and Incident Response
Even with robust prevention protocols, you need a safety net. Understanding your insurance coverage—and its limitations—is critical, as is having a clear plan for when fraud is suspected.
Understanding Insurance Gaps
Many law firms assume their malpractice insurance or cyber policy will cover wire fraud losses. This assumption is often wrong—and discovering the gap after a loss is devastating.
Common coverage gaps include:
- IOLTA/escrow exclusions: Many cyber policies explicitly exclude coverage for funds held in trust or escrow for clients. The policy covers your firm’s direct losses, not client funds you’re holding as a fiduciary
- Social engineering limits: Standard crime and cyber policies often have sub-limits for social engineering fraud that are far below the potential exposure from a single wire fraud incident
- Authorized transfer exclusions: Because the firm employee voluntarily initiated the transfer (albeit based on fraudulent instructions), some policies exclude coverage since there was no “unauthorized access”
- Malpractice coverage uncertainty: Whether malpractice insurance covers wire fraud losses varies by policy and circumstances. Don’t assume coverage exists
Action item: Review your current policies with your insurance broker specifically asking about coverage for: (1) wire transfers induced by fraudulent instructions, (2) client funds held in IOLTA accounts, and (3) social engineering attacks. Consider dedicated wire fraud insurance if gaps exist.
When Fraud Is Suspected: Immediate Response Steps
Speed is critical when wire fraud is suspected or discovered. The FBI’s Recovery Asset Team successfully froze funds in 71% of fraudulent transfers reported to them—but only when reported quickly. Once funds move to secondary accounts (often within hours), recovery becomes nearly impossible.
If you suspect wire fraud:
- Contact your bank immediately. Request an emergency recall of the wire transfer. Every minute counts.
- Contact the receiving bank. If your bank won’t contact the recipient institution, do it yourself. Request that they freeze the funds.
- File an FBI IC3 complaint. Report the incident to the FBI’s Internet Crime Complaint Center (ic3.gov) immediately. The Recovery Asset Team can work with banks to freeze funds.
- Contact local law enforcement. File a police report with your local jurisdiction.
- Notify your insurance carrier. Many policies have strict reporting deadlines. Late reporting can result in claim denial.
- Document everything. Preserve all emails, phone records, and communications related to the fraudulent instructions.
- Notify affected clients. Your ethical obligations require prompt notification to clients whose funds were affected.
Implementation Checklist
Use this checklist to assess and improve your firm’s wire fraud prevention measures:
Policies and Procedures
- Written wire transfer policy requiring verbal verification through pre-verified phone numbers
- Dual authorization requirement for all wire transfers
- Documented escalation procedures for suspicious requests
- Written incident response plan
- Regular policy review and updates (at least annually)
Technology
- Multi-factor authentication on all email accounts
- Professional email service with enterprise security features
- Secure client portal for sensitive communications
- Bank callback protocols established
- Account validation services enabled
Training
- Initial wire fraud training for all staff
- Regular phishing simulations
- Annual refresher training
- Deepfake and AI threat awareness training
Insurance and Recovery
- Insurance policy reviewed for wire fraud coverage
- IOLTA/escrow fund coverage confirmed
- Social engineering coverage limits adequate
- Emergency contacts documented (banks, FBI IC3, insurance carrier)
Taking Action Today
Wire fraud prevention isn’t optional—it’s a professional obligation and a matter of firm survival. The cost of implementing robust verification protocols is minimal compared to the potential losses from a single successful attack. More importantly, it’s your duty to protect the clients who have entrusted their funds to your care.
Start today. Review your current practices against the protocols outlined in this guide. Identify gaps and create a plan to address them. Train your staff. Update your policies. Review your insurance. These steps won’t just protect your clients—they’ll protect your firm’s reputation, finances, and future.
The criminals are sophisticated, patient, and well-funded. But they’re not invincible. A firm that follows consistent verification protocols, trains its staff, and maintains appropriate safeguards will stop the vast majority of attacks before they succeed. Proper trust account management now necessarily includes fraud prevention as a core component.
Don’t wait for a fraud attempt to test your defenses. Act now.
Frequently Asked Questions
What should I do if wire instructions come from a client I’ve worked with for years?
Follow the same verification protocol regardless of relationship history. Long-standing clients are actually higher-value targets because criminals know you’re more likely to trust communications from them. The fraudster may have monitored your communications for months, learning exactly how your client writes and what transactions are pending. Call your client at a number you’ve previously verified—not one provided in the email—and confirm the wire instructions directly before sending any funds.
Our bank has security measures. Isn’t that enough protection?
No. Banks are largely protected by UCC Article 4A when they follow commercially reasonable security procedures—but those procedures typically don’t include verifying that you intended to send money to a particular recipient. If you authorize a wire transfer to a fraudulent account, the bank has fulfilled its obligation by executing your instruction. The liability falls on you and your firm. Bank security is a helpful layer, but it’s not a substitute for your own verification protocols.
How do I verify wire instructions when dealing with international transactions?
International transactions require heightened verification given the difficulty of recovering funds once they cross borders. Establish the receiving party’s contact information through independent channels before the transaction begins. Consider using secure wire verification platforms that authenticate recipient identity across borders. For large international transfers, you might require video calls with known contacts, though be aware this alone isn’t foolproof given deepfake technology. When possible, establish ongoing verification protocols with repeat international counterparties.
What if my client insists on sending funds immediately and won’t wait for verification?
Document the client’s insistence and explain the risks clearly, but do not bypass verification procedures. If the request truly is legitimate, a brief delay for verification won’t materially harm the transaction. If the request is fraudulent, that “urgent” pressure is exactly what the criminal is counting on to bypass your defenses. Your engagement letter should specify that wire transfers require verification regardless of urgency, which helps manage client expectations before situations arise.
How often should we update our wire fraud prevention training?
Conduct comprehensive training at least annually, with brief refreshers quarterly. Fraud tactics evolve rapidly—AI-powered attacks that were theoretical two years ago are now causing multi-million dollar losses. Whenever a significant new threat emerges (like deepfake video calls), update your training promptly. Phishing simulations should occur more frequently, ideally monthly, to keep staff vigilant and identify those who need additional coaching.
Are small firms at less risk than large firms?
No—in some ways, small firms face greater risk. While large firms may handle more high-value transactions, small firms often have fewer resources for cybersecurity, less formal verification procedures, and smaller staffs where a single compromised employee can authorize significant transfers. Criminals also know that smaller firms may assume they’re “not worth targeting” and therefore have weaker defenses. Wire fraud prevention is essential regardless of firm size.
What verification is necessary if I’m receiving wire instructions by phone?
Voice cloning technology means phone verification alone is no longer sufficient for high-value transactions. If receiving wire instructions by phone, require: (1) a callback to a pre-verified number rather than accepting an inbound call, (2) verification through a secondary channel such as email or text to a known address, and (3) for large transfers, consider video calls with known contacts, challenge questions based on information not publicly available, or in-person verification. The key is using multiple verification channels that would all need to be compromised for fraud to succeed.
Sources
- FBI Internet Crime Complaint Center (IC3) – 2023 Internet Crime Report
- American Bar Association – Model Rules of Professional Conduct and Client Trust Account Records
- CertifID State of Wire Fraud Report 2024 – Wire Fraud Statistics and Trends
- Integreon – Cybersecurity, Wire Fraud, and Attorney Liability Analysis
- Qualia 2025 Wire Fraud Special Report – Real Estate Wire Fraud Trends
- TransUnion – BEC and Wire Fraud Incident Analysis
- ABA Journal – Trust Account Guidelines Updates
- North Carolina State Bar – Wire Fraud Discipline and Best Practices
- Deepstrike.io – Deepfake Fraud Statistics 2025
