An attorney at a mid-size Oklahoma City firm receives an email from a long-standing client. The subject line references an active matter. The body asks her to wire settlement funds to a new account — the client's bank "changed routing numbers." She forwards it to accounting. The wire goes out by end of day. By the next morning, the real client calls asking where the money is. The email was a forgery. The funds are gone.

This is Business Email Compromise — and it happens to law firms every week. The attack doesn't require sophisticated hacking. It requires an email that looks right, arrives at the right moment, and asks your staff to do something they do routinely: move money on a client's instruction.

Why Law Firms Are Phishing's Favorite Target

Attorneys communicate constantly by email — with clients, courts, opposing counsel, and title companies. High-value transactions like wire transfers, settlements, and trust account movements are routine parts of your practice.

Staff turnover means inconsistent security training. A new paralegal may not know your firm's wire verification process. And urgency is normal in legal work — "I need this filed before the hearing" is a sentence your staff hears weekly. Attackers exploit that urgency deliberately.

The 5 Types of Phishing Attacks Hitting Law Firms Right Now

1. Business Email Compromise (BEC)

An email appears to come from a client or partner requesting updated wire transfer instructions. The sender address may be one character off from the real address (a letter swapped, doubled, or dropped in the domain), or the display name matches a known contact while the actual address is unrelated. The goal is always the same: get your firm to send money to an account the attacker controls.

2. Spear Phishing

Personalized attacks using real case names, client names, or matter numbers scraped from public court filings, LinkedIn profiles, or your firm's website. These emails reference specific details that make them feel legitimate — "Regarding the Henderson closing" or "Updated docs for the Smith divorce." Personalization is a red flag, not reassurance.

3. Credential Harvesting

Fake login pages for Clio, MyCase, NetDocuments, or Microsoft 365. The email says your session expired or a shared document needs review. You click the link, enter your credentials on a page that looks identical to the real one, and the attacker now has access to your email and case files.

4. Voicemail/Callback Phishing (Vishing)

A voicemail or email says your Microsoft account has been compromised and instructs you to call a number to verify your identity. The person who answers walks you through "verification steps" that involve giving them your password or approving a login prompt on your phone. Real IT providers and software vendors don't operate this way.

5. Vendor Impersonation

Fake invoices from "your IT provider," "your court reporter," or "your copier company." The invoice includes updated payment instructions — a new bank account. Your accounts payable person processes it because the vendor name is familiar and the amount is plausible.

When in doubt about a wire instruction: hang up and call the client on a number you already have — not the one in the email.

Red Flags Every Attorney and Staff Member Should Know

Any single red flag is enough to pause. Two or more means you verify through a separate channel before taking action.

What Technical Controls Actually Stop Phishing

SPF, DKIM, and DMARC records let receiving mail servers check whether a message really came from your firm's domain; with DMARC set to an enforcing policy, forged email that uses your exact domain is rejected before it reaches an inbox. Without them, anyone can forge an email that looks like it came from a partner at your firm. These records do not stop lookalike domains, which is one of the gaps email filtering has to cover.
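Whether these records actually protect the domain depends on a few tags: a DMARC record published with p=none only reports forgeries and still lets them through, and an SPF record ending in ~all asks receivers to merely soften their judgment. This added example (not code from the original post) reviews constructed DNS TXT records for a hypothetical firm domain, showing the weak form beside the enforcing one.

```python
# Constructed DNS TXT records for a hypothetical firm domain (not from the original post).
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@lawfirm.example"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@lawfirm.example"
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example -all"


def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def review_dmarc(record):
    """Return the weaknesses that would let forged mail from the domain be delivered."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers apply no policy to forged mail"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none only reports; forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forgeries to junk instead of rejecting them")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} enforces the policy on only part of the mail")
    if tags.get("sp") == "none":  # subdomain policy explicitly weaker than the parent
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: you never see reports of forgery attempts")
    return findings


def review_spf(record):
    """Flag an SPF record whose 'all' mechanism lets unauthorized senders through."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["no SPF record: any server may claim to send for the domain"]
    if "-all" in terms:
        return []  # hard fail for every host not listed
    if "~all" in terms:
        return ["~all softfail: receivers may still accept unauthorized senders"]
    return ["no -all: senders outside the listed hosts are not rejected"]


if __name__ == "__main__":
    for label, rec, fn in (("weak", WEAK_DMARC, review_dmarc), ("strong", WEAK_SPF, review_spf)):
        print(label, "->", fn(rec) or "enforcing")
```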

Advanced email filtering catches threats that default Microsoft and Google spam filters miss: lookalike domains, newly registered sender addresses, and links to known phishing pages. MFA means stolen credentials alone aren't enough to access your systems, though, as the callback scam above shows, staff still have to refuse login prompts they did not start. MFA is also one of the controls cyber liability insurers require; see our full breakdown of cyber insurance requirements. And phishing simulation training builds the muscle memory your staff need to recognize attacks in the moment, not six months after an annual compliance video.

The Human Layer: Training That Actually Works

Annual security videos don't work. Frequent, short simulated attacks do. When your staff receive realistic phishing tests regularly, they develop the habit of pausing before clicking — the same habit that stops real attacks.

Reward staff for reporting suspicious emails. Don't punish people for falling for simulated drills — that's how you teach them to hide mistakes instead of reporting them. Create a simple internal rule: if you're unsure, call the sender directly on a known number.

Attorneys need tailored training with legal-specific scenarios — fake wire instructions from clients, forged opposing counsel emails, compromised court filing notifications. Generic corporate phishing examples don't prepare your team for the attacks they'll actually face.

How ABT Cyber Helps

We deploy advanced email filtering, configure DMARC/DKIM/SPF to stop domain spoofing, and run ongoing phishing simulation programs built around legal-specific attack scenarios. Your staff get practical training. Your firm gets technical controls that catch what humans miss. See our email security and anti-phishing protection services.