The Complete Guide to Phishing, BEC & Spoofing Defense for Law Firms

Prevent wire-fraud and account takeovers with layered email security, MFA, and attorney-focused training. A practical guide for law firms.

1) How Phishing and BEC Target Law Firms

• Settlement and escrow redirection

• Spoofed partner emails requesting urgent payments

• Vendor impersonation in eDiscovery and expert portals
  

2) Technical Controls (Layered)

• Advanced email security: Impersonation/BEC detection, DMARC/DKIM/SPF, URL detonation.

• Identity security: MFA everywhere, conditional access, risky login policies.

• Browser isolation/safe links: Neutralize malicious landing pages.

• Account hygiene: Disable legacy protocols (POP/IMAP), enforce passwordless.
  

3) Process and Culture

• Out-of-band verification for any payment changes.

• Dual approval for wire transfers.

• “Report phish” button with a rapid SOC response.

• Monthly micro-training and realistic simulations.
  

4) Playbook: When Someone Clicks

1. Quarantine mailbox; reset credentials; invalidate refresh tokens.

2. Search/recall malicious messages; notify affected clients if required.

3. Review OAuth/app passwords; rotate API keys.

4. Post-mortem + refresher training.
   

Attorney-Focused Quick Tips

• Slow down: confirm sender address and domain.

• Watch for tone mismatch and urgent money requests.

• Don’t bypass verification—even for partners and VIP clients.