The $3 Million Email: How Law Firms Lose Fortunes to Wire Fraud and What Actually Stops It

THE SHORT ANSWER

Holland & Knight was sued over a $3 million wire to a Hong Kong account. Dentons lost $2.5 million the same way. O’Neill, Bragg & Staffin lost $580,000 and then lost again in court when they tried to recover it from their bank. These are not small firms with no resources. Business email compromise targeting law firms is a documented litigation pattern, not a hypothetical. he technical controls that stop these attacks 

IT Accuracy  |  Managed IT Services, Los Angeles  |  Date: April  2026  |  7 min read

Digital gavel on a network grid representing wire fraud law firms face through business email compromise and cybersecurity risks

AT A GLANCE

AT A GLANCE

Holland & Knight lost $3 million to a fraudulent wire. Dentons lost $2.5 million. O’Neill, Bragg & Staffin lost $580,000 and could not recover it from their bank in court
⚠️ BEC attacks on law firms are targeted and researched — attackers monitor active transactions for weeks before striking
⚠️ Recovery rate is under 30% even when reported to the FBI within 24 hours — once the wire moves, it is nearly gone
⚠️ California bar rules require cybersecurity competence — a firm without documented controls is exposed to both malpractice and bar complaints
DMARC at enforcement, MFA on every account, and advanced email filtering are the three controls that stop these attacks before the wire moves

Business email compromise targeting law firms is not a hypothetical risk. Holland and Knight, one of the largest firms in the United States, was sued after someone sent $3 million to a fraudulent account in Hong Kong. It has thousands of attorneys, a global footprint, and every resource a firm could want. In 2020 it was sued because someone sent $3 million to a fraudulent account in Hong Kong. If it can happen to Holland & Knight, your firm is not exempt from the math. Los Angeles law firms, handling high-value real estate transactions, personal injury settlements, and commercial disputes daily, sit at the center of exactly the kind of wire activity BEC attackers target.

Why Wire Fraud Law Firms Face Exceeds Every Other Industry

Wire fraud law firms face is not a mass phishing campaign. It is targeted, researched, and timed. The email infrastructure most firms are running was never built to stop it. It is targeted. Attackers research a specific firm, identify a transaction in progress, wait for the right moment, and intercept. Law firms are chosen deliberately because they combine everything an attacker wants in a single environment: large wire transfers, trusted relationships with multiple parties, time pressure that discourages second guessing, and email infrastructure that was never built for security. In Los Angeles, where real estate transactions regularly exceed seven figures and litigation settlements are substantial, the wire fraud law firms are exposed to makes them especially attractive targets.

Real estate closings are the most common attack vector. A transaction involving a $2 million property generates email chains between attorneys, title companies, lenders, and clients over weeks. Attackers monitor that chain, sometimes after compromising one party’s email account, and insert themselves at the wire instruction step. The email looks like it is from the title company. The account number is slightly different. The money is gone before anyone realizes what happened.

Litigation firms face the same exposure during settlement. Personal injury settlements, commercial disputes, and class actions all involve large lump sums moving between parties with established email relationships. That is exactly the attack surface BEC exploits.

What makes law firms uniquely exposed

Attorney client privilege creates a confidentiality culture that discourages verification calls and second guessing of instructions. That same culture is exactly what attackers count on when they tell you not to confirm the wire instructions by phone because the partner is in a deposition.

The Anatomy of a BEC Attack on Law Firms

Understanding how BEC actually works is the first step toward stopping it. The attack is not a lucky guess. It is a process with defined stages, and most firms are vulnerable at every one of them.

It starts with reconnaissance. Attackers research the firm online, review public court filings to identify active cases and opposing counsel, check LinkedIn for staff names and titles, and identify which transactions are active and who the counterparties are. This takes hours, not weeks.

The next stage is account compromise or domain spoofing. In higher sophistication attacks the attacker gains access to an actual email account, often through a phishing email that captures credentials, and monitors the inbox for weeks before acting. In simpler attacks they register a lookalike domain, something like firmname-law.com instead of firmnamelaw.com, and send from there. Both methods are effective because most law firm email systems are not configured to detect either.

Then they wait. The attacker watches for the wire instruction stage of a transaction and inserts a message that redirects funds to a controlled account. The email is timed to arrive when pressure is highest and verification is least likely.

Once the wire executes, recovery is nearly impossible. Banks move funds quickly. International accounts are beyond US jurisdiction. The FBI’s Internet Crime Complaint Center reports that wire fraud law firms suffer has a recovery rate of less than 30 percent even when reported within 24 hours.

Hand holding a phishing email envelope with a hook representing business email compromise attacks targeting law firms

THE NUMBERS BEHIND BEC TARGETING LAW FIRMS

FBI Reported BEC Losses in 2023

$2.9 billion

Across all industries. Law and real estate are top targets.

Average Loss Per Incident

$137,000

Law firm incidents frequently exceed this by a wide margin

Fund Recovery Rate

Under 30%

Even when reported to the FBI within 24 hours

What the Email Actually Looks Like

The most effective BEC emails do not look suspicious. That is the entire point. They arrive from a domain that is one character different from the real sender. They reference the correct transaction, the correct property address, the correct parties, and the correct closing date. They explain the account number change with a plausible reason: a bank audit, a new escrow processor, a fraud alert on the old account.

The email may even have the correct signature block, including the phone number of the person being impersonated, routed through a call forwarding service the attacker controls so a callback goes nowhere or gets intercepted.

In account compromise attacks the email comes from the actual address of a real person at a real firm whose inbox was silently accessed weeks ago. There is nothing to detect visually. The sender is who they say they are. The account number is the only thing that changed. This is why email security controls that operate at the infrastructure level, not just the inbox level, are the only thing that reliably catches it.

These attacks are super common. The number is big, but I will tell you I have a few cases that are above a million dollars transferred right now.

Christopher Ballod, data security partner at Lewis Brisbois Bisgaard & Smith, speaking to The American Lawyer about the Holland & Knight wire fraud lawsuit, July 2020

What the Technical Controls That Stop Wire Fraud Law Firms Face Actually Are

This is where the wire fraud law firms conversation shifts from scary to solvable. BEC attacks exploit specific technical gaps, and those gaps have specific technical solutions. None of them are exotic. All of them are available. Most law firms have not implemented them because nobody with the authority to configure email infrastructure has reviewed the environment for these specific vulnerabilities.

The first layer is email authentication. Three standards work together to prevent domain spoofing: SPF, which specifies which mail servers are authorized to send on behalf of your domain; DKIM, which cryptographically signs outgoing mail so tampering is detectable; and DMARC, which tells receiving servers what to do when SPF or DKIM fail and sends you reports when someone tries to spoof your domain. A firm with all three configured at enforcement level is significantly harder to impersonate. This is a core part of what IT Accuracy’s email security service implements and monitors on an ongoing basis.

The second layer is advanced email filtering. Standard spam filters catch obvious threats. Sophisticated BEC emails are not obvious. Advanced filtering looks at sender reputation, domain age, lookalike domain detection, and behavioral anomalies like a known contact suddenly sending wire instructions for the first time. These tools exist and integrate with the Microsoft 365 and Google Workspace environments most firms already use.

The third layer is multi factor authentication on every email account. Account compromise, where the attacker uses real credentials from a real address, is stopped cold if MFA is enforced. A stolen password does not get an attacker into the inbox if accessing that inbox requires a physical device the attacker does not have. This is the single highest impact change most law firms are not making, and it is part of the baseline security posture IT Accuracy establishes for every law firm IT engagement.

The gap most firms have

SPF, DKIM, and DMARC all configured at enforcement. MFA enforced on every email account including shared mailboxes and former staff accounts that were never deprovisioned. Advanced email filtering that flags lookalike domains. Most law firms have partial implementation of one or two of these. Partial implementation stops nothing.

The Wire Fraud Law Firms Lawsuits Are Already Happening

Wire fraud law firms face is not a hypothetical risk. It is a documented litigation pattern with named firms and published outcomes, and the trend is moving in one direction.

In 2020, Holland & Knight, one of the largest law firms in the United States, was sued after allegedly sending $3 million to a fraudulent account in Hong Kong. The plaintiffs filed claims for breach of contract, negligence, and breach of fiduciary duty. Holland & Knight maintained its own IT system was not compromised and that it acted on wiring instructions received from the plaintiffs’ own email system. That defense has not reliably protected other firms.

In a 2017 case, Dentons’ Vancouver office was duped into transferring $2.5 million intended to pay off a client’s mortgage into a scammer’s Hong Kong account. The firm had received emails purportedly from the client instructing it to wire funds to an international account because the TD Canada Trust account was being audited. That explanation alone should have been a red flag. It was not caught. The funds were gone.

In the same year, Pennsylvania firm O’Neill, Bragg & Staffin lost $580,000 when a hacker impersonating a named shareholder directed another shareholder to wire funds to a Bank of China account in Hong Kong. The firm later sued its bank to recover the funds. A federal court dismissed the suit, finding the bank had not violated any agreement or law in executing the wire. The firm absorbed the loss.

The pattern across all three cases is the same. Funds sent. Recovery nearly impossible. Firms left holding the liability question. Clients and their attorneys arguing about who was in the best position to prevent it.

Magnifying glass over a legal document with a digital lock representing cybersecurity liability and data breach investigation for law firms

The legal standard that applies

Courts analyzing wire fraud losses consistently ask which party was in the best position to prevent the harm. For law firms that control the wire transfer process, handle client trust accounts, and manage the email environment through which instructions flow, the answer is almost always the firm. That framing is the foundation of most malpractice claims that follow a BEC loss.

The Malpractice Exposure Wire Fraud Law Firms Never See Coming

When a law firm loses a client’s funds to wire fraud, the ethical exposure does not wait for the litigation to resolve. Bar associations in California and across the country have established through formal opinions that cybersecurity competence is part of the duty of competence under the rules of professional conduct. A firm that could not demonstrate reasonable protective measures at the time of the loss is not just a victim. It is a potential respondent in both a malpractice proceeding and a bar complaint. A documented security posture is the only defensible position.

ABA Formal Opinion 483 established that lawyers have an obligation to monitor for data breaches and notify clients when their information is compromised. The California State Bar has issued its own guidance, and its fraud alert page specifically references the wire transfer threat as a priority concern for California attorneys. ABA Formal Opinion 477 additionally requires lawyers to adopt reasonable cybersecurity measures to protect client data and property. None of these opinions treat the existence of a technical solution as optional.

The cyber insurance question compounds this further. Carriers have dramatically tightened BEC coverage requirements. Many policies now require documented proof of MFA enforcement, DMARC at enforcement policy, and employee security training as conditions of coverage. A firm that assumed it was covered and then files a BEC claim may find the claim denied because the required controls were absent at the time of the incident. Worse, some firms discover that their professional liability policy, general liability policy, and cyber policy each exclude wire fraud losses in ways that leave the loss entirely uncovered.

That conversation, with your client, your insurer, and the state bar, is the version of this story you do not want to have. The version you want is the one where the spoofed email was flagged before it reached anyone, and nothing happened, because the system handled it before it became a problem.

Two attorneys reviewing documents and laptops at a conference table representing law firm cybersecurity protocol review

HOW IT ACCURACY PROTECTS LAW FIRMS FROM BEC

The email security and compliance controls your firm is probably missing

IT Accuracy implements and manages the full stack of email security controls that stop business email compromise before it reaches your attorneys. We start with a complete audit of your current email environment, identify every gap, and build a prioritized remediation plan. Then we close the gaps and monitor on an ongoing basis so new vulnerabilities do not go unaddressed.

For law firms specifically, we also ensure your IT environment aligns with California State Bar cybersecurity guidance and standard cyber insurance requirements, so your coverage is defensible when you need it.

SPF, DKIM, and DMARC configured at enforcement with ongoing reporting
MFA enforced across all accounts including shared and legacy mailboxes
Advanced email filtering with lookalike domain detection
Email continuity so a disruption never stops your firm from operating
Security posture documentation aligned with bar ethics and insurance requirements
Ongoing monitoring with alerts when impersonation attempts are detected

The Practical Steps Your Firm Can Take This Week

You do not need to wait for a full managed IT engagement to start reducing exposure. There are three things a managing partner or office administrator can verify right now that will give you an honest picture of where the firm stands.

First, ask your current IT provider or IT contact to pull your DMARC policy. If they cannot tell you what it is within a few minutes, or if the answer is that you do not have one set to enforcement, that is a critical gap. Free lookup tools exist at mxtoolbox.com where you can check your own domain in under a minute.

Second, confirm that MFA is enforced on your firm email platform, not just available but required, including for any shared inboxes like info@ or billing@ and any accounts belonging to former staff that were not fully deprovisioned. Former employee accounts left active are one of the most common entry points for account compromise attacks.

Third, review your wire transfer protocol. Does your firm have a written policy requiring a verbal confirmation by phone using a number on file, not a number provided in the email requesting the wire, before any wire instruction is executed? If not, that policy takes one afternoon to write and zero technology to implement, and it stops a significant percentage of BEC attempts before any technical control is even needed.

Those three steps do not replace a comprehensive security posture. But they tell you immediately whether the most fundamental protections are in place, and in most law firms the answer to at least one of them is no. If you want a full picture of where your firm stands, IT Accuracy offers a no-obligation security assessment built specifically for legal environments.

Law firm IT security topic cluster

IT Accuracy Service

Email Security and Continuity Services for Los Angeles Businesses

Access Chain Security

The Avatar Movie Leaked Because of an Access Chain Failure. That Is Always How It Happens.

IT Accuracy Service

Cybersecurity and Penetration Testing Services

IT Security Prevention Los Angeles

A Japanese Floodgate. Y2K. And Why Los Angeles Businesses Keep Skipping the Most Important IT Investment

TAGS

Business Email Compromise Law Firms Law Firms Los Angeles Email Security Email Security Los Angeles Wire Fraud Cybersecurity Managed IT Los Angeles Managed IT Services

IT Accuracy

Managed IT Services — Los Angeles, CA

IT Accuracy provides cybersecurity and security awareness training, managed network services, cloud solutions, and help desk support for businesses across Los Angeles and nationwide.