# Law Firm BEC and the Trust Account

> Business email compromise redirects wire transfers from law firm trust accounts. Why your firm can be liable to the client even after funds are recovered.

[Home](https://rankshieldlegal.com/) / [Blog](https://rankshieldlegal.com/blog/) / Firm Security Firm cybersecurity
# Business Email Compromise and the Trust Account: The Attack That Makes You Liable Even After Recovery
Business email compromise does not encrypt your files or lock your screen. It redirects your money. A spoofed or compromised email carrying fraudulent wire instructions can steer a client's trust-account funds into an account the attacker controls, and the danger runs deepest at the exact moments a firm moves large sums by email: real-estate closings and settlement disbursements. The sharp point for a law firm is that the duty to safeguard client funds does not depend on the outcome, so the firm can be answerable to the client for the loss whether or not the money is later recovered. The defense is a process, not a product: verify every payment instruction out of band before the money moves.

By [Jamie Kloncz](https://rankshieldlegal.com/about/), Founder, RankShield ** 20 min read ** Published July 10, 2026

A law firm exposed to business email compromise on its trust account faces a specific problem: an attacker who redirects client funds by sending fraudulent wire instructions, and a professional duty to safeguard those funds that can leave the firm liable to the client even if some or all of the money is recovered. The direct answer to what protects a firm is not a single piece of software. It is a written verification process, applied to every new or changed payment instruction, that confirms the payee and the instruction through an independent channel before any transfer is released.
This article explains how the attack reaches a firm, why trust accounts and closing disbursements are the favored target, what the FBI's own reporting says about the scale of the losses, and why the liability can survive a recovery. It then lays out the controls that actually break the attack, including out-of-band verification, dual control on disbursements, and email authentication, and describes where a verifiable record of that verification fits. The author is a security and engineering founder, not an attorney, and the piece is informational rather than legal advice.

## What business email compromise does to a law firm trust account
Business email compromise, often shortened to BEC, is a scam that targets businesses and individuals that regularly perform wire-transfer payments. The FBI describes it as a scheme carried out by compromising email accounts and other forms of communication through social engineering or computer intrusion, in order to conduct an unauthorized transfer of funds [[1]](#ref-1). In a law firm, the funds most exposed are the ones the firm holds for others: money in the client trust account, or IOLTA account, and the large sums that pass through the firm during closings and settlements.
The mechanics are quiet. There is no malware banner and no ransom note. An attacker who has read the right email thread sends a message that looks like it came from a client, a counterparty, a title company, or a member of the firm's own staff, and that message carries either a fresh set of wire instructions or a change to instructions everyone was already expecting. The firm follows the instructions, releases the transfer, and the client's money lands in an account the attacker controls. By the time anyone notices, the funds have usually moved again.
The reason this matters more for a law firm than for a typical business is the nature of the money. When a company wires its own operating funds to a fraudster, it absorbs its own loss. When a firm wires client funds held in trust, the loss lands on money the firm was obligated to protect, and the client is the party left short. That shift, from the firm's money to the client's money, is what turns a payment mistake into a professional-responsibility problem.
21,442 Business email compromise complaints reported to the FBI's Internet Crime Complaint Center in 2024 [1].

## How the fraud reaches a firm through spoofed instructions and the last-minute banking change
The pattern that catches firms is not a crude phishing blast. It is a patient, well-researched intrusion into an email conversation that is already in motion. The attacker either compromises a mailbox belonging to one of the parties, a form of intrusion that overlaps with the broader [law firm data breach and ransomware](https://rankshieldlegal.com/law-firm-data-breach-ransomware/) problem, or registers a look-alike domain that reads correctly at a glance, then waits until a real transaction is close to closing. At that point the fraudulent message arrives, and because it references genuine details of the deal, it does not trigger the suspicion a random request would.
Two signatures recur often enough to be worth naming. The first is the new instruction, where a party who has not previously supplied banking details sends them for the first time, framed as routine. The second, and the more dangerous, is the changed instruction: a message stating that the bank account first provided is no longer valid and that funds should now go to a different account. The change almost always arrives late, framed as urgent, and pushed with a reason to act quickly, because urgency is what discourages the one phone call that would expose it.
It helps to see the attack from the attacker's point of view. The work is front-loaded into reconnaissance, learning who is paying whom, how much, and when, so that the fraudulent instruction lands at the only moment it will be believed. Everything after that is a single email and a wait. A firm that treats an emailed change of banking details as ordinary correspondence, rather than as an event that must be independently confirmed, is relying on the attacker to make a mistake the attacker has already planned around.
The most reliable warning sign is not a spelling error. It is a change of banking details that arrives late in a transaction, carries a sense of urgency, and asks you to abandon instructions you already had.

Source: FBI IC3 2024 Internet Crime Report; ABA Model Rule 1.15 Download SVG

## Why real-estate closings and settlement disbursements are the prime target
Real-estate closings and settlement payouts combine three things the fraud needs: a large sum, a fixed deadline, and instructions that travel by email across several organizations. That combination, not any single weakness, is what makes the trust account the target.
The attack concentrates where the money is largest, the timing is tightest, and the communication runs by email. Real-estate closings fit all three conditions at once. A closing brings together buyers, sellers, agents, lenders, and title companies, moves a large sum on a fixed date, and coordinates most of that movement through email threads that cross several organizations. Each additional party is another mailbox that can be compromised and another sender whose voice an attacker can imitate.
Settlement disbursements share the same shape. When a matter resolves, the firm holds the proceeds in trust and pays them out, sometimes to a client, sometimes to a lienholder, sometimes to co-counsel or a third party. Those instructions frequently arrive or change by email in the days before the transfer, which is exactly the window the fraud is built to exploit. The FBI's reporting includes real-estate transactions among its recovery cases, in one instance a complaint reporting a spoofed email from supposed real-estate agents requesting a wire of $956,342 to finalize a closing, discovered only two days after the transfer went out [[1]](#ref-1).
There is a structural reason the trust account sits at the center of this. It is the one place where a firm routinely moves other people's money in large amounts on someone else's schedule. Every property in that sentence, other people's money, large amounts, someone else's schedule, is a property the fraud depends on. That is why the closing table and the disbursement, rather than the firm's own payroll or vendor payments, are where the pressure concentrates.

## The scale of the loss in the FBI's own numbers
The most authoritative public figures come from the FBI's Internet Crime Complaint Center, which publishes an annual Internet Crime Report. In 2024, the center recorded 21,442 business email compromise complaints with reported losses of $2,770,151,146, placing BEC among the highest-loss cybercrime categories it tracks [[1]](#ref-1). Those figures reflect complaints filed with the FBI, so they represent reported losses rather than the full universe of incidents, many of which are never reported.
The center has also characterized the cumulative scope in a separate public service announcement titled Business Email Compromise: The $55 Billion Scam, which put global exposed losses at $55,499,915,582 for the period of October 2013 through December 2023 [[2]](#ref-2). Exposed losses in that figure include both actual and attempted transfers reported to the FBI and its international partners, so it is best read as a measure of the fraud's total footprint rather than of money confirmed gone.
The honest way to use these numbers is as direction and scale, not as a precise map of any one firm's risk. They establish two things that matter for the argument here. First, the fraud is large and sustained rather than occasional. Second, it operates through wire transfers and payment instructions, which is precisely the machinery a law firm runs every time it disburses from trust. A firm does not need to believe it is uniquely targeted to conclude that the category it participates in, high-value email-directed transfers, is exactly the category the fraud is built to attack.
$2.77B Reported business email compromise losses recorded by the FBI IC3 in 2024 [1].

## The liability that survives recovery: why the firm can owe the client either way
Here is the point that separates this fraud from most cyber incidents. A ransomware attack damages the firm's own systems, and the firm is largely the party that absorbs the harm. A misdirected trust disbursement harms the client, because the money that vanished belonged to the client and was held by the firm in a fiduciary capacity. That difference changes who is owed what afterward.
Lawyers have a duty to safeguard client property. The American Bar Association's Model Rules of Professional Conduct, in Rule 1.15, require a lawyer to hold client and third-party property, including funds, separately and with the care of a professional fiduciary [[3]](#ref-3). The duty attaches to the safekeeping itself. It is not a promise of a particular outcome, and it does not switch off because an attacker was clever. When firm-controlled funds are released on a fraudulent instruction, the question a client, a regulator, or an insurer will ask is whether the firm exercised the required care over those funds, not merely whether the firm was deceived.
This is why recovery does not settle the matter. Suppose the wire is caught in time, or a bank freezes the receiving account, or law enforcement claws back part of the transfer. Any recovery is welcome, but it is contingent, partial, and often slow, and it does not by itself answer the fiduciary question. If the funds are only partly recovered, the firm may still face a shortfall it is responsible for making whole. If they are fully recovered, the firm has still moved client money to a criminal on a forged instruction, and it will still need to account for how that happened. The exposure is tied to the safeguarding duty, which is why it can persist regardless of how the money story ends. None of this is a statement about any specific firm's legal position, which depends on jurisdiction and facts; it is the general reason the duty and the recovery are separate questions.
Recovery answers a money question. The fiduciary duty answers a different one: did the firm safeguard client funds. A firm can get the money back and still have to explain how it left.

## Mapping the attack to the control that breaks it
Because the fraud runs as a sequence, it can be defended as a sequence. Each stage the attacker relies on has a control that either stops it or makes it far harder, and no single control has to carry the whole load. The value of laying the stages side by side is that it shows where a firm's process has to hold, and it makes clear that the decisive break happens at the instruction stage, before any money moves, rather than in the aftermath when options narrow to recovery.
The table below pairs each stage of a typical trust-account BEC with the control that interrupts it. Read down the middle column to see the attacker's path, and down the right column to see where a firm's written procedure has to do its work. The single most important row is the instruction row, because verification there is the last point at which the fraud costs the firm nothing.
Attack stage What the attacker does Control that breaks the chain
Access Compromises or spoofs an email account belonging to a client, counterparty, title company, or firm staffer Multifactor authentication on email; staff training on spoofed-sender and look-alike-domain patterns
Reconnaissance Reads the thread to learn a pending closing or disbursement, its amount, and its timing Limited mailbox exposure; external-sender and look-alike-domain flagging
Instruction Sends new or changed wire details, usually framed as urgent and last-minute Out-of-band verification of every new or changed instruction before it is accepted
Disbursement Relies on the firm to wire client funds to the fraudulent account Dual control with a second approver required on every trust transfer
Aftermath Moves the funds onward while recovery remains uncertain A verifiable record showing that verification occurred before the money moved

## Out-of-band verification: the control that does the real work
If a firm adopts one habit, it should be this: never accept a new or changed payment instruction on the strength of the email that delivered it. Verify it through a separate channel first. Out-of-band verification means confirming the instruction using contact details you already held, obtained independently of the message in question, before any transfer is released. It is the control that most directly defeats the fraud, because the fraud depends entirely on the firm trusting the channel the attacker controls.
The discipline that makes this work is refusing to use any contact information supplied in the suspect message. The phone number in the signature block, the number in the email body, the reply-to address: all of them can be part of the fraud, and a call to the attacker's own number will cheerfully confirm the attacker's own instruction. The point of verifying out of band is to reach the real party through a path the attacker never touched. The steps below describe a procedure a firm can write down and apply to every transfer, without exception, so that the busiest closing day is handled the same way as the quietest.

- **Freeze on any new or changed instruction** Treat the first arrival of banking details, and any change to details you already had, as a stop event. No transfer is released and no instruction is accepted until verification is complete, no matter how urgent the message claims the deadline is.
- **Call a number you already had, never one from the message** Confirm the instruction by phone using a number sourced independently: from your own prior records, the engagement file, or an official directory. Never use a phone number, email, or link contained in the message you are checking, because the attacker may have supplied it.
- **Verify the instruction, not just the identity** Confirm the specific account number, routing number, payee name, and amount out loud with the known party. A caller who is genuinely the client or counterparty can confirm the actual figures; an attacker who has only compromised the email thread usually cannot.
- **Require a second approver before release** Apply dual control so that a second authorized person independently reviews the verification and approves the transfer. One person should not be able to both accept an instruction and release the funds against it.
- **Record that you verified before the money moved** Log who verified, the independent number or source used, who was reached, what was confirmed, and who gave second approval, with a timestamp that precedes the transfer. This record is what lets the firm later demonstrate that the safeguarding duty was met, not merely asserted.

## Dual control, email authentication, and the rest of the layered defense
Out-of-band verification is the center of the defense, but it works best surrounded by controls that reduce how often a fraudulent instruction reaches a person in the first place, and that add a second set of eyes when one does. None of these is exotic, and none requires a large security budget. What they require is that the firm decide, deliberately, that moving client funds is a controlled process rather than a clerical task, and that this process sits inside the firm's wider [law firm cybersecurity](https://rankshieldlegal.com/law-firm-cybersecurity/) program rather than beside it.
The supporting controls fall into a short, practical list. Each one closes a gap that the verification step alone does not, and together they turn a single point of judgment into a system that can absorb an individual lapse.

- Dual control on disbursements, so that no single person can both approve an instruction and release the transfer against it.
- Multifactor authentication on every firm email account, which is the strongest single barrier to the mailbox compromise the fraud often begins with.
- Email authentication using SPF, DKIM, and DMARC, which makes it harder for an attacker to spoof the firm's own domain and helps flag inbound messages that fail to authenticate.
- Staff training focused on the specific pattern of the urgent, last-minute change of banking details, so the people handling closings recognize the move on sight.
- A written wire-verification procedure that applies to every transfer, so the control does not depend on who happens to be handling the file that day.
- Look-alike-domain monitoring and external-sender flagging, so a near-match domain does not read as the real counterparty at a glance.

## Building a record that you verified before the money moved
A verification process protects the client's funds. A record of that verification protects the firm's account of what happened. These are related but distinct: the first stops the fraud, and the second lets the firm prove, afterward, that it did what the safeguarding duty required. When a disbursement is later questioned, the difference between a defensible position and a difficult one is often whether the firm can show a contemporaneous record that verification occurred before the transfer was released, rather than reconstructing events from memory.
The broader RankShield thesis is straightforward: verify before money moves, and keep evidence that you did. The record that matters is the one created at the moment of verification, showing the independent channel used, the details confirmed, the second approval, and a timestamp that precedes the wire. A firm can capture that in its own systems today. RankShield Legal's role is the [verifiable evidence](https://rankshieldlegal.com/security/) layer on top of it, sealing such records so they are tamper-evident and independently verifiable rather than resting on files that could be edited after the fact. Where specific capabilities are still on the RankShield roadmap rather than shipped, they are labeled as such, and no part of this record layer prevents the underlying fraud; it makes the firm's account of its own diligence checkable.
The value of an independently verifiable record shows up precisely when trust is strained. If a transfer is disputed and the firm's internal logs are the only proof that verification happened, those logs are only as persuasive as the assumption that no one altered them. A record sealed so that any change would be detectable removes that assumption from the conversation. It lets the firm answer the question that follows a misdirected wire, did you verify before you moved the money, with evidence a client, regulator, or insurer can check rather than with an assurance they are asked to take on faith.

## Where verifiable evidence fits, and where it does not
Precision about scope matters, because overclaiming here would undercut the point. A verifiable record of verification does not stop a business email compromise. It does not detect the spoofed domain, it does not block the fraudulent wire, and it does not recover funds that have already left. Those jobs belong to the process controls described above, to the firm's bank and its fraud-recovery channels, and to law enforcement. Anyone positioning an evidence layer as a substitute for out-of-band verification, dual control, or email authentication is describing something that does not exist.
What a record layer adds sits after the controls have done their work: the ability to demonstrate that the controls were applied. Prevention lives in the verification step, before the money moves. Response lives with the bank and law enforcement once a fraudulent transfer is discovered. Verifiable evidence lives in a third position, proving after the fact that the firm met its safeguarding duty on a given transaction. Keeping those roles distinct is what keeps the claim honest, and it is why the process, not any tool, is the thing a firm should build first.
A closing note on what this article is. It is general information from a security and engineering perspective, written by a founder who is not an attorney, about how a specific fraud reaches law firms and what controls reduce the risk. It is not legal advice, not an ethics opinion, and not a statement about any particular firm's obligations or liability, which turn on jurisdiction, facts, and professional rules. Treat it as a starting point for a conversation with qualified security and legal professionals who can assess your firm's own systems, trust-accounting duties, and risk.

Test yourself
## Test yourself: defending the trust account
Four questions on how BEC reaches a firm and the control that breaks it.

- 1 Why can a firm be liable to the client even if the money is recovered? Because insurance requires it Because the duty under Rule 1.15 attaches to safekeeping, not the money outcome Because recovery is illegal **Answer:** Because the duty under Rule 1.15 attaches to safekeeping, not the money outcome Rule 1.15 requires holding client funds with a fiduciary's care; the question is whether the firm exercised that care, which is separate from whether the funds later return.
- 2 What is the single control that most directly defeats BEC wire fraud? Antivirus software Out-of-band verification of every new or changed payment instruction A faster wire system **Answer:** Out-of-band verification of every new or changed payment instruction Out-of-band verification confirms the instruction through an independent channel before release, defeating a fraud that depends on the firm trusting the email channel the attacker controls.
- 3 When verifying a payment instruction, which phone number should you use? The number in the email signature A number you already had from independent records Any number that answers **Answer:** A number you already had from independent records Never use contact details supplied in the suspect message; call a number sourced independently, because the attacker may have supplied the one in the email.
- 4 Does RankShield prevent business email compromise? Yes, it blocks fraudulent wires No, it seals verification records so the firm's diligence is checkable Yes, it recovers stolen funds **Answer:** No, it seals verification records so the firm's diligence is checkable RankShield is not an anti-fraud filter; prevention lives in the process controls and the firm's bank. The evidence layer proves, after the fact, that verification occurred before the money moved.
Honest self-check. There is no sign-up, and nothing is stored.

Questions answered
## Straight answers to the common questions
The questions readers ask about this topic, answered directly. **No forms, no sales pitch.**

JAMIE KLONCZ · SEO AGENCY NAPLES ************** ONLINE
Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

← PREV NEXT → [REQUEST ACCESS →](https://rankshieldlegal.com/contact/)

- **What is business email compromise, and how does it threaten a trust account?** Business email compromise, or BEC, is a scam that targets parties who regularly send wire transfers. The FBI describes it as compromising email accounts or other communication channels through social engineering or intrusion in order to conduct an unauthorized transfer of funds. For a law firm, the danger concentrates on the client trust account, because that is where the firm moves other people's money in large amounts. An attacker sends fraudulent or changed wire instructions that look like they came from a client, counterparty, title company, or staffer, and if the firm follows them, client funds held in trust are wired to an account the criminal controls. The loss lands on money the firm was obligated to safeguard.
- **Why can a firm be liable to the client even if the money is recovered?** Because the exposure is tied to the duty to safeguard client funds, not to the final money outcome. Under the American Bar Association's Model Rule 1.15, a lawyer must hold client property, including funds, with the care of a professional fiduciary. That duty attaches to the safekeeping itself and does not switch off because an attacker was skilled. If a firm releases client funds on a forged instruction, the fiduciary question is whether it exercised the required care, which is separate from whether the money later comes back. Recovery is welcome but often partial and slow, and even a full recovery still means client money was wired to a criminal. This is general information, not legal advice; specific liability depends on jurisdiction and facts.
- **What is out-of-band verification, and why is it the key control?** Out-of-band verification means confirming a payment instruction through a channel separate from the one that delivered it, before any transfer is released. In practice, when a new or changed set of wire instructions arrives, you call the known party using a phone number you already had, sourced from your own records or an official directory, never a number from the suspect message. You confirm the actual account number, routing number, payee, and amount out loud. It is the decisive control because the fraud depends entirely on the firm trusting the email channel the attacker controls. A call on an independent line reaches the real party through a path the attacker never touched, which is what exposes the forged instruction before money moves.
- **How large are business email compromise losses according to the FBI?** The FBI's Internet Crime Complaint Center recorded 21,442 BEC complaints with reported losses of $2,770,151,146 in its 2024 Internet Crime Report, placing BEC among the highest-loss cybercrime categories it tracks. In a separate public service announcement titled Business Email Compromise: The $55 Billion Scam, the center put global exposed losses at $55,499,915,582 for October 2013 through December 2023, a figure that includes both actual and attempted transfers. These numbers reflect what was reported to the FBI, so they understate the full picture. They are best read as direction and scale: the fraud is large, sustained, and operates through exactly the wire-transfer machinery a firm runs when it disburses from trust.
- **Why are real-estate closings and settlement disbursements the most targeted?** Because they combine the three conditions the fraud needs: a large sum, a fixed deadline, and instructions that travel by email across several organizations. A closing links buyers, sellers, agents, lenders, and title companies, each an additional mailbox that can be compromised. Settlement disbursements are similar, with proceeds paid from trust to clients, lienholders, or co-counsel on instructions that often arrive or change by email in the final days. The FBI's own recovery cases include real-estate transactions, such as a complaint reporting a spoofed email from supposed agents requesting a $956,342 wire to finalize a closing, discovered two days too late. The trust account sits at the center because it routinely moves other people's money in large amounts on someone else's schedule.
- **Does RankShield prevent business email compromise?** No. RankShield Legal is not an anti-fraud filter, a wire-blocking service, or a recovery service, and it does not stop a fraudulent transfer or detect a spoofed domain. Preventing the fraud is the job of the process controls, out-of-band verification, dual control, multifactor authentication, and email authentication, together with the firm's bank and law enforcement once a transfer is discovered. RankShield's role is the evidence layer: sealing the firm's own verification records so they are tamper-evident and independently checkable. That lets a firm later demonstrate, with evidence rather than assertion, that it verified an instruction before releasing funds. Features still on the RankShield roadmap rather than shipped are labeled as such. The record layer answers the question that comes after a fraud, not instead of preventing one.

## References

- FBI Internet Crime Complaint Center (IC3). 2024 Internet Crime Report. 2025. [https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf](https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf)
- FBI Internet Crime Complaint Center (IC3). Business Email Compromise: The $55 Billion Scam (Alert Number I-091124-PSA). September 11, 2024. [https://www.ic3.gov/PSA/2024/PSA240911](https://www.ic3.gov/PSA/2024/PSA240911)
- American Bar Association. Model Rules of Professional Conduct, Rule 1.15: Safekeeping Property. 2024. [https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_15_safekeeping_property/](https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_15_safekeeping_property/)

Written by
## [Jamie Kloncz](https://rankshieldlegal.com/about/)
Founder, RankShield
Jamie Kloncz is the founder of RankShield, the verifiable AI and quantum security platform behind RankShield Legal. An engineer by training, he built RankShield after his own devices and business were attacked, including an AI voice-cloning scam that targeted his family, on one conviction: unverifiable security is the real danger, so every consequential action should leave a receipt anyone can independently check.
[More about Jamie →](https://rankshieldlegal.com/about/)

Try it · Free
## Check a citation against live case-law
Paste a citation from an AI-drafted brief and see whether the case actually exists, resolved against live case-law. Free, no sign-up. Then request early access to certify a full filing.
[Try the citation checker](https://rankshieldlegal.com/ai-legal-citation-checker/)

Keep reading
## Related guides
[Firm Security Outside counsel guidelines are adding AI clauses: what clients now demand Read guide →](https://rankshieldlegal.com/blog/outside-counsel-guidelines-ai-clauses/)[Firm Security How to Verify a Legal AI Vendor's "We Don't Train on Your Data" Claim Read guide →](https://rankshieldlegal.com/blog/verify-legal-ai-vendor-no-training-claim/)[Firm Security How to vet a legal AI vendor: the security questionnaire that protects clients Read guide →](https://rankshieldlegal.com/blog/vet-legal-ai-vendor-security-questionnaire/)
