
BEC Protection for Law Firms: How Melbourne Firms Stop Business Email Compromise

Peter Nelson · 9 min read

Business email compromise is the highest-value cyber threat facing Melbourne law firms. Here's exactly how it works and what stops it.

Business email compromise (BEC) targeting law firms isn’t a vague threat — it’s a well-documented, high-frequency fraud pattern with average per-incident losses in Australia that regularly exceed $100,000 and frequently reach $500,000 or more. Melbourne conveyancing firms, in particular, are a primary target.

This article explains exactly how BEC attacks against law firms work, why the losses are so large, and what the technical and procedural controls look like that actually stop it.

What Business Email Compromise Is

Business email compromise is a category of fraud where an attacker impersonates a trusted party in an email exchange to redirect a payment or extract information. Unlike phishing attacks that use malicious links or attachments, BEC relies entirely on trust — the email looks legitimate, comes from a trusted address, and contains a plausible instruction.

For law firms, the typical scenario is a conveyancing settlement. The attacker — having either spoofed your domain or compromised an email account — sends a message to the purchaser or their solicitor in the days before settlement, updating the bank account details for the settlement funds. The instruction looks like it came from your firm. The recipient transfers the money. The funds are gone.

There is no malware to detect. No suspicious link to click. No attachment to scan. The attack succeeds purely because the email appears authentic.

Why Law Firms Are the Primary Target

Law firms combine two characteristics that make them uniquely attractive for BEC attacks:

They handle very large, time-sensitive transactions. Settlement funds for residential property transactions regularly exceed $500,000. The transactions happen under time pressure — a redirected payment discovered after settlement is almost impossible to recover because funds move offshore within hours.

They communicate regularly with counterparties about payment details. Clients, agents, solicitors on the other side, lenders, and PEXA all exchange payment information and bank account details as part of normal conveyancing operations. An instruction to update a bank account is not inherently suspicious — it is routine.

Australian law firm BEC incidents are tracked by the ACCC’s Scamwatch and ACSC. Conveyancing-related BEC is consistently among the highest-value categories of business fraud in Australia year-on-year.

How the Attack Is Delivered

BEC attacks targeting law firms use one of two delivery methods:

Domain Spoofing

The attacker sends an email that appears to come from your domain but doesn’t. They spoof the From address to display as partner@yourfirm.com.au while the actual sending domain is something like yourfirm-au.com or an entirely unrelated server.

Without DMARC enforcement at your domain, this is trivially easy. Any attacker can configure their email server to send mail claiming to be from any address — there is no verification required by default. Recipients see your firm’s name and address and have no indication the email isn’t genuine.

Account Compromise

More sophisticated attacks involve actually compromising a staff member’s Microsoft 365 account — typically through a successful phishing attack on that individual, or through credential stuffing using a password that appeared in a prior data breach. The attacker then monitors the compromised inbox, waits for an active matter with a pending settlement, and sends the fraudulent payment instruction from the genuine account.

Account compromise attacks are harder to detect because the email genuinely comes from your domain and your mail infrastructure. Technical email authentication controls won’t stop it — the attack must be addressed with MFA enforcement, anomalous login detection, and staff training.

DMARC: The Primary Technical Control

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that tells receiving mail servers what to do with messages that fail authentication checks.

DMARC works in conjunction with two other protocols:

  • SPF (Sender Policy Framework): Lists which mail servers are authorised to send email on behalf of your domain
  • DKIM (DomainKeys Identified Mail): Cryptographically signs outbound email with a key published in your domain's DNS, so recipients can verify the message was signed by your domain and hasn't been altered in transit

When DMARC is set to p=reject, any email claiming to be from your domain that fails both SPF and DKIM verification is rejected before it reaches the recipient’s inbox. The attacker’s spoofed email never arrives.
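As an added illustration (not the article's own code or a production DMARC implementation), here is a simplified Python model of the decision a receiving server makes: DMARC passes when either SPF or DKIM passes for a domain aligned with the From-header domain, and only when both fail does the published p= policy apply. The domain names are the article's examples; the tiny public-suffix subset is an assumption made to keep the example short.

```python
# Tiny public-suffix subset used only for this example. Real DMARC checkers
# use the full Public Suffix List to find the organisational domain
# ("yourfirm.com.au", not "com.au").
PUBLIC_SUFFIXES = {"com.au", "net.au", "org.au", "com", "net", "org"}


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record like 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain: the label directly above the public suffix."""
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str, spf_pass: bool,
                      spf_domain: str, dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass' or the published policy ('none', 'quarantine', 'reject').

    DMARC passes when EITHER an aligned SPF check or an aligned DKIM signature
    passes. Only when both fail is the p= policy applied, so a spoofed message
    whose SPF passes for the attacker's own envelope domain (yourfirm-au.com)
    still fails, because that domain is not aligned with the From header."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```

With p=none the same spoofed message returns "none", which is why monitoring mode delivers it unchanged.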

Why Monitoring Mode Isn’t Enough

DMARC has three policy settings: none (monitoring only), quarantine, and reject. Many Melbourne law firms have DMARC published in monitoring mode — it generates reports about mail sources, but it does nothing to block spoofed email. A firm can have DMARC configured for years in monitoring mode and remain completely vulnerable to domain spoofing attacks.

Moving to p=reject requires first identifying every legitimate source of email from your domain — your mail server, marketing platforms, practice management systems that send automated email, court notifications, and so on — and ensuring they are all properly authorised via SPF and DKIM. Done incorrectly, a p=reject policy can cause legitimate email to bounce. Done correctly, it stops domain spoofing completely.
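To make the "identify every legitimate source" step concrete, here is an added Python example (not from the article or CX IT Services) that summarises a constructed DMARC aggregate report, the XML that DMARC's rua= reporting delivers to the domain owner, and lists the sending sources that would start bouncing once the policy moves to p=reject. The report content and IP addresses are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (RUA) report, not a real one; IPs are from
# reserved documentation ranges and the domain is the article's example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>yourfirm.com.au</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>412</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourfirm.com.au</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourfirm.com.au</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>3</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourfirm.com.au</header_from></identifiers>
  </record>
</feedback>"""

def published_policy(xml_text: str) -> str:
    """The p= value the domain owner had published when the report was generated."""
    return ET.fromstring(xml_text).findtext("policy_published/p")

def summarise_report(xml_text: str) -> list:
    """One entry per sending source with the receiver's aligned DKIM/SPF verdicts."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim, spf = evaluated.findtext("dkim"), evaluated.findtext("spf")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim,
            "spf": spf,
            "dmarc_pass": dkim == "pass" or spf == "pass",  # either aligned identifier
        })
    return rows

def sources_needing_attention(xml_text: str) -> list:
    """Sources that would bounce under p=reject: classify each as a legitimate
    system (authorise it in SPF or have it DKIM-sign) or an unauthorised sender."""
    return [r for r in summarise_report(xml_text) if not r["dmarc_pass"]]
```

In this sample the 35-message source is the kind of entry that turns out to be a practice management system nobody added to SPF, while the 3-message source is the kind that reject is meant to block; the report alone cannot tell them apart, which is the methodical work the article refers to.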

This configuration work is what most firms skip or defer indefinitely. It is not technically complex, but it requires someone to actually do it methodically.

The Full BEC Defence Stack

DMARC at reject policy stops domain spoofing. It doesn’t stop account compromise, doesn’t stop an attacker who has gained access to a genuine mailbox, and doesn’t stop a staff member from being deceived by a compromised counterparty’s account. A complete BEC defence requires multiple layers:

Email Authentication (DMARC/SPF/DKIM)

As described above, this is the foundational control for domain spoofing prevention. It should be configured to p=reject on all domains used by the firm, including any legacy domains that still appear in email signatures or on letterhead.

Microsoft Defender for Office 365

Microsoft 365 Business Premium and above includes Defender for Office 365 (Plan 1), which adds:

  • Safe Links: Rewrites and scans URLs in real time when clicked, not just when received
  • Safe Attachments: Detonates attachments in a sandbox before delivery
  • Anti-impersonation rules: Detects when external senders attempt to impersonate your partners, clients, or specific staff members by name

Anti-impersonation is particularly valuable for BEC scenarios where an attacker impersonates a known contact using a lookalike domain (petern@your-firm.com.au instead of petername@yourfirm.com.au). These attacks pass SPF and DKIM checks because the email genuinely comes from that domain — anti-impersonation catches the name match against your contacts.

Multi-Factor Authentication

MFA on all Microsoft 365 accounts closes the most common account compromise vector — credential theft. Even if an attacker obtains a staff member’s password through phishing or a credential breach, they cannot access the account without the second factor.

MFA should be enforced via Entra ID Conditional Access policies, not left as optional self-enrolment. Many firms have MFA nominally enabled but with significant gaps in coverage because it was rolled out as opt-in.

Staff Training — Targeted at the Right People

Conveyancing staff and anyone who handles settlement accounts are the primary BEC targets. General security awareness training is less effective than targeted training that uses realistic scenarios specific to their role — simulated phishing emails that mimic the exact type of BEC attack described above.

Staff should also be trained on the procedural control: any change to bank account details for a settlement must be verbally verified by phone to the known contact before acting on it, regardless of how legitimate the instruction appears.

Payment Verification Procedures

This is the procedural control that catches BEC attacks that slip past technical defences. Firms should implement a policy requiring callback verification — using a phone number previously on record, not a number provided in the suspicious instruction — before acting on any change to bank account details during an active settlement.

This procedure is simple, costs nothing to implement, and would prevent most successful BEC attacks if consistently followed. The challenge is maintaining the discipline under time pressure when a settlement is imminent and an instruction arrives that seems legitimate.

What Happens After a Successful BEC Attack

The immediate response is to contact your bank and attempt to recall the funds. In most cases, this fails — BEC funds are moved offshore through multiple accounts within hours. Recovery rates are very low.

Beyond the direct financial loss, the law firm faces:

  • Professional indemnity claim: The firm may be liable for the client’s loss, depending on the circumstances
  • LIV trust account audit: A BEC incident involving trust account funds triggers LIV scrutiny
  • Client notification obligations: Under the Privacy Act and professional conduct rules, affected clients must be notified
  • Reputational damage: High-value BEC incidents in legal practices are occasionally reported in legal industry media

Cyber insurance may cover BEC losses, but policy coverage for social engineering fraud varies significantly. Some policies require specific endorsements for BEC coverage that many firms do not carry.

Assessing Your Firm’s Current Exposure

To understand your current BEC exposure, run three quick checks:

  1. Check your DMARC policy: Enter your domain at dmarcian.com or a similar tool. If the result shows p=none or no DMARC record, your domain can be spoofed.
  2. Check your MFA coverage: Ask your IT provider or administrator how many active Microsoft 365 accounts do not have MFA enrolled. Any gap is an exposure.
  3. Review your payment verification procedure: Ask your conveyancing staff what they would do if they received an email during a settlement updating the settlement account details. If the answer is “action it if it looks legitimate,” the procedure is insufficient.

CX IT Services provides DMARC configuration, Microsoft 365 security hardening, and BEC-specific staff training for Melbourne law firms. Learn more about our cybersecurity for law firms service or visit our IT support for law firms hub to see the full picture. Book a Right Fit Call to discuss your firm’s current exposure.
