Tags: phishing, law firms, business email compromise

The Email That Cost a Chicago Law Firm $200K

A real-world breakdown of how business email compromise works, why law firms are prime targets, and why the FBI's own numbers rank it among the most expensive cybercrimes in America.

Darius J Davis · March 21, 2026

This happened in Chicago. I'm not making it up.

Small firm. Six attorneys. Solid reputation. They'd been practicing for over 20 years. One of their paralegals got an email from what appeared to be opposing counsel in an active case. The email said "Updated settlement wiring instructions attached. Please forward to your client."

The paralegal forwarded it. The client wired the money to the account listed in the attachment. That account belonged to a criminal in Eastern Europe. Two hundred thousand dollars, gone in about 11 minutes.

The email address was off by one letter. One letter. Instead of @lawfirm.com it was @lawflrm.com. The "i" was replaced with a lowercase "L." In the font their email client uses, those two characters are nearly indistinguishable.

No malware was involved. No system was breached. No vulnerability was exploited. Someone just sent an email and it worked.

Business email compromise is one of the most expensive cybercrimes in America.

That's not hyperbole. The FBI's Internet Crime Complaint Center reported $2.9 billion in BEC losses in a single year. That's more than ransomware, and more than every other category it tracks except investment scams.

And those are just the ones that get reported. Most small businesses eat the loss quietly because they're embarrassed or don't even realize what happened until the real vendor calls asking where the payment is.

BEC works because it doesn't set off any technical alarms. There's no malicious attachment for your antivirus to catch. No suspicious link for your email filter to flag. It's just a normal-looking email with wrong information in it. The attack happens entirely in the gap between what the email says and what's actually true.

Why law firms specifically.

I work with a lot of law firms and I'll tell you exactly why they get targeted more than almost any other small business.

They move money. Real estate closings, settlement disbursements, trust account transfers. Large amounts on tight timelines. Attorneys are constantly emailing about wire transfers. It's part of the job.

They handle sensitive data. Client communications are privileged. Case files contain financial records, medical records, Social Security numbers. If an attacker gets into a law firm's email, they don't just get one person's data. They get every client's data.

They operate under time pressure. Deadlines are real. Courts don't care if you need another day to verify a wire instruction. That urgency is exactly what attackers exploit. "This needs to happen today" is the most dangerous sentence in a phishing email.

They trust email. The entire legal profession runs on email. Attorneys email opposing counsel, clients, courts, and vendors all day long. The volume makes it impossible to scrutinize every single message. Attackers know this.

Most small firms have no security training. I've walked into firms where the managing partner's password is on a sticky note on their monitor. Where the Wi-Fi password is the firm name. Where nobody has ever heard of multi-factor authentication. These aren't bad people. Nobody ever told them this stuff mattered.

How to protect your firm. Or any business that moves money.

Verify every wire instruction change by phone. Period. No exceptions. If a vendor, client, opposing counsel, or anyone else sends you updated banking details by email, you call them at a number you already have on file and confirm. Not the number in the email. A number you looked up yourself. Read the routing number and account number back to them digit by digit. This single rule would have prevented the $200K loss I described above.

Implement DMARC on your email domain. DMARC builds on SPF and DKIM: it tells receiving mail servers what to do with messages that claim to be from your domain but fail those checks (report only, quarantine, or reject), and it sends you reports on who is sending as you. Without it, anyone can send an email that appears to come from your domain and there's nothing stopping it from landing in someone's inbox. Start at p=none to learn which legitimate systems send as your domain, then move to p=quarantine and finally p=reject. One caveat: DMARC protects your exact domain. It does nothing against a lookalike like lawflrm.com, because the attacker owns that domain and can authenticate mail from it perfectly. Your clients are trusting that emails from you are actually from you. Don't let that trust be exploitable.
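To make the DMARC point concrete, here is an added example of my own, not code from the original post: it shows a monitoring-only record next to an enforcing one and audits any DMARC TXT record for the settings that leave a domain spoofable. lawfirm.com is the placeholder domain from the post; the records themselves are constructed for illustration.

```python
"""Audit a DMARC TXT record for the settings that leave a domain spoofable.

Added example, not code from the original post. The records below are
constructed for lawfirm.com, the placeholder domain the post uses. The real
record is published at _dmarc.<your-domain> once SPF and DKIM are in place.
"""

# Weak setting: DMARC is "deployed" but only asks for reports.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@lawfirm.com"
# Corrected setting: reject failing mail for the domain and its subdomains.
ENFORCING = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@lawfirm.com"


def dmarc_record_name(domain):
    """DNS name the TXT record has to live at."""
    return f"_dmarc.{domain}"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return (enforcing, findings).

    enforcing is True only when spoofed mail is quarantined or rejected for
    100% of messages, for the domain and its subdomains.
    """
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC record (v=DMARC1 missing); receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return False, ["p= tag missing or invalid; receivers fall back to p=none or ignore the record"]
    if policy == "none":
        findings.append("p=none only reports; spoofed mail still reaches inboxes")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; treated as 100 here, fix the record")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p (RFC 7489)
    if policy != "none" and subpolicy == "none":
        findings.append("sp=none: subdomains such as mail.lawfirm.com stay spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: you get no reports on who sends as you")
    enforcing = policy in ("quarantine", "reject") and pct >= 100 and subpolicy != "none"
    return enforcing, findings


if __name__ == "__main__":
    for label, record in (("monitor only", MONITOR_ONLY), ("enforcing", ENFORCING)):
        ok, notes = audit_dmarc(record)
        print(f"{dmarc_record_name('lawfirm.com')} [{label}] enforcing={ok}")
        for note in notes:
            print("  -", note)
```

To audit your own domain, pull the live record with `dig TXT _dmarc.yourdomain.com` and pass the quoted string to audit_dmarc. Remember what a passing result means: a message from lawflrm.com with a perfect DMARC record still gets through, because the record only vouches that the mail came from lawflrm.com.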

Train your staff on what BEC looks like. Show your paralegals, assistants, and office managers real examples. Not hypothetical ones. Show them actual BEC emails with the subtle differences highlighted. One changed letter in a domain name. A Reply-To address that doesn't match the From address. A slightly different signature block. A sense of urgency that doesn't match the situation.

Use a separate verification channel for financial transactions. If the request came by email, verify by phone. If it came by phone, verify by email. Never use the same channel to both receive and confirm a financial instruction. The phone number has to be one you already had on file, never one supplied by the request itself; caller ID can be faked as easily as a From address. This is basic operational security and it costs nothing.

Flag external emails. Most email systems can add a banner to the top of every email that comes from outside your organization. Something like "[EXTERNAL] This message originated outside the firm." It's a small visual cue that reminds people to be more careful, and it exposes the display-name trick, where the From name reads like a partner or client but the address behind it is an outside account. Takes 5 minutes to configure.
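The lookalike domains from the training paragraph and the internal/external split from the banner paragraph are the same check seen from two sides, so here is one added example of my own (not code from the original post) that does both: it reduces each sender domain to a confusable-insensitive "skeleton" so that lawfirm.com and lawflrm.com compare equal, catches one-edit typos and clipped top-level domains, and sorts every From address into internal, trusted, lookalike or external. lawfirm.com is the post's placeholder; smallfirm.example, titlecompany.example and all the sample headers are constructed for illustration.

```python
"""Flag sender domains that look like a trusted counterparty's domain.

Added example, not code from the original post. lawfirm.com is the
placeholder domain from the post; every other domain, the trusted list and
the sample From headers are constructed for illustration.
"""
import unicodedata

# Characters that render alike in common fonts, each mapped to one
# representative so that "lawfirm" and "lawflrm" produce the same skeleton.
SINGLE_CONFUSABLE = {
    "i": "l", "1": "l", "|": "l", "!": "l",      # the i / l swap from the post
    "0": "o", "5": "s", "3": "e", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0443": "y",  # Cyrillic er, es, u
}
# Two-character sequences that imitate a single letter.
MULTI_CONFUSABLE = {"rn": "m", "vv": "w", "cl": "d"}


def skeleton(domain):
    """Reduce a domain to a confusable-insensitive form (in the spirit of UTS #39)."""
    d = unicodedata.normalize("NFKC", domain).casefold()
    for seq, rep in MULTI_CONFUSABLE.items():
        d = d.replace(seq, rep)
    return "".join(SINGLE_CONFUSABLE.get(ch, ch) for ch in d)


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(header_value):
    """Extract the domain from a From: header, decoding punycode (xn--) labels."""
    addr = header_value.strip()
    if addr.endswith(">") and "<" in addr:          # "Display Name <user@domain>"
        addr = addr[addr.rfind("<") + 1:-1]
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # leave undecodable labels as they are; they still get compared
    return domain


def classify_sender(header_value, trusted_domains, internal_domain):
    """Return 'internal', 'trusted', 'lookalike of <domain>', 'external' or 'unparseable'."""
    domain = sender_domain(header_value)
    if not domain:
        return "unparseable"
    if domain == internal_domain or domain.endswith("." + internal_domain):
        return "internal"
    if domain in trusted_domains or any(domain.endswith("." + t) for t in trusted_domains):
        return "trusted"
    sk = skeleton(domain)
    for t in sorted(trusted_domains | {internal_domain}):
        tsk = skeleton(t)
        # Same skeleton (homoglyph swap), one edit away (typo, dropped letter,
        # clipped TLD), or the trusted name reused as a label inside another domain.
        if tsk == sk or osa_distance(sk, tsk) <= 1 or tsk.split(".")[0] in sk.split("."):
            return f"lookalike of {t}"
    return "external"


# Constructed sample: our own domain, two counterparties, and a batch of senders.
INTERNAL = "smallfirm.example"
TRUSTED = {"lawfirm.com", "titlecompany.example"}
SAMPLE_FROM_HEADERS = [
    "Jane Paralegal <jane@smallfirm.example>",
    "Opposing Counsel <j.doe@lawfirm.com>",
    "Opposing Counsel <j.doe@lawflrm.com>",       # i -> l, as in the post
    "Closing Desk <wires@lawfirrn.com>",           # rn -> m
    "Closing Desk <wires@lawfirm.co>",             # clipped TLD
    "Opposing Counsel <j.doe@l\u0430wfirm.com>",   # Cyrillic a
    "Docs <docs@lawfirm.com.secure-docs.net>",     # trusted name as a label
    "Clerk <clerk@cookcountyclerk.example>",
]


def triage(headers=SAMPLE_FROM_HEADERS):
    """Classify each header; anything marked lookalike goes to phone verification."""
    return {h: classify_sender(h, TRUSTED, INTERNAL) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:26} {header}")
```

The trusted list is the firm's own address book of counterparties, which is exactly the "number you already have on file" idea applied to domains. The check is deliberately noisy: it exists to force a phone call, not to block mail, so a false positive costs a minute and a false negative costs a wire.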

Get cyber insurance with BEC coverage. Not all policies cover social engineering losses. Some only cover "computer fraud" which technically excludes BEC because no computer was defrauded. A human was. Read the policy carefully. Make sure social engineering and wire fraud are explicitly covered.

This isn't about technology.

I keep coming back to this because it's the most important point. The $200K that firm lost wasn't a technology failure. Their firewall worked fine. Their antivirus was up to date. Their email was encrypted. None of that mattered because the attack targeted a person, not a system.

If your security strategy is "buy the right software and hope for the best," you're going to lose. The attacks that are costing small businesses real money right now are all people attacks. Social engineering. Phishing. Pretexting. Business email compromise.

The fix is training. Regular, realistic, specific to your industry. Not a checkbox. Not an annual video. Ongoing practice that builds the instinct to pause, verify, and question before acting.

We do this for law firms, medical practices, financial services, and every other small business in Chicago that handles sensitive data or moves money. The first conversation is free and there's no pitch.

(773) 417-9994 or southsidechisolutions.com
