Wire Transfer Hijack: New Social Engineering Technique Targets Law Firms

Here at SOCBOX, we recently witnessed a new avenue for targeting law practices via social engineering. The cybercriminals would have made off with a nice payout; the only thing that stood in their way was a sharp-eyed attorney who knew what to look for.

As we dive into the details, keep these top-line takeaways in mind:

  • Law firms and individual attorneys are a tempting target because of the high value and nature of the work involved
  • Once cybercriminals have infiltrated an organization, they can be very patient, watching and waiting, and will only attempt the crime when they see a clear opportunity and understand how the organization operates
  • Online thieves are willing to put forth a lot of effort to create a deception if the payoff is big enough


The Scenario: Follow the Money

SOCBOX took part in an investigation involving three separate law firms that were communicating with each other about a particular case. A long thread of emails had gone back and forth between multiple attorneys. When a settlement amount was agreed upon, the topic turned to arrangements for a wire transfer of funds between two of the firms. This included directions and an account number for sending the funds. Shortly thereafter, an email arrived, saying, in short, ‘Please don’t wire the funds to the account we gave you earlier. The accounting department gave us new directions; please wire it to this account instead.’

As you might have guessed, this last email was a forgery, directing the firm to wire the funds to an account controlled by the thieves. They had covered their tracks carefully. The email contained the entire thread, including the signatures and quoted text duplicated perfectly, character-for-character. It appeared to come legitimately from the law firm that was to receive the funds.

[Image: fake wire transfer request via a disguised email address]

Client and company names have been changed for privacy.

How They Pulled It Off

Of the three firms that were involved, one was to send the funds, one to receive the funds, and there was a third-party firm that was also included in the email thread.  The thieves had the login credentials for the email account of the involved attorney at the third-party firm. They either successfully phished the password or simply purchased the credentials on the dark web. They had been logging in regularly and reading the attorney’s inbox, waiting for the right moment to strike. The impending wire transfer presented the perfect opportunity.

Within a few hours, they purchased a lookalike domain name for the recipient firm and created a counterfeit email account for the domain, masquerading as the recipient firm’s attorney. They set up the account through Google Apps to get around any reputation-based spam filters that the firms might be using. Then they injected their own response into the thread.

Note that this isn’t your typical scam email that comes from out of the blue asking for a funds transfer. This was a legitimate wire transfer that was scheduled to happen. The knowledge from the compromised account and a bit of social engineering put the criminals in a position to intercept and redirect it.


Did They Get Away With It?

Almost. The attorney for the firm that was to send the funds noticed that the recipient firm’s email domain had a character missing and picked up the phone. She called her counterpart at the recipient firm, and upon receiving confirmation that the attorney hadn’t sent it, uncovered the trap.

This was a close call. The stakes are especially high for legal practices. The thieves could have been logging into the mailbox regularly, lurking and waiting for an opportunity for weeks or even months. They were privy to every email that the attorney had sent or received, and were able to read all kinds of privileged information about the firm’s clientele. The wire transfer was too good an opportunity to pass up, since intercepting it would result in an immediate cash payout. But the sensitive personal information they had access to could be used for an extremely effective spear-phishing attack, if not outright extortion.


How Could the Episode Have Been Prevented?

The compromised mailbox of the third-party firm provided the opportunity for the criminals. This firm was not a SOCBOX client. Had they been, they would have had protections in place. Monitoring the mailbox would have uncovered the unusual access patterns; the mailbox was being accessed from two different locations, and at times there were two logins to the mailbox at the same time. Either scenario would have triggered an alert.  We also monitor the dark web for stolen credentials on behalf of our clients.
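The two access patterns described above, sign-ins from a second location and simultaneous sessions, can be detected from a mailbox sign-in log. The following is an added example, not SOCBOX's own tooling; the log format, mailbox name and location labels are constructed for illustration.

```python
from datetime import datetime

# Constructed sign-in log: timestamp, event, mailbox, session id, source location
SAMPLE_LOG = """\
2024-03-04T09:00:00 login  attorney@thirdparty.example s1 office
2024-03-04T12:30:00 logout attorney@thirdparty.example s1 office
2024-03-04T13:00:00 login  attorney@thirdparty.example s2 office
2024-03-04T14:10:00 login  attorney@thirdparty.example s3 remote-unknown
2024-03-04T14:40:00 logout attorney@thirdparty.example s3 remote-unknown
2024-03-04T17:00:00 logout attorney@thirdparty.example s2 office
2024-03-05T02:15:00 login  attorney@thirdparty.example s4 remote-unknown
2024-03-05T02:45:00 logout attorney@thirdparty.example s4 remote-unknown
"""

def find_alerts(log_text, usual_locations):
    """Flag sign-ins from an unusual location and sessions that overlap
    with an open session from a different location."""
    alerts = []
    open_sessions = {}  # mailbox -> {session id: location}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, mailbox, sid, loc = line.split()
        when = datetime.fromisoformat(ts)
        active = open_sessions.setdefault(mailbox, {})
        if event == "login":
            if loc not in usual_locations:
                alerts.append((when, mailbox, "unusual-location", loc))
            # Another session is still open from somewhere else
            if any(other != loc for other in active.values()):
                alerts.append((when, mailbox, "concurrent-session", loc))
            active[sid] = loc
        elif event == "logout":
            active.pop(sid, None)
    return alerts

if __name__ == "__main__":
    for when, mailbox, kind, loc in find_alerts(SAMPLE_LOG, {"office"}):
        print(when.isoformat(), mailbox, kind, loc)
```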

We strongly recommend using multi-factor authentication any time an email account is accessed from anywhere other than the corporate office. This would have made it significantly harder to use the stolen credentials.

Since this was ultimately a social engineering attack, user knowledge and vigilance are the best defense. And that’s where SOCBOX played a part in this episode: we provide security for the firm that was to send the wire transfer, and we’re proud to say that the sharp-eyed attorney who spotted the counterfeit domain name and acted on her suspicions is our client.
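The check the attorney made by eye, a sender domain that is almost but not exactly a known correspondent's domain, can also be automated. The following is an added example, not SOCBOX's own code; the domain names, the message and the distance threshold of 2 are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw_message):
    """Domain of the From address, ignoring the display name."""
    _, addr = parseaddr(message_from_string(raw_message)["From"])
    return addr.rpartition("@")[2].lower()

def check_sender(raw_message, known_domains, max_distance=2):
    """Return ("known" | "lookalike" | "unknown", matched domain or None)."""
    dom = sender_domain(raw_message)
    if dom in known_domains:
        return ("known", dom)
    for known in sorted(known_domains):
        if edit_distance(dom, known) <= max_distance:
            return ("lookalike", known)
    return ("unknown", None)

# Constructed data: domains already seen earlier in the thread
KNOWN = {"hartwell-legal.example", "sender-firm.example", "northbridge-law.example"}

# Constructed forged reply: one character missing from the recipient firm's domain
FORGED = (
    'From: "J. Doe" <jdoe@hartwel-legal.example>\n'
    "Subject: RE: Settlement wire instructions\n\n"
    "Please wire it to this account instead.\n"
)

if __name__ == "__main__":
    print(check_sender(FORGED, KNOWN))
```

A "lookalike" verdict on a message that changes payment instructions is the cue to verify by phone, as the attorney did.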


SOCBOX provides cybersecurity for law firms along with a wide range of services, including consulting, compliance audits, penetration testing, social engineering defense, remediation, and SOC-as-a-service. To learn more or schedule a consultation with one of our security engineers, contact us, email info@socbox.com, or call 877-284-7789.