Rebootwe make IT work

Wire fraud aims at trust accounts

Last reviewed · July 14, 2026

Picture a Thursday closing. Funds due out at noon. Late the afternoon before, the buyer’s agent replies to the thread everyone has been on for weeks. Same subject line, same signature, same friendly sign-off: “Quick update: seller’s payoff account changed after their bank flagged the old one. Revised instructions attached. Can you confirm the wire still goes out by noon?”

The paralegal exhales. The change arrived before the deadline, on the real thread, from the person it should come from. The instructions get updated. The wire goes out on time.

The scene is a composite. The pattern it follows is a common one: wire fraud reaches a law firm as a well-timed reply.

Why the aim is at law firms

A trust account, IOLTA or otherwise, holds someone else’s money and sends it out in large single payments on instructions exchanged during the matter. That is also a precise description of what an attacker needs to happen exactly once. Closings and settlements add a deadline, so the urgency is already real; nobody has to manufacture pressure. And real estate matters are half-public. Listings, land records, and court dockets tell an outsider who the parties are and roughly where things stand; the mailbox supplies the rest, the dates and the payment instructions.

An email that appears to come from a lawyer gets acted on; people wire money on its say-so. In this scheme, your letterhead and your writing style are part of the disguise.

The FBI files this genre under business email compromise, and its guidance notes that every party in a real estate transaction gets targeted: agents, attorneys, title companies, buyers. The firm doesn’t have to be the one breached to be the one deceived.

The mechanism, start to finish

It starts well before the money moves, with a password. Someone on the transaction (at the firm, at the agency, at the title company) types their email password into a page that looked like the real login. If nothing but that password protects the mailbox, the attacker now reads everything in it, and keeps reading.

From inside, the attacker may add a mail rule: anything mentioning “wire,” “payoff,” or “closing” forwards a copy out, or lands in a folder the owner never checks. However long they stay, the mailbox behaves normally while they learn the matter: the parties, who answers quickly, who defers to whom, how the signatures look, when the money is scheduled to move.

The reply comes at the hour of maximum plausibility, late the day before or the morning of, and it arrives by one of two routes. If the attacker holds a real mailbox on the thread, the “updated instructions” simply arrive in-thread, from the true address. If not, they register a lookalike domain and count on nobody reading character by character; the FBI’s own example is john.kelly@ versus john.kelley@, one letter doing all the work. Either way the contents are the same: a new account number, a real bank’s name, a plausible reason for the change, and a nudge tied to a deadline that already existed.

The wire goes to an account the attacker controls and is moved onward from there. Because every step so far looked like normal correspondence, the fraud may not be discovered until someone downstream asks where the money is.

Basic filters read most of this as ordinary email and let it pass. Detection tuned for behavior catches more: a new forwarding rule, a login from the wrong country, a domain registered last Tuesday. Nothing in the scheme requires malware; patience does most of the attacker’s work.

It runs the other direction too. The same playbook aims at your clients with your name on it: a buyer receives what looks like the firm’s wiring instructions, sent from a domain one letter off yours. Nothing of yours was breached, and the client’s money still leaves on the strength of your letterhead.

Five habits a small firm can keep

None of the five is expensive and none is clever. Each interrupts a specific step of the mechanism above, and a five-lawyer firm can hold all five every week of the year; ambitious programs get abandoned by March.

The callback. Every payment instruction, and every change to one, gets verified by voice before money moves: call a number the firm already had (from intake, from the engagement letter, from the bank’s own website) and confirm the payee, the account digits, and the reason for any change. Never on a number the email provides. The habit has a name worth knowing when you interview providers: out-of-band verification, confirming on a channel the message didn’t arrive on. Make the rule unconditional, every first-time instruction and every change, no exceptions for people you know; a rule with exceptions gets skipped at 4:55 on a Friday. And know what the callback does: it exposes altered instructions. It does not replace mailbox security, dual control, or the bank’s own checks, which is why it travels with the other four. Whoever runs your email protection, the first question worth asking is who does the callback, and from which number on file.

MFA on email. A stolen password alone should not open a mailbox where wire instructions live; multi-factor authentication is what makes that true. It blocks the stolen-password route into the scheme. It does not stop a lookalike domain, and a well-built phishing page can still steal a signed-in session, which is why the callback stays unconditional even after MFA is on.

Dual control on trust money. The person who enters a disbursement is not the person who releases it, and a change to payee details needs the second set of eyes too. Ask your bank what it can enforce on its side of the same rule.

A domain that’s hard to fake. DMARC, an email-authentication policy, asks receiving mail systems to reject messages that claim to be your exact domain and fail authentication; at enforcement it makes your own name hard to forge. It does nothing about the one-letter-off cousins, so pair it with a watch on newly registered lookalikes. Technical to set up, mostly quiet afterward, though the reports deserve a look now and then.

A written understanding with your bank. Wire limits, who may initiate, callback procedures, what the bank verifies before releasing a payee change: ask which of these your bank supports, and agree on the set in writing while nothing is wrong.

Put the warning in writing

One sentence in the engagement letter and the closing instructions covers the reverse play. Something like: “We will not change our wiring instructions solely by email. If you receive a change, call us at the number on this letter before sending anything.” Ask counsel to tailor the wording to how the firm actually operates, and use it only if the firm follows it every time. What it buys: a client who receives the lookalike version has a reason to pause, and the file shows you warned them in writing.

If it happens: the first hour

Treat what follows as orientation: your bank, your carrier, coverage counsel, and ethics counsel give the binding instructions, and their word beats this page. The order is worth knowing before you need it.

The bank calls come first. Call your bank immediately, on a number you already have for it, report the fraud, and follow its recall process. Ask whether it will contact the receiving bank to request a freeze on whatever remains. A recall is a request, not a right; what comes back usually depends on funds still sitting in the account when the freeze lands, and that window is short.

The FBI, the same day. File at ic3.gov. The FBI’s Internet Crime Complaint Center runs a Recovery Asset Team that works with financial institutions to freeze fraudulently transferred funds, and for large international wires there is a further recovery process beyond it. Criteria and routing change over time; don’t study eligibility while the clock runs. Report promptly and follow the site’s current instructions.

Your insurer, on the policy’s terms. Cyber and crime policies carry notice conditions, and the channel matters: notify the way the policy says to notify, on the policy’s deadline. A call to your broker may or may not satisfy the carrier’s notice clause; if you’re not sure notice has properly landed, ask coverage counsel.

The mailbox question. Determine whether the attacker was inside a firm mailbox or only imitating one from outside. If they were inside, client confidences may have been exposed, and that raises duties beyond the money. ABA Formal Opinion 483 addresses a lawyer’s obligations after a breach, including acting promptly to stop and investigate it and communicating with clients where required. Connecticut’s breach-notification statute can apply where covered personal information about residents is involved, and it runs on its own definitions, exceptions, and deadlines. What applies in your case, and on what clock, is a first-week conversation with ethics counsel and your carrier.

Write the timeline down while it’s fresh: times, who said what, which emails. The bank, the carrier, and counsel will each ask for it; the version written on day one is the one that holds up.

Every option above works better in the first hours than in the first days, which is the argument for the habits. The version of this story that goes well is short: the reply lands, the paralegal dials the agent’s number from the matter file and hears, “What change?”


If you don’t know whether a changed payment instruction could clear your firm today without a callback to a number on file, that’s the fifteen-minute conversation to have: book a call. We’ll walk the email and detection side with you, and hand you the questions that belong to your bank and your counsel.

Built for the desks we describe here →Book a 15-minute call →