
BEC Attacks: How Attorney Impersonation Works

May 10, 2018 by Pedro Tavares

Cases of attorney impersonation are on the rise, and they are often accompanied by fraudulent requests for money or sensitive information. Techniques such as email address spoofing, in which a sender address is forged to convince contacts to click on links or expose themselves to similar online risks, are increasingly common.

This article focuses on attorney impersonation, depicting one of the most critical variants of social engineering schemes in the business email compromise (BEC) landscape.


Identifying the Target

Undoubtedly, executives are the best impersonation targets for cybercriminals. They commonly issue orders involving large sums of money or critical and sensitive data, and their orders are obeyed, sometimes without any question. Cyber attackers have learned to take advantage of this opportunity.

To carry out this crime, scammers go to great lengths to compromise or spoof company emails or to use social engineering to assume the identity of the CEO, executive, company attorney, trusted vendor or customer. The criminals do their homework to develop a good understanding of the victim's normal business practices.

How Attorney Impersonation Works

The scam is performed by compromising legitimate business email accounts, through social engineering or computer intrusion techniques, in order to conduct unauthorized transfers of funds. Many times the attack starts with an executive as the apparent initiator of the malicious request: the executive's email account is accessed by crooks and the request is sent from the hacked or spoofed address (more information about account compromise can be found in this article).
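The article notes that the request arrives from a hacked or spoofed address. As an added example that is not part of the original article, the Python below runs the header checks a mail gateway or SOC triage script would apply to an inbound message: a known executive's display name on an external address, a lookalike sender domain, a Reply-To pointing at a different mailbox, and the urgency and confidentiality language the scam relies on. The company domain, the executive list and both sample messages are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and its known executives.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Words that recur in attorney-impersonation pretexts (a constructed, non-exhaustive list).
PRESSURE_WORDS = ("urgent", "confidential", "time-sensitive", "wire", "transfer")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(raw: str) -> list:
    """Return a list of BEC indicators found in a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    name_key = from_name.strip().lower()

    # 1. Display-name spoofing: an executive's name on an address we do not know for them.
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        findings.append(
            f"display name '{from_name}' does not match known address {EXECUTIVES[name_key]}"
        )

    # 2. Lookalike sender domain: close to ours, but not ours.
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain '{from_domain}' resembles '{INTERNAL_DOMAIN}'")

    # 3. Reply-To redirected to a mailbox the attacker controls.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To '{reply_addr}' differs from From '{from_addr}'")

    # 4. Pressure language in subject or body (text/plain parts only).
    if msg.is_multipart():
        body = " ".join(
            p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"
        )
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    return findings


def needs_out_of_band_verification(raw: str) -> bool:
    """Two or more indicators: route the request to a phone or in-person check."""
    return len(assess_message(raw)) >= 2


# Constructed sample messages for this example.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: attorney.office@mail-example.net
To: junior@example.com
Subject: Confidential acquisition - urgent

Our outside attorney will contact you shortly about a time-sensitive wire transfer. Keep this confidential.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: junior@example.com
Subject: Lunch on Friday

Shall we meet at noon?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", assess_message(sample) or "no indicators")
```

None of these checks proves fraud on its own; the point is to flag a message for the out-of-band verification the article recommends rather than to block it silently.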

At the time of receiving the contact, several situations can happen, but two of the most common are:

  • Situation A: Employee receives an email from the CEO or company executive, claiming to be handling a confidential or time-sensitive transaction.
  • Situation B: Employee receives an email directly from an attorney, who is impersonated by crooks.

The cyber attacker concocts a story in which the company is in the process of acquiring something very important and the issue is time-sensitive and confidential. This is the "perfect opportunity" for the unassuming junior employee to shine.

Cyber attackers usually exploit one of these two situations. Note that these are not the only possible situations, but they are the most common in attorney impersonation.

Situation A

The cyber attacker compromises an executive's account and sends an email to an employee. The email states that the employee will be contacted by an attorney later and that they have been included in a confidential or time-sensitive transaction.

Later, the employee is contacted, usually via email, phone call or SMS, and informed about the case and the next steps.

In this approach, the attacker uses the compromised executive account to lend credibility to the malicious scheme. The setup is so elaborate that the employee does not doubt its legitimacy.

Situation B

This is the most common scenario used in an attorney impersonation scheme. The attacker contacts the employee directly as an attorney, stating that the employee is being included in an important case for the company — there is no time to fail! The process then unfolds until the request is fulfilled by the employee.

In fact, the situation depicted here describes the general format of this type of social engineering attack, which aims to transfer funds to an account controlled by the attacker or to obtain sensitive company information.

Final Thoughts

Security awareness training is one of the most effective tools for fighting attorney impersonation and other types of BEC scams. The business email compromise scam has caused companies and organizations to lose billions of dollars. However, as sophisticated as the fraud is, there is an easy solution to thwart it: using face-to-face or voice-to-voice communications.

According to the FBI, "The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO's office or speaking to him or her directly on the phone."

Here are a few tips to help protect your organization against BEC attacks:

  • Train all employees about the risks and signs of BEC attacks. Attack simulations are a great way to educate teams about how BEC attacks work.
  • Ask all employees to question and verify all confidential requests, especially those deemed urgent by the CEO or attorney.
  • Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary — and do not be afraid to talk to colleagues about these cases.


Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.