Cases of attorney impersonation are on the rise, and they are often accompanied by fraudulent requests for money or sensitive information. Techniques such as email address spoofing, in which a sender address is forged to convince contacts to click on links or expose themselves to similar online risk, are increasingly common. This article focuses on attorney impersonation, one of the most critical variants of social engineering in the business email compromise (BEC) landscape.
Identifying the Target
Undoubtedly, executives are the best impersonation targets for cyber criminals. They commonly issue orders involving large sums of money or critical and sensitive data, and their orders are obeyed, sometimes without any question. Cyber attackers have learned to take advantage of this opportunity.
To carry out this crime, scammers go to great lengths to compromise or spoof company emails or to use social engineering to assume the identity of the CEO, executive, company attorney, trusted vendor or customer. The criminals do their homework to develop a good understanding of the victim’s normal business practices.
How Attorney Impersonation Works
The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques and then using them to request unauthorized transfers of funds. Many times, the attack starts with an executive appearing as the initiator of the malicious request: the executive's email account is accessed by the crooks, or spoofed, and the request is sent from that hacked or spoofed address (more information about account compromise can be observed in
When the contact is received, several situations can arise, but two of the most common are:
- Situation A: Employee receives an email from the CEO or company executive, claiming to be handling a confidential or time-sensitive transaction.
- Situation B: Employee receives an email directly from an attorney, who is impersonated by crooks.
The cyber attacker concocts a story in which the company is in the process of acquiring something very important and the issue is time sensitive and confidential. This is the “perfect opportunity” for the unassuming junior employee to shine. Figure 1 represents the two most commonly seen scenarios in BEC attacks.
Figure 1: Two attorney impersonation scenarios frequently used in BEC attacks.
Cyber attackers usually take advantage of the two situations presented in Figure 1 above. Note these are not the only two possible situations, but they are the most common in terms of attorney impersonation.
In the first scenario (Situation A), the cyber attacker compromises an executive's account and sends an email to an employee. The email states that the employee will be contacted by an attorney later and that he or she has been included in a confidential or time-sensitive transaction.
Later, the employee is contacted, usually via email, phone call or SMS, and is informed about the case and the next steps.
In this approach, the attacker uses the involvement of an executive's account to lend weight to the malicious scheme. The setup is so elaborate that the employee does not doubt its legitimacy.
The second scenario (Situation B) is the most common one used in attorney impersonation schemes. The attacker contacts the employee directly, posing as an attorney and stating that the employee has been included in an important case for the company, with no room for error. The process then unfolds until the request is fulfilled by the employee.
The situation depicted here describes the general format of this type of social engineering attack, which aims to transfer funds to an account controlled by the attacker or to obtain sensitive company information.
Security awareness training is one of the most effective tools for fighting attorney impersonation and other types of BEC scams. The business email compromise scam has caused companies and organizations to lose billions of dollars. However, as sophisticated as the fraud is, there is an easy solution to thwart it: using face-to-face or voice-to-voice communications.
According to the FBI, “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.”
Here are a few tips to help protect your organization against BEC attacks:
- Train all employees about the risks and signs of BEC attacks. Attack simulations are a great way to educate teams about how BEC attacks work.
- Ask all employees to question and verify all confidential requests, especially those deemed urgent by the CEO or attorney.
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary — and do not be afraid to talk to colleagues about these cases.
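To support the scrutiny step above, here is an added example (not part of the original article) of a mail-filter heuristic that scores an inbound message on the signals the two scenarios rely on: an executive's display name on an address that is not theirs, a lookalike sender domain, a Reply-To pointing elsewhere, and the confidential/time-sensitive/attorney/transfer wording. The company domain, executive roster and sample message are constructed for the demonstration.

```python
import email
import email.utils
import difflib

# Constructed example values: a fictional company domain and executive roster.
TRUSTED_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
# Wording the article describes: confidential, time-sensitive, attorney-driven money requests.
PRESSURE_TERMS = ("confidential", "time-sensitive", "time sensitive", "urgent",
                  "attorney", "wire", "transfer", "acquisition")


def lookalike(domain):
    """True if domain closely resembles the trusted domain but is not it (e.g. one char swapped)."""
    if domain == TRUSTED_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, TRUSTED_DOMAIN).ratio() > 0.85


def score_message(raw):
    """Return (score, reasons) for a raw RFC 5322 message; a higher score is more BEC-like."""
    msg = email.message_from_string(raw)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    _, reply = email.utils.parseaddr(msg.get("Reply-To", ""))
    key = name.strip().lower()
    from_dom = addr.rpartition("@")[2].lower()
    reasons = []
    # Display name of a known executive on an address that is not the executive's own.
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        reasons.append("executive display name on foreign address")
    if lookalike(from_dom):
        reasons.append("lookalike sender domain")
    # Replies silently redirected to a mailbox the attacker controls.
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        reasons.append("reply-to domain differs from sender")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [t for t in PRESSURE_TERMS if t in text]
    if len(hits) >= 3:
        reasons.append("pressure wording: " + ", ".join(hits))
    return len(reasons), reasons


# Constructed sample in the Situation A shape: a spoofed executive announcing an attorney.
SAMPLE = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jdoe@freemail.invalid
Subject: Confidential acquisition - time sensitive
To: junior@example-corp.com

An attorney will contact you shortly about the wire transfer. Keep this confidential.
"""
```

A score of 2 or more is a reasonable threshold to hold the message for the out-of-band verification the FBI recommends; the sample above scores 4.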
References
- How Business Email Compromise Attacks Work: A Detailed Case Study, InfoSec Institute
- Business E-mail Compromise: the 3.1 Billion Dollar Scam, FBI
- As Email Fraud Diversifies, DMARC Protects Employees and Consumers, DMARC
- Cyber-Enabled Financial Fraud on the Rise Globally, FBI
- BEC Attacks to Exceed $9B in 2018, Prince Law Offices
Article published in Infosec Institute by Pedro Tavares
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.