Business Email Compromise Is the Biggest Cybersecurity Threat to Professional Services Firms
A wire transfer request lands in your inbox. It looks like it came from a client you have worked with for years — same name, same tone, same email signature. The request is urgent: move funds to a new account before end of day. Everything checks out. Except it does not. The email is a forgery, and the money is gone in minutes.
This is business email compromise (BEC), and it is the most financially damaging form of cybercrime targeting professional services firms right now.
What Is Business Email Compromise?
Business email compromise is a type of cyberattack where criminals impersonate a trusted contact — a client, a partner, a vendor, or an executive within your own firm — to trick someone into transferring money, sharing sensitive data, or changing payment instructions. Unlike ransomware, BEC does not rely on malware or encrypted files. It relies on trust.
Attackers study your firm’s communication patterns, monitor email threads, and strike at the exact moment a request seems routine. They may spoof an email address, compromise a legitimate account through stolen credentials, or register a domain that is one letter off from the real one.
The FBI’s Internet Crime Complaint Center (IC3) reported that BEC caused $2.77 billion in losses in 2024 alone, making it the second most costly form of cybercrime. Over the past decade, BEC losses have exceeded $55 billion globally.
Why Professional Services Firms Are Prime Targets
BEC is not random. Attackers choose their targets deliberately, and professional services firms check every box.
You Handle Other People’s Money
CPA firms process tax payments and manage client accounts. Law firms handle escrow, real estate closings, and settlement disbursements. Financial services firms move investment capital, fund loans, and facilitate deal transactions. Every one of those activities involves wire transfers — exactly the mechanism BEC attackers exploit.
You Operate on Trust and Urgency
Professional services run on tight deadlines. A tax filing deadline, a deal closing date, or a court-ordered payment creates pressure to act fast. Attackers know this. They time their fraudulent requests to coincide with moments when your team is most likely to process a payment without pausing to verify.
Your Firm’s Name Is Its Greatest Asset
A data breach or fraud event at a CPA firm, law firm, or financial advisory does not just cost money. It destroys client confidence. Clients trust you with their most sensitive information — tax returns, legal strategies, M&A data, financial statements. One successful BEC attack can unravel years of earned trust.
You Face Regulatory Consequences
- CPA firms must comply with IRS Publication 4557 and the FTC Safeguards Rule, both of which require documented security controls for client financial data.
- Law firms are bound by ABA Model Rules of Professional Conduct (particularly Rule 1.6) and state bar ethics opinions requiring reasonable efforts to protect client information.
- Financial services firms face oversight from the SEC, FINRA, DFPI, and CFPB — each with cybersecurity requirements. Institutional investors and limited partners now include IT security questions in their due diligence questionnaires.
A successful BEC attack can trigger regulatory scrutiny, audit failures, and malpractice exposure on top of the direct financial loss.
How to Protect Your Firm from Business Email Compromise
BEC is a human-targeted attack, which means your defenses need to address people, processes, and technology together. Here is where to start.
1. Verify Every Wire Transfer Request by Phone
Establish an ironclad policy: no wire transfer, payment change, or account update is processed based solely on an email. Every request must be verified through a phone call to a known number — not the number in the email. This single step stops the majority of BEC attacks.
2. Enable Multi-Factor Authentication on Every Account
Multi-factor authentication (MFA) prevents attackers from accessing email accounts even when they have stolen a password. MFA is now required by most cyber insurance carriers and several regulatory frameworks, including the FTC Safeguards Rule.
3. Implement Advanced Email Security
Basic spam filters are not enough. Look for email security solutions that include:
- Domain impersonation detection (flagging lookalike domains)
- AI-powered analysis of email behavior patterns
- Automatic quarantine of suspicious messages
- DMARC, DKIM, and SPF authentication to prevent domain spoofing
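As an added example (not code from the original article), the Python below shows the kind of lookalike-domain check the first bullet describes, together with a simple Reply-To mismatch check: the sender's domain is compared with a list of trusted domains using a confusable-character "skeleton" and an edit distance of one, and a Reply-To header whose domain differs from the From domain is flagged. The trusted domain list, the confusable table and the three sample messages are all constructed for illustration.

```python
"""Lookalike sender domain and Reply-To mismatch checks (added example).

Not code from the original article. TRUSTED_DOMAINS, the confusable table
and the sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains the firm actually corresponds with.
TRUSTED_DOMAINS = {"clientlaw.com", "example-cpa.com"}

# Character sequences that look alike in common fonts, mapped to one
# canonical form so "c1ientlaw" and "clientlaw" produce the same skeleton.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("|", "l"), ("5", "s"), ("3", "e")]


def skeleton(domain: str) -> str:
    """Canonical form of a domain with confusable sequences collapsed."""
    d = domain.strip().lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this domain imitates, or None if it is
    either trusted itself or not similar to any trusted domain."""
    d = domain.strip().lower()
    if d in trusted:
        return None
    for t in trusted:
        if skeleton(d) == skeleton(t) or edit_distance(d, t) <= 1:
            return t
    return None


def _domain_of(header_value: str) -> str:
    """Extract the lower-cased domain part of an address header."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: str) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = _domain_of(msg.get("From", ""))
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain!r} imitates trusted domain {target!r}")
    reply_domain = _domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
        target = lookalike_of(reply_domain)
        if target:
            findings.append(f"Reply-To domain {reply_domain!r} imitates trusted domain {target!r}")
    return findings


# Constructed sample messages (headers only matter for these checks).
LOOKALIKE = """From: Jane Doe <jane@c1ientlaw.com>
Subject: Updated wire instructions

Please use the new account below for today's closing.
"""

REPLY_TO_SWAP = """From: Jane Doe <jane@clientlaw.com>
Reply-To: Jane Doe <jane.doe@mail-clientlaw-secure.net>
Subject: Re: settlement

Can you confirm the wire went out?
"""

CLEAN = """From: Jane Doe <jane@clientlaw.com>
Subject: Re: settlement

Thanks, received.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("reply-to swap", REPLY_TO_SWAP), ("clean", CLEAN)):
        print(name, "->", analyze_message(raw) or ["no findings"])
```

The skeleton comparison catches substitutions an edit-distance threshold would miss once several characters are swapped at once, while the edit-distance check catches added or dropped characters; a production filter would also consult the registrable domain rather than the full hostname.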
4. Train Your Team Regularly
Security awareness training should happen quarterly, not annually. Focus on:
- Recognizing urgent or unusual payment requests
- Spotting subtle email address discrepancies
- Reporting suspicious emails immediately, without fear of being wrong
- Understanding that BEC emails often contain no malicious links or attachments — they look completely normal
5. Monitor for Compromised Credentials
If an attacker gains access to a real email account within your firm, they can intercept ongoing conversations and insert fraudulent instructions at the perfect moment. Dark web monitoring and credential compromise detection can alert you before an attacker uses stolen credentials against you.
6. Establish Financial Controls
Require dual authorization for any wire transfer above a set threshold. Separate the person who initiates a payment from the person who approves it. These internal controls create a second checkpoint that catches fraudulent requests even when the initial email looks legitimate.
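To show how the dual-authorization and separation-of-duties rules above become a concrete control, here is an added Python example that is not from the original article. It assumes a $10,000 dual-authorization threshold and a list of previously paid beneficiaries (both placeholder values), records the callback verification from step 1 as a precondition, treats any new beneficiary as requiring two approvers regardless of amount, and refuses to let the same person both initiate and approve a wire.

```python
"""Dual authorization and separation of duties for outgoing wires (added example).

Not code from the original article. The threshold, the beneficiary list and
the user names are placeholder values.
"""
from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD = 10_000                 # assumed: wires at or above this need two approvers
KNOWN_BENEFICIARIES = {"ACCT-ESCROW-0001"}   # assumed: accounts paid before and previously verified


class ControlViolation(Exception):
    """Raised when an action would bypass an internal control."""


@dataclass
class WireRequest:
    amount: float
    beneficiary: str
    initiated_by: str
    # Set only after a callback to a phone number already on file,
    # never to a number taken from the requesting email.
    callback_verified: bool = False
    approvals: list = field(default_factory=list)


def approvals_required(req: WireRequest) -> int:
    """Large wires and any new or changed beneficiary need two approvers."""
    if req.amount >= DUAL_AUTH_THRESHOLD or req.beneficiary not in KNOWN_BENEFICIARIES:
        return 2
    return 1


def approve(req: WireRequest, approver: str) -> None:
    """Record an approval while enforcing separation of duties."""
    if approver == req.initiated_by:
        raise ControlViolation("initiator cannot approve their own request")
    if approver in req.approvals:
        raise ControlViolation(f"{approver} has already approved this request")
    req.approvals.append(approver)


def release_decision(req: WireRequest):
    """Return (allowed, reason); funds move only when allowed is True."""
    if not req.callback_verified:
        return False, "callback verification to a number on file not recorded"
    needed = approvals_required(req)
    if len(req.approvals) < needed:
        return False, f"{len(req.approvals)} of {needed} required approvals"
    return True, "release approved"


if __name__ == "__main__":
    req = WireRequest(amount=250_000, beneficiary="ACCT-NEW-9999", initiated_by="alice")
    print(release_decision(req))   # blocked: no callback recorded
    req.callback_verified = True
    approve(req, "bob")
    print(release_decision(req))   # (False, '1 of 2 required approvals')
    approve(req, "carol")
    print(release_decision(req))   # (True, 'release approved')
```

Note that the release check is evaluated fresh at the moment of payment rather than cached, so a beneficiary change after approval (the classic BEC "updated account" email) sends the request back through the two-approver path.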
What to Look for in an IT Partner for BEC Protection
Not every IT provider understands the specific risks facing professional services firms. When evaluating a partner, ask:
- Do they configure and enforce DMARC, DKIM, and SPF on your email domain?
- Do they provide email security beyond basic spam filtering?
- Do they offer dark web monitoring for compromised credentials?
- Do they conduct regular phishing simulations tailored to your industry?
- Do they understand the regulatory requirements specific to your firm type — whether that is IRS 4557, ABA ethics rules, or SEC cybersecurity mandates?
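What "configure and enforce" means for DMARC and SPF can be checked from the published DNS TXT records. The following added Python example (not from the article, and not tied to any real provider) parses a DMARC record and an SPF record and reports the settings that leave a domain spoofable: p=none or p=quarantine, sp=none, pct under 100, a missing rua reporting address, an SPF record that ends in +all or ?all, or more than ten DNS-lookup terms. The sample records and domains are constructed.

```python
"""Grading published DMARC and SPF records for spoofing exposure (added example).

Not code from the original article. The sample records and domains are
constructed; your own records come from the TXT records at _dmarc.<domain>
and <domain>.
"""
import re

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)", re.I)


def parse_tag_record(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> list:
    """Return the settings that leave the domain spoofable (empty list = enforced)."""
    tags = parse_tag_record(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: receivers only report; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    if tags.get("sp", "").lower() == "none":
        issues.append("sp=none: subdomains are not covered by the policy")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports of who is sending as this domain")
    return issues


def grade_spf(record: str) -> list:
    """Return weak settings in an SPF record (empty list = enforced)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("+all: every host on the internet is authorized to send as this domain")
    elif last == "?all":
        issues.append("?all: neutral result, unauthorized senders do not fail SPF")
    elif last == "~all":
        issues.append("~all: softfail only; receivers may still deliver, DMARC must do the rejecting")
    elif last != "-all":
        issues.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms
                  if SPF_LOOKUP_MECHANISM.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms: over the limit of 10, receivers return permerror")
    return issues


# Constructed sample records: a monitoring-only pair next to an enforced pair.
WEAK_DMARC = "v=DMARC1; p=none"
ENFORCED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc-reports@example-cpa.com; adkim=s; aspf=s")
WEAK_SPF = "v=spf1 a mx include:mail.example-provider.net ?all"
STRONG_SPF = "v=spf1 include:mail.example-provider.net -all"

if __name__ == "__main__":
    for label, record, grader in (("weak DMARC", WEAK_DMARC, grade_dmarc),
                                  ("enforced DMARC", ENFORCED_DMARC, grade_dmarc),
                                  ("weak SPF", WEAK_SPF, grade_spf),
                                  ("strong SPF", STRONG_SPF, grade_spf)):
        print(label, "->", grader(record) or ["enforced"])
```

A provider that reports "DMARC configured" while the record still says p=none has only switched on reporting; the checklist question is answered "yes" only when the grader returns an empty list for both records.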
An IT partner who serves professional services firms should already know why BEC is your highest-priority threat and have a documented plan to address it.
The Bottom Line
Business email compromise is not a technology failure — it is a trust exploit. It targets the relationships, urgency, and financial workflows that define professional services. Protecting your firm requires a combination of verified processes, trained staff, and the right email security technology. The firms that take BEC seriously now will avoid the devastating financial and reputational losses that follow a successful attack.
Frequently Asked Questions
What is business email compromise and how does it work?
Business email compromise (BEC) is a cyberattack where criminals impersonate a trusted contact — such as a client, vendor, or executive — to trick someone into transferring funds or sharing sensitive information. Attackers typically study a firm’s communication patterns and exploit email to send fraudulent requests that appear legitimate. According to the FBI IC3, BEC caused $2.77 billion in reported losses in 2024.
Why are accounting firms, law firms, and financial services firms targeted by BEC?
These firms are targeted because they regularly handle wire transfers, manage sensitive client data, and operate under tight deadlines — all conditions that BEC attackers exploit. The combination of high-value transactions and trust-based relationships makes professional services firms particularly attractive to criminals. Regulatory obligations around client data protection also mean a successful attack can create compliance exposure beyond the direct financial loss.
How can a small professional services firm prevent business email compromise?
The most effective prevention measures include requiring phone verification for all wire transfer requests, enabling multi-factor authentication on every email account, deploying advanced email security with domain impersonation detection, and conducting quarterly security awareness training. Internal financial controls — such as dual authorization for wire transfers — add another layer of protection that catches fraudulent requests before money moves.