This is not phishing. It is something more patient.
Most security awareness training focuses on phishing: a link, a fake login page, a request to enter credentials. That threat is real, and it is the entry point for many incidents. But in professional services, the more damaging variant is what happens after that initial access is gained.
Business email compromise (BEC) in professional firms is not a smash-and-grab. It is a patient operation. An attacker who has gained access to a partner's or fee earner's mailbox does not immediately act. They read. They observe who the firm acts for, what matters are in progress, who controls client funds, and when a transaction is expected to complete.
Then, at a moment of their choosing, they introduce a fraudulent instruction. It arrives in the right thread, uses the right language, and is addressed to someone who has been dealing with the firm for months. The client transfers the funds. The fraud is rarely discovered until the real instruction arrives days later and the discrepancy surfaces.
Once funds have been transferred to a mule account, they typically move internationally within hours. UK Finance data consistently shows that the recovery rate for authorised push payment fraud of this kind is below 50%, and for complex BEC cases, substantially lower. The window to act is measured in minutes, not days.
Why professional services firms are specifically targeted.
Attackers follow value and access. Professional services firms offer both in unusual concentration.
High-value transactions are routine. A conveyancing solicitor handles completion funds every week. An accountancy firm submits payments on behalf of clients. A financial adviser coordinates fund movements. These are not exceptional events that might attract scrutiny: they are the ordinary business of the firm. A fraudulent instruction blends into the noise.
Email is authoritative. In most professional services relationships, an instruction from a partner or fee earner's known email address is treated as legitimate. There is rarely a secondary verification step for routine transactions. The attacker exploits the trust that has been built up over months or years of genuine correspondence.
The inbox is the entire relationship. Client matters, financial details, personal circumstances, legal positions, business strategies: in a professional services firm, the email chain is often the most comprehensive record of everything the client has shared. A compromised mailbox does not just expose one transaction. It exposes the full history of every matter the account holder is involved in.
Firms are under-resourced for detection. A large bank or insurer has security operations tooling that flags unusual login patterns, impossible travel, or unexpected rule changes within minutes. A 20-person accountancy firm or a 40-fee-earner legal practice almost never does. Compromises can persist for weeks before anyone notices.
How a mailbox compromise unfolds: step by step.
The pattern is consistent enough that it can be mapped as a sequence. Understanding each stage makes the controls at the end of this briefing easier to apply.
Initial access
Access is gained via a phishing email that harvests credentials, a credential stuffing attack using passwords leaked from another service, or a third party with delegated access to the target's account. The majority of initial compromises involve accounts without multi-factor authentication.
Silent observation
The attacker reads the inbox without taking any action. They identify active matters, payment patterns, the language the account holder uses, who their clients are, and what the forthcoming transaction calendar looks like. This phase can last days or weeks. No alerts fire because no unusual action has been taken.
Persistence and concealment
The attacker sets up a mail forwarding rule that sends copies of incoming messages to an external address, ensuring they keep visibility even if the original access is disrupted. They may also create rules that auto-delete certain incoming messages to conceal their activity from the account holder. A password change does not remove these rules, and if existing sessions are not fully revoked the attacker's live access survives as well.
Interception and instruction
At a moment of maximum plausibility, the attacker sends a payment instruction or intercepts a genuine one and substitutes fraudulent account details. The message arrives in the right thread, at the expected time, using the correct language and referencing the correct matter. The recipient has no reason to doubt it.
Discovery and impact
The fraud is typically discovered when the genuine instruction arrives and the client queries it, or when a payment confirmation does not match expectations. By this point the funds have moved. The firm now faces a regulatory obligation to notify the ICO if personal data was exposed, a potential SRA or FCA notification depending on structure, a client conversation, and an insurance claim that may or may not succeed depending on policy conditions. The technical incident takes hours. The consequences take months.
The confidentiality dimension: what most post-incident analyses miss.
When a mailbox compromise results in a successful payment diversion, the financial loss dominates the firm's response. That is understandable. But it is not the whole picture, and in professional services it is often not even the most significant part.
During the observation phase, the attacker has had unrestricted access to everything in the compromised inbox. In a solicitor's account, that might include conveyancing files, contested estate correspondence, personal injury case details, or commercially sensitive business transaction records. In an accountant's account, it might include management accounts, tax positions, shareholder disputes, and the personal financial circumstances of multiple individuals.
All of that data has been exfiltrated, whether or not the attacker chose to use it. The firm may not know what was read. The attacker may hold it, trade it, use it for follow-on fraud against the firm's clients, or deploy it in a targeted social engineering attack months later.
This creates a notification problem. Under UK GDPR, a personal data breach must be reported to the ICO within 72 hours of the organisation becoming aware, if it is likely to result in a risk to individuals' rights and freedoms. A mailbox containing client personal data, accessed without authorisation by a third party, almost certainly meets that threshold. The 72-hour clock starts from the point the firm becomes aware, not from the point it finishes investigating.
The ICO does not expect perfection. It expects reasonable controls and a proportionate response. Firms that have documented their security measures, notified promptly, and taken steps to contain the damage are treated differently from firms that had no controls and delayed notification. The documentation and the response matter as much as the incident itself.
For SRA-regulated firms, there is a further obligation to consider whether the Solicitors Regulation Authority should be notified depending on the nature of the matter affected. For FCA-regulated advisers, the FCA's incident reporting requirements may apply. None of these processes are simple, and none of them can be managed well under pressure without a pre-agreed procedure.
Five controls that reduce the risk substantially.
None of these require an internal IT department or enterprise-grade tooling. They are straightforward controls that close the most common attack pathways.
Multi-factor authentication on every email account
MFA is the single most effective control against credential-based mailbox compromise. If an attacker obtains a password, they cannot use it without the second factor. This includes every account in the firm: partners, fee earners, admin staff, shared mailboxes, and accounts used on mobile devices. Partial MFA deployment means partial protection. A firm where partners have MFA but admin staff do not has protected the wrong accounts: admin staff often have broader delegated access than their seniority suggests.
Out-of-band verification for all payment instructions
Any instruction to make a payment, change account details, or divert funds should be verified via a second channel before it is processed: a phone call to a known number taken from the firm's existing records, not a number provided in the email. This sounds obvious. It is also the control that is most consistently absent in firms that have been defrauded. The verification call should be a firm-wide policy, not an informal habit that relies on individual judgement under time pressure.
DMARC, DKIM, and SPF configured on your email domain
These three technical controls, which your IT provider or email host can configure in an afternoon, make it substantially harder for an attacker to send email that appears to come from your domain. They do not prevent compromise of a real account, but they reduce impersonation attacks where an attacker sends a fraudulent instruction from an address that merely looks like yours. DMARC also provides reporting that can alert you to spoofing attempts before they succeed.
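As an added illustration of what "configured" should mean for these records (example code, not from the briefing), here is a small checker that flags the weak settings; it assumes the record text has already been fetched from DNS and uses constructed sample records for a weak and a hardened domain.

```python
"""Flag the weak SPF and DMARC settings that leave a domain open to
impersonation. Added example, not from the briefing; the record strings
below are constructed sample input (the TXT record at the domain and at
_dmarc.<domain> in practice)."""

def check_spf(txt):
    """Return weaknesses found in an SPF record (empty list = acceptable)."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return ["no SPF record"]
    mechs = [m.lower() for m in parts[1:]]
    issues = []
    terminal = mechs[-1] if mechs else ""
    if terminal in ("+all", "all"):
        issues.append("'+all' lets any host send as the domain")
    elif terminal not in ("~all", "-all"):
        issues.append("no '~all' or '-all'; unlisted senders pass as neutral")
    return issues

def check_dmarc(txt):
    """Return weaknesses found in a DMARC record (empty list = acceptable)."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    if "rua" not in tags:
        issues.append("no rua= address, so the spoofing reports never arrive")
    return issues

# Constructed sample records: a weak pair beside a hardened pair.
WEAK = {"spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"}

def assess(records):
    """Run both checks over a {'spf': ..., 'dmarc': ...} pair."""
    return {"spf": check_spf(records["spf"]), "dmarc": check_dmarc(records["dmarc"])}
```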
Regular audit of mail forwarding rules and login locations
The persistence mechanism in most mailbox compromises is a forwarding rule. A quarterly review of all active forwarding rules across the firm's accounts will catch most of these before they cause damage. Look for any rule forwarding mail to an external address that was not set up by the account holder. Alongside this, enabling login notifications or reviewing login audit logs for unexpected locations and devices gives you early warning of a compromise before the attacker has taken action.
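An added example, not from the briefing, of the "unexpected locations" review in code: given exported sign-in events (constructed sample data; the field names are an assumption, not any product's export format) it flags sign-ins from outside the firm's expected countries and pairs of sign-ins that imply impossible travel.

```python
"""Triage exported sign-in events for the 'unexpected location' signals the
briefing describes: sign-ins from outside the countries the firm works in, and
two sign-ins too far apart for the time between them (impossible travel).
Added example, not from the briefing; the events are constructed sample data
and their field names are an assumption, not any product's export format."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EXPECTED_COUNTRIES = {"GB"}   # where the firm's staff normally sign in from
MAX_SPEED_KMH = 900           # faster than a scheduled flight

# Constructed sample: one partner, three sign-ins in a single morning.
SIGN_INS = [
    {"user": "partner@example-firm.co.uk", "time": "2024-03-04T08:02:00",
     "country": "GB", "lat": 51.5074, "lon": -0.1278, "device": "LAPTOP-01"},
    {"user": "partner@example-firm.co.uk", "time": "2024-03-04T08:55:00",
     "country": "NG", "lat": 6.5244, "lon": 3.3792, "device": "unknown"},
    {"user": "partner@example-firm.co.uk", "time": "2024-03-04T09:10:00",
     "country": "GB", "lat": 51.5074, "lon": -0.1278, "device": "LAPTOP-01"},
]

def distance_km(a, b):
    """Great-circle distance between two (lat, lon) points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def triage_sign_ins(events):
    """Return (user, finding) tuples that deserve a human look, oldest first."""
    findings, by_user = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for e in evs:
            if e["country"] not in EXPECTED_COUNTRIES:
                findings.append((user, f"sign-in from {e['country']} on device "
                                       f"{e['device']} at {e['time']}"))
        for prev, cur in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = max(gap.total_seconds() / 3600, 1 / 60)   # sub-minute gaps count as a minute
            km = distance_km((prev["lat"], prev["lon"]), (cur["lat"], cur["lon"]))
            if km / hours > MAX_SPEED_KMH:
                findings.append((user, f"impossible travel: {km:.0f} km in "
                                       f"{hours:.2f} h ending {cur['time']}"))
    return findings
```

Enabling login notifications catches the same events in real time; this pass is for the periodic review of exported logs the briefing recommends alongside them.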
Staff who recognise the pattern and know what to do
Controls one to four are technical and procedural. This one is human. Everyone in the firm who handles client communication or financial instructions should understand what a BEC attempt looks like and have a clear, specific route to report it without hesitation. That means a named person to contact, a process that does not involve embarrassment or blame, and the knowledge that acting on a suspicion quickly is always better than waiting to be certain. Most successful frauds contain a moment where someone almost stopped it.
MFA enforcement and out-of-band payment verification, consistently applied, would prevent the majority of successful BEC frauds against UK professional services firms. These are not complex controls. They are consistently absent because no one has made them a firm-wide requirement with a named owner.
If you think a compromise is happening right now.
First-hour priorities
If you suspect a mailbox has been compromised, or a fraudulent instruction has been sent or received, act in this order. Speed matters, but so does not making the situation worse.
Do these first:
- Call the intended recipient of any fraudulent instruction immediately. If a payment instruction has been sent, the recipient needs to be reached before they act on it. Every minute matters. Use a phone number you already have, not one from any recent email.
- Contact your bank's fraud team directly if any funds have already moved. Quote the account details the payment was sent to. Banks have a limited window to attempt a recall.
- Revoke all active sessions on the compromised account via your Microsoft 365 or Google admin console. This terminates any active attacker session. This is different from changing the password, which does not always expire existing sessions.
- Check and remove mail forwarding rules on the affected account before re-enabling access. The rule survives a password change and the attacker will retain visibility until it is deleted.
- Document what you know and when you knew it. Time-stamped notes are important for any ICO notification, insurance claim, or regulatory report that follows.
Do not do these:
- Do not delete emails, logs, or forwarding rules before preserving them. These are evidence. The ICO, your insurer, and any external investigator will need them. Screenshot and export before you delete.
- Do not simply change the password and continue. A password change without session revocation and a forwarding rule audit leaves the attacker's access mechanisms intact.
- Do not delay notifying the ICO while you wait for more certainty. If personal data was in the compromised mailbox, the 72-hour notification clock is running from the point you became aware of the breach, not from the point your investigation is complete. An incomplete early notification is better than a late one.
- Do not handle this entirely internally if the matter involves client funds, regulatory obligations, or potential litigation. Get specialist IR support involved early. The decisions made in the first 24 hours affect what you can recover, what you owe clients, and what you can tell regulators.
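For the forwarding-rule review in control four and the "check and remove mail forwarding rules" and "preserve before you delete" steps above, an added example (not from the briefing) that triages a mailbox's inbox rules for the persistence pattern described and produces a timestamped export first; the rules are constructed sample data shaped like the Microsoft Graph messageRule resource, which is an assumption.

```python
"""Triage a mailbox's inbox rules for the persistence pattern the briefing
describes (forwarding to an external address, deleting or hiding mail) and
preserve an export before anything is removed. Added example, not from the
briefing; the rules are constructed sample data shaped like the Microsoft
Graph messageRule resource, which is an assumption (adapt for other hosts)."""
import json
from datetime import datetime, timezone

FIRM_DOMAINS = {"example-firm.co.uk"}   # addresses here count as internal
PAYMENT_WORDS = {"invoice", "payment", "bank", "completion", "remittance"}
# Constructed sample: a benign housekeeping rule and an attacker-style rule.
RULES = [
    {"id": "r1", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "AAMk-newsletters-folder-id"}},
    {"id": "r2", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "completion"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "pa.backup@mail.example"}}],
                 "delete": True, "markAsRead": True}},
]

def forward_targets(actions):
    """Every address a rule forwards or redirects mail to, lower-cased."""
    return [r["emailAddress"]["address"].lower()
            for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
            for r in actions.get(key, [])]

def triage_rule(rule):
    """Return the reasons this rule needs a human look (empty = looks benign)."""
    reasons, actions = [], rule.get("actions", {})
    targets = forward_targets(actions)
    for addr in targets:
        if addr.rsplit("@", 1)[-1] not in FIRM_DOMAINS:
            reasons.append(f"forwards to external address {addr}")
    if actions.get("delete"):
        reasons.append("deletes incoming mail")
    if targets and actions.get("markAsRead"):
        reasons.append("marks forwarded mail as read, hiding it from the owner")
    words = {w.lower() for k in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for w in rule.get("conditions", {}).get(k, [])}
    if words & PAYMENT_WORDS:
        reasons.append("triggers on payment-related words")
    return reasons

def triage_mailbox(rules):
    return {r["id"]: triage_rule(r) for r in rules if r.get("isEnabled") and triage_rule(r)}

def preserve(rules):
    """Timestamped JSON export to keep as evidence before any rule is deleted."""
    return json.dumps({"exported_at": datetime.now(timezone.utc).isoformat(),
                       "rules": rules}, indent=2)
```

Write the output of preserve() somewhere outside the affected mailbox before removing anything, so the export itself survives the clean-up.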