
Trust Account Fraud in Canadian Law Firms: How It Happens and the 10-Minute Check That Catches It Early

Published on 2026-06-26 by CanadaSecure Team

In the spring of 2024, a two-partner Ontario law firm nearly lost a client's $340,000 closing deposit. The money was redirected to a third-party account through a series of emails that appeared to come from one of the firm's own partners — correct domain, correct tone, correct file references.

The wire instruction arrived on a Friday afternoon. The client followed it. By Monday morning, the real partner had no idea any of it had happened.

The attacker had been inside the firm's email for six weeks.


This is not a hypothetical. Variants of this incident are documented in Law Society of Ontario guidance, in Canadian insurance industry advisories, and in court records from firms that pursued recovery. The attack pattern is consistent enough that it has a name — business email compromise (BEC) — and law firms are among its most targeted sectors in Canada.

Understanding why, and what the attack actually looks like from the inside, is the starting point for stopping it.

Why Law Firms Are a High-Priority Target

From a fraudster's perspective, a law firm is a near-ideal target. Firms routinely handle:

The firm doesn't need to be large. A two-person practice handling residential real estate closings has exactly the same exposure as a 40-lawyer firm — sometimes more, because smaller operations typically have fewer internal verification checks.

The Attack Chain: Six Weeks in an Inbox

The BEC attack on a law firm almost never starts with a sophisticated intrusion. It starts with a credential that already exists in a breach database.

Week 1: Initial access. A staff member — a paralegal, a legal assistant, a junior lawyer — has reused a password from a personal account that appeared in a breach months or years earlier. Maybe a streaming service, maybe a professional association portal. The attacker purchases that credential for a few dollars and tries it against the firm's Microsoft 365 login.

It works. Multi-factor authentication is not enabled on the account.

Weeks 1–5: Surveillance. The attacker does not do anything immediately detectable. They read email. They learn the names of partners, clients, and opposing counsel. They identify active matters. They note the language the firm uses in closing communications — "please find attached," "kindly confirm receipt," "as discussed." They wait for the right transaction to approach closing.

Week 6: The intervention. The attacker intercepts or monitors a thread about an upcoming closing. At the right moment — often late in the day, often when the responsible lawyer is traveling or unavailable — they send revised wire instructions from the compromised inbox, or from a spoofed domain that looks nearly identical to the firm's. The urgency is already built in: closings have hard deadlines.

The client follows the instructions. The funds leave.

The discovery. Sometimes it surfaces within hours when the funds don't arrive. More often, it surfaces days later. By then, recovery from most Canadian financial institutions is not guaranteed.

What the Law Society and Your Insurer Will Ask

If an incident occurs, two sets of questions follow almost immediately.

The Law Society will want to understand what controls were in place to protect client funds and confidential communications. "We didn't know the inbox was compromised" does not satisfy the professional conduct review — the question is what steps were taken to prevent unauthorized access in the first place.

Your professional liability insurer will ask whether the firm had MFA enforced, whether staff email credentials were monitored for breach exposure, and whether wire instruction verification procedures existed. These are not hypothetical questions. They are in underwriting checklists, and the answers affect coverage.

A documented security review — completed before an incident — is what creates an honest paper trail. It answers both sets of questions with specifics rather than impressions.


If your firm hasn't had an outside view of its email security and access controls, our assessment for law firms covers exactly these areas — credential exposure, email spoofing configuration, cloud account access, and insurer-readiness documentation.


Five Controls That Would Have Stopped the Attack Above

None of these are technically complex. All of them are verifiable in under an hour by someone with admin access to your Microsoft 365 or Google Workspace account.

1. Multi-factor authentication, enforced for all accounts. MFA is the single highest-leverage control for preventing unauthorized access. If the compromised staff credential in the scenario above had MFA enforced, the attacker's login attempt would have failed at the second factor. MFA needs to be enforced — not offered, not recommended, enforced — on every account, including shared mailboxes.

2. DMARC policy set to reject or quarantine. DMARC is a DNS record that tells receiving mail servers what to do with emails that fail SPF and DKIM authentication checks. A firm whose domain has no DMARC policy — or a policy set to p=none — can be spoofed: an attacker can send an email that appears to come from partner@yourfirm.ca, receiving servers deliver it despite the failed checks, and it passes basic visual inspection. Setting DMARC to p=quarantine or p=reject closes that vector.

3. Staff credential monitoring. The attacker in a BEC incident uses credentials that already exist — often from a breach that has nothing to do with the firm. Monitoring your domain's email addresses against known breach databases catches these before attackers do. This is not a one-time check; new breach data surfaces continuously.

4. Inactive account audit. Staff turnover leaves behind active accounts. A paralegal who left 18 months ago may still have a live Microsoft 365 login with access to the firm's matter management system. Every departure should trigger an account deactivation checklist. In most firms we assess, it doesn't.

5. Wire instruction verification protocol. This is a process control, not a technical one, but it matters. Verbal verification of any wire instruction change — a call to a known number, not a number provided in the email — would have stopped the Friday afternoon scenario above. It is worth documenting, even for a small firm, because the documentation is what you point to in a post-incident review.

The 10-Minute Check You Can Do Now

If you have admin access to your Microsoft 365 or Google Workspace account, three checks take under 10 minutes:

  1. Search your admin panel for accounts without MFA enrolled. In Microsoft 365: Admin > Users > Active Users, filter by "MFA status." Any account showing "Disabled" is a live risk.
  2. Look up your domain's DMARC record (the TXT record published at _dmarc.yourfirm.ca). Use any public DMARC lookup tool (search "DMARC checker") and enter your firm's domain, or query it directly with nslookup -type=txt _dmarc.yourfirm.ca. If the result shows p=none or no record at all, your domain can be spoofed.
  3. Check for accounts that haven't logged in for 90 days. In most enterprise mail platforms, this is a standard usage report. Any account with no activity that isn't a shared resource should be reviewed for deactivation.
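The same three checks, and the DMARC point under control 2 above, can be run against exported data instead of by clicking through the admin panel. This is an added example and not code from the original post or a CanadaSecure tool: the DMARC strings and the account list are constructed sample data, and the record layout (user, MFA flag, last sign-in date, shared-mailbox flag) is assumed to match whatever your admin-centre MFA and sign-in reports export. It goes slightly beyond the text by also flagging the pct= and sp= tags, which quietly weaken a p=quarantine or p=reject policy.

```python
from datetime import date

def parse_dmarc(txt):
    """Split a _dmarc TXT record into tag/value pairs; None if absent or not DMARC."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def dmarc_verdict(txt):
    """Classify the policy as check 2 does, plus the pct= and sp= caveats."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no record: domain can be spoofed"
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "p=none: monitoring only, domain can be spoofed"
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    if pct < 100:
        return f"p={policy} but pct={pct}: only {pct}% of failing mail is acted on"
    if tags.get("sp", policy).lower() == "none":  # subdomain policy defaults to p=
        return f"p={policy} but sp=none: subdomains can be spoofed"
    return f"p={policy}: enforced"

def flag_accounts(accounts, today, stale_days=90):
    """Checks 1 and 3: MFA off, and non-shared accounts idle for more than stale_days."""
    findings = []
    for acct in accounts:
        if not acct["mfa"]:
            findings.append((acct["user"], "MFA disabled"))
        if acct["shared"]:
            continue  # shared mailboxes are not expected to sign in interactively
        last = acct["last_sign_in"]
        if last is None or (today - last).days > stale_days:
            findings.append((acct["user"], f"no sign-in in {stale_days} days: review for deactivation"))
    return findings

# Constructed sample data; a real run would read the admin-centre MFA and sign-in exports.
SAMPLE_ACCOUNTS = [
    {"user": "partner@firm.example", "mfa": True, "last_sign_in": date(2024, 5, 16), "shared": False},
    {"user": "paralegal@firm.example", "mfa": False, "last_sign_in": date(2024, 5, 15), "shared": False},
    {"user": "former.staff@firm.example", "mfa": False, "last_sign_in": date(2022, 11, 3), "shared": False},
    {"user": "closings@firm.example", "mfa": True, "last_sign_in": None, "shared": True},
]

if __name__ == "__main__":
    print(dmarc_verdict("v=DMARC1; p=none; rua=mailto:dmarc@firm.example"))
    print(flag_accounts(SAMPLE_ACCOUNTS, date(2024, 5, 17)))
```

Run it as-is to see the constructed findings; to use it on your own firm, replace SAMPLE_ACCOUNTS with rows from your exported report and pass the real _dmarc TXT value to dmarc_verdict.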

These three checks don't replace a comprehensive review, but they tell you immediately whether the most common entry points are closed.


If you'd like an outside view of your firm's email security, credential exposure, and access controls — with a written report your insurer and Law Society can reference — our legal firm assessment is designed for exactly this. The Essential Exposure Review starts at $497 CAD and includes a 60-minute findings call.

There's also a free three-minute exposure check if you want to benchmark where your firm stands before going further.


CanadaSecure provides fixed-fee cybersecurity assessments for Canadian small and mid-sized businesses. We work with law firms, clinics, accounting practices, and financial services firms across Ontario and beyond. Contact us if you have questions about what a review covers or whether it's the right fit.