It started with an email that looked completely ordinary, and ended with a six-figure wire transfer to an account no one could trace. Here is how a 14-person law firm lost $98,000 in a single afternoon, and the three controls that would have stopped it for almost nothing.
The setup
The firm handled real-estate closings, which meant large client wires were routine. Attackers know this. Weeks earlier, an associate had reused a password that showed up in a breach dump. The attackers quietly logged into her mailbox, set a hidden forwarding rule, and simply read, learning the firm’s tone, its clients, and the timing of an upcoming closing.
The trigger
On closing day, the bookkeeper received an email, from the associate’s real address, with “updated wire instructions” for the title company. It referenced the correct file number and the correct amount. The only thing that had changed was the destination account. The money was gone before the real associate ever saw the thread.
Why it worked
- No MFA. A stolen password was all it took to get inside.
- No out-of-band verification. Wire changes were trusted over email alone.
- No alerting on mailbox rules. The malicious forwarding rule ran for weeks, unseen.
The fix, and what it would have cost
Three controls, none of them expensive, would have broken this chain: multi-factor authentication on every mailbox, so a leaked password alone no longer opens the door; a call-back rule that verifies any change to payment details by phone, using a number already on file rather than one taken from the email; and automated alerts whenever a new inbox rule forwards or redirects mail, especially to an address outside the firm. Combined cost: a few dollars per user per month. The loss: $98,000 and a very uncomfortable call to the client.
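To make the third control concrete, here is an added example (not code from the original post) of the alerting logic: a small Python detector that scans mailbox audit records for rules that forward or redirect mail. It assumes records in the shape of Microsoft 365 unified audit log entries for the New-InboxRule and Set-InboxRule operations (Operation, UserId, ClientIP, and a Parameters list of Name/Value pairs); the firm's domain, the addresses, the IPs and the events themselves are constructed for this example.

```python
import json
import re

# Hypothetical: the firm's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"examplelaw.test"}

# Exchange inbox-rule parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Parameters often combined with forwarding so the owner never sees the rule fire.
HIDING_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Pulls addresses out of values like "[SMTP:a@b.test]" or '"Name" [SMTP:a@b.test]'.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records, one JSON object per line, shaped like
# Microsoft 365 unified audit log entries. All values are made up.
SAMPLE_EVENTS = [
    json.dumps({"CreationTime": "2024-03-02T09:14:07", "Operation": "New-InboxRule",
                "UserId": "associate@examplelaw.test", "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "[SMTP:closings.archive@mail-relay.example]"},
                               {"Name": "DeleteMessage", "Value": "True"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-03-05T11:02:51", "Operation": "New-InboxRule",
                "UserId": "bookkeeper@examplelaw.test", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "SubjectContainsWords", "Value": "Weekly Digest"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"CreationTime": "2024-03-06T16:40:12", "Operation": "Set-InboxRule",
                "UserId": "partner@examplelaw.test", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Identity", "Value": "Closings"},
                               {"Name": "ForwardTo", "Value": "\"Paralegal\" [SMTP:paralegal@examplelaw.test]"}]}),
    json.dumps({"CreationTime": "2024-03-06T16:41:00", "Operation": "MailItemsAccessed",
                "UserId": "partner@examplelaw.test", "ClientIP": "198.51.100.7",
                "Parameters": []}),
]


def parse_parameters(event):
    """Flatten the audit record's Parameters array into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def extract_addresses(value):
    """Return every e-mail address found in a parameter value, lower-cased."""
    return [m.lower() for m in EMAIL_RE.findall(value)]


def is_external(address):
    """True when the address's domain is not one of the firm's own."""
    return address.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def evaluate_rule_event(event):
    """Return an alert dict if this record creates or edits a forwarding rule, else None."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return None
    params = parse_parameters(event)
    targets = []
    for name in FORWARDING_PARAMS:
        if name in params:
            targets.extend(extract_addresses(params[name]))
    if not targets:
        return None  # a rule that only files or flags mail is not what we are hunting
    external = sorted({t for t in targets if is_external(t)})
    hiding = [h for h in HIDING_PARAMS if params.get(h) not in (None, "False")]
    reasons = ["forwards mail outside the organisation" if external
               else "forwards mail to an internal address"]
    if hiding:
        reasons.append("also hides forwarded mail via " + ", ".join(hiding))
    rule_name = params.get("Name") or params.get("Identity") or ""
    if len(rule_name.strip(" .")) <= 1:
        reasons.append("rule name is blank or a single character")
    return {"severity": "HIGH" if external else "LOW",
            "time": event.get("CreationTime"), "user": event.get("UserId"),
            "operation": event["Operation"], "client_ip": event.get("ClientIP"),
            "targets": sorted(set(targets)), "external_targets": external,
            "reasons": reasons}


def scan(lines):
    """Run the detector over an iterable of JSON audit lines; return alerts in order."""
    alerts = []
    for line in lines:
        alert = evaluate_rule_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['user']} {a['operation']} "
              f"from {a['client_ip']}: " + "; ".join(a["reasons"]))
```

Run it as a script to print the alerts, or feed an audit-log export to scan(). A forward to an internal address is worth logging but not paging anyone over; an external target, especially paired with DeleteMessage or MarkAsRead and a blank or one-character rule name, is exactly the pattern in this story and should page someone the same hour.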
The hard part isn’t the tools, it’s knowing which few controls matter most for a business your size, before you need them.