Beyond the Gateway: Why Traditional Email Security Can’t Stop BEC Attacks Targeting M&A Deals and Trust Accounts

The email your conveyancing solicitor just received looks perfect. It's a continuation of an existing thread about a property settlement, references the correct property address, includes previous conversation history, and appears to come from the client's accountant. The message explains that banking details have changed and provides updated account information for the settlement funds.

Your email security gateway scanned it, found no malicious links or attachments, and delivered it straight to the inbox. Microsoft 365's built-in protection saw nothing suspicious either: after all, it's part of an ongoing conversation with a known contact.

Two days later, $470,000 in client settlement funds is transferred to an attacker's account. The real client, real accountant and real solicitor are all left scrambling to explain how a legitimate email thread was weaponised without anyone noticing.

Welcome to the world of modern Business Email Compromise (BEC), where the attack vector isn't a malicious payload, but elaborately constructed deception that exploits the very trust relationships that make business possible.

The $43 Billion Problem That Won't Go Away

According to the FBI, Business Email Compromise resulted in over $43 billion in losses between 2016 and 2023. Unlike ransomware attacks that make headlines, BEC happens quietly, exploiting trust rather than technology vulnerabilities. And despite massive investments in email security, the problem is accelerating.

Among the most devastating variants are attacks targeting professional services—particularly conveyancing transactions, client trust accounts, and legal settlements where large sums of money change hands based on email instructions.

Why? Because the fundamental approach to email security hasn't evolved to match how attackers operate today.

The High-Stakes Target: Trust Accounts and Conveyancing Fraud

Why Professional Services Are Prime Targets

Conveyancing transactions, legal settlements, and client trust account transfers represent the perfect storm of conditions that attackers seek:

Large, predictable transfers: Property settlements regularly involve hundreds of thousands or millions in client funds, with expected transfer timings that attackers can research and anticipate.

Complex communication chains: Transactions involve multiple parties—buyers, sellers, solicitors, accountants, mortgage brokers, real estate agents—creating numerous opportunities for impersonation and confusion.

Time pressure: Settlement deadlines create urgency that discourages careful verification. "We need the funds transferred today or the deal falls through" is a powerful motivator that overrides caution.

Established email workflows: Unlike some industries adopting modern verification systems, professional services still rely heavily on email for sensitive financial instructions—a legacy that attackers gleefully exploit.

Regulatory complexity: The legitimate need to update banking details, handle last-minute changes, and coordinate across multiple parties creates cover for fraudulent requests that might otherwise seem suspicious.

The Anatomy of a Conveyancing Attack

Modern conveyancing fraud demonstrates just how sophisticated BEC has become. Attackers don't send a single impersonation email and hope for the best. They orchestrate elaborate campaigns:

Phase 1: Reconnaissance and Positioning

  • Monitoring real estate listings and public property records to identify upcoming settlements
  • Compromising email accounts of any party in the transaction chain—often real estate agents or conveyancers with weaker security
  • Studying the communication patterns, terminology, and relationships between parties
  • Identifying the key decision-makers and who has authority to change payment instructions

Phase 2: Thread Hijacking and Trust Building

This is where attacks become truly insidious. Rather than sending a standalone email that might trigger suspicion, attackers inject themselves into existing, legitimate email threads.

How this works:

  1. Attacker compromises the email account of one party (say, a real estate agent)
  2. Monitors ongoing conversations about property settlements
  3. Creates a new email that appears to continue the existing thread—matching subject lines, using "RE:" prefixes, and including previous conversation history
  4. Fabricates realistic "previous emails" that appear to show earlier discussions about changed banking details
  5. Times the insertion to coincide with expected settlement activities

The recipient sees what looks like a continuation of a conversation they've been part of, complete with quoted history. Their email client threads it together with the legitimate emails. Nothing appears amiss.

Phase 3: Multi-Party Impersonation

Sophisticated attackers don't stop at impersonating a single person. They create an entire cast of characters to reinforce legitimacy:

The fake accountant: Confirms the banking change, provides professional letterhead, references client details that make the communication seem authentic.

The fake client: Sends an email (appearing to come from the real client's compromised account or a lookalike domain) acknowledging the banking change and expressing urgency about meeting settlement deadlines.

The fake solicitor: If targeting the buyer's side, might impersonate the seller's solicitor confirming the new account details.

The fake bank representative: In some sophisticated attacks, even includes communication appearing to come from the bank "verifying" the new account.

Each fabricated party reinforces the others, creating a web of apparent verification that makes the fraud seem bulletproof. After all, if the client, their accountant, and their solicitor all confirm the banking details, how could it be fraudulent?

Phase 4: The Strike

With trust established and urgency created, the attacker sends the payment instruction:

"As discussed in our previous emails, please find the updated banking details for settlement. Given the tight timeline, please process the transfer today to avoid delays. Both [client name] and their accountant [accountant name] have confirmed these details."

The email includes:

  • Convincing fabricated email history
  • Professional formatting matching previous legitimate correspondence
  • Correct transaction details (property address, settlement amount, date)
  • Just enough urgency to discourage additional verification
  • Banking details leading to the attacker's account

Real-World Consequences

The impact extends far beyond the immediate financial loss:

Destroyed client relationships: Law firms lose clients who trusted them with their life savings for a home purchase, only to see those funds vanish.

Professional indemnity claims: Legal practices face massive insurance claims and potential negligence lawsuits.

Regulatory investigations: Professional oversight bodies investigate how client trust accounts were compromised, sometimes resulting in license suspensions.

Reputational damage: News spreads quickly in professional communities. A single successful attack can devastate a practice's reputation.

Career consequences: Solicitors and conveyancers have had their careers ended by falling victim to these sophisticated frauds.

And the cruel irony? None of the security measures they had in place—email gateways, M365 protection, antivirus—detected anything wrong because technically, nothing was "wrong" with the emails themselves.

The False Sense of Security: Email Gateways and M365

Traditional Email Security Gateways: Fighting Yesterday's War

Legacy Secure Email Gateways (SEGs) were designed for a different threat landscape. They excel at what they were built for:

  • Scanning for known malware signatures
  • Blocking emails with malicious attachments
  • Identifying suspicious URLs and sandboxing them
  • Filtering spam based on reputation databases

This works beautifully against mass phishing campaigns using commodity malware. But modern BEC attacks, particularly those targeting high-value transactions like conveyancing, don't use malware. They don't include malicious links. They don't trigger reputation filters because they often come from legitimate, compromised accounts or carefully crafted lookalike domains.

The critical flaw: SEGs analyse emails in isolation, looking at each message as a standalone artifact. They ask: "Is there something bad in this email?" But they never ask: "Is this communication contextually anomalous for this relationship? Has this conversation thread been manipulated? Are these banking details legitimate given the historical patterns?"

When an attacker fabricates email history to make their message appear as part of an ongoing thread, SEGs see individual emails, not the manipulated narrative. When multiple impersonators coordinate their messages, SEGs examine each email separately, never detecting the orchestrated campaign.

Microsoft 365: Built-In, But Not Built for This

Microsoft has significantly improved email security in M365, adding features like Safe Links, Safe Attachments, and anti-phishing policies. These protections catch many threats and provide a solid baseline.

But M365 faces fundamental limitations when confronting sophisticated BEC:

1. Rule-based detection: M365's protection relies heavily on signatures, patterns, and rules. Attackers craft emails specifically to avoid triggering these rules—no suspicious links, no malicious attachments, just social engineering wrapped in legitimate-looking communication.

2. Limited behavioural context: While M365 has some behavioural analytics, it operates primarily within the email environment. It doesn't have deep visibility into communication patterns, relationships, or the broader context of how employees typically interact with clients and partners.

3. Thread manipulation blindness: When attackers fabricate previous conversation history, M365 cannot verify whether those "previous emails" actually existed in the recipient's mailbox. The fake history looks legitimate because it's formatted correctly.

4. No multi-party correlation: When several impersonators coordinate their messages to reinforce each other, M365 examines each email individually. It cannot detect that multiple emails are part of a coordinated deception campaign.

5. The trust assumption: Emails from authenticated domains with proper SPF, DKIM, and DMARC records are generally trusted. Yet attackers routinely compromise legitimate accounts—particularly in professional services where security practices may be less robust—and use those accounts to send fraudulent instructions that pass all authentication checks.

The Evolution of Email Threats

Business Email Compromise: The Art of Elaborately Constructed Deception

Modern BEC attacks, particularly those targeting professional services and high-value transactions, represent a level of sophistication that would have seemed impossible a decade ago. Attackers invest weeks or even months in reconnaissance and setup:

Deep reconnaissance:

  • Studying organisational hierarchies on LinkedIn
  • Monitoring real estate listings and property transaction websites
  • Analysing court records and public filings to identify high-value cases
  • Understanding financial workflows and approval processes in law firms and conveyancing practices
  • Identifying when settlements are scheduled and who's involved
  • Researching communication styles of key individuals

Relationship mapping:

  • Identifying all parties in transaction chains
  • Understanding reporting relationships and authority structures
  • Discovering which parties communicate most frequently
  • Learning the terminology and communication patterns specific to each profession

Strategic account compromise:

  • Targeting the weakest security link in the chain (often small practices or independent professionals)
  • Using credential phishing to gain access to legitimate email accounts
  • Maintaining persistent access while remaining undetected
  • Monitoring conversations to understand transaction details and timing

They craft communications that are contextually perfect because they've done extensive homework. A banking change request for a conveyancing settlement doesn't need malware—it needs the right property address, the correct transaction amount, references to previous (fabricated) conversations, and confirmation from multiple "parties" in the chain.

Thread Manipulation: The Killer Technique

This is where attacks become almost impossible for traditional security to detect. Attackers don't just send a standalone impersonation email—they create the illusion of an ongoing conversation.

How thread manipulation works:

1. Email header manipulation: Attackers craft the email headers to make their message appear as part of an existing thread:

  • Matching subject lines with "RE:" or "FW:" prefixes
  • Using correct Message-ID references that threading systems use
  • Setting In-Reply-To headers that link to legitimate messages

2. Fabricated conversation history: The body of the email includes quoted text that appears to be from previous messages:

[Image: Fraudulent Email Thread]

The recipient sees what appears to be a legitimate conversation thread. Their email client threads it with other genuine emails about the same settlement. The "previous emails" they see quoted provide social proof that this change was discussed and agreed upon.

The devastating part: Those quoted "previous emails" never existed. The attacker fabricated them entirely. But without checking their sent folder or searching their complete email history, the recipient has no way to know that.

Multi-Party Orchestration: Creating a False Consensus

Sophisticated attackers don't rely on a single impersonation. They create multiple supporting communications that reinforce each other:

Scenario: Property settlement fraud

Email 1 (appearing from client's accountant): "Hi Sarah, I wanted to give you a heads up that [client name]'s banking arrangements have changed due to their refinancing. They've set up a new settlement account and will be sending through updated details. Just wanted you to expect that communication."

Email 2 (appearing from client): "Hi Sarah, as John mentioned, our banking has changed with the refinancing. Here are the new account details for Friday's settlement. Can you please confirm you've received these?"

Email 3 (appearing from accountant again): "Sarah, following up on the banking details [client name] sent through. Everything is correct on our end. Given Friday's deadline, can you please confirm you're ready to process to the new account?"

Each email reinforces the others. The accountant's first email primes the recipient to expect changed banking details. The client's email provides those details. The accountant's follow-up confirms them and adds urgency.

From the recipient's perspective, three different parties have confirmed this change. The multi-party verification that should provide security is actually orchestrated by a single attacker controlling compromised accounts or using lookalike domains for each party.

Even more sophisticated variants:

Attackers sometimes impersonate internal parties within the law firm or conveyancing practice:

  • A "senior partner" emailing a junior solicitor: "I've spoken with the client about their banking change. Please update the settlement details as per their accountant's instructions."
  • A "practice manager" confirming: "I've verified the new account details with the client. All approved for Friday's settlement."

Now the victim has both external verification (client and accountant) and internal verification (senior partner and practice manager). The false consensus becomes overwhelming.

Impersonation Attacks: Beyond Simple Spoofing

Impersonation targeting professional services has become frighteningly sophisticated. Attackers no longer rely on obvious spoofing that email gateways can catch. Instead, they use:

Account takeover: Compromising legitimate email accounts of accountants, real estate agents, mortgage brokers, or even clients themselves. When emails come from genuine accounts with proper authentication, they sail through all security checks.

Lookalike domains: Registering domains like "smith-accounting.com" instead of "smithaccounting.com", or using Unicode characters that appear visually identical to ASCII letters. Professional email signatures are copied perfectly, making detection nearly impossible.

Compromised vendor relationships: Targeting the weakest link in the professional service chain. A compromised real estate agent's email becomes the entry point for attacking all their clients' conveyancing transactions.

Display name deception: The "From" address might be legitimate, but the display name shows "John Smith - Senior Accountant" when it's actually an external account. Most email clients prominently display names, not addresses, making this surprisingly effective.

SEGs and M365 struggle with these because technically, there's nothing "wrong" with the emails. They're properly formatted, correctly authenticated (if from compromised accounts), and contain no malicious content.
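The lookalike-domain and display-name tricks above are the ones a defender can partly check mechanically at the From: header. The following is an added example written for this article, not code from the original post or from any vendor product. It assumes a small, constructed directory of known contacts and domains (`KNOWN_CONTACTS`, `KNOWN_DOMAINS`), folds common homoglyphs (Cyrillic а/е/о/р/с, digit-for-letter swaps, "rn" for "m") into a visual skeleton before comparing, and flags a display name that claims a known person while the address sits on some other domain.

```python
"""Sender-identity checks for lookalike domains and display-name deception.

Added example for this article; not code from the original post or any vendor
product. The contact directory and the known-domain list are constructed.
"""
from email.utils import parseaddr
import unicodedata

# Constructed: display names the practice knows and the domain each one uses.
KNOWN_CONTACTS = {"john smith": "smithaccounting.com"}
# Constructed: domains the practice has an established relationship with.
KNOWN_DOMAINS = {"smithaccounting.com", "examplelaw.co.uk"}

# Single-character confusables folded to the ASCII letter they imitate.
# Cyrillic а, е, о, р, с render identically to Latin a, e, o, p, c in most fonts.
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
    "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Reduce a domain to a visual skeleton: strip accents, fold confusables,
    and collapse the digraphs 'rn' and 'vv' that mimic 'm' and 'w'."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def analyse_sender(from_header: str) -> list:
    """Return a list of findings for one From: header; empty means nothing odd."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()

    # 1. Internationalised or punycode domains are rare in professional mail and
    #    are the usual carrier for homoglyph lookalikes.
    if any(ord(c) > 127 for c in domain) or any(
            label.startswith("xn--") for label in domain.split(".")):
        findings.append("non-ASCII or punycode domain")

    # 2. Compare skeletons against every known domain, ignoring hyphens, so that
    #    'smith-accounting.com' and homoglyph variants both match 'smithaccounting.com'.
    if domain not in KNOWN_DOMAINS:
        cand = skeleton(domain).replace("-", "")
        for known in KNOWN_DOMAINS:
            ref = skeleton(known).replace("-", "")
            if cand == ref:
                findings.append(f"lookalike of {known}")
            elif _levenshtein(cand, ref) <= 2:
                findings.append(f"near-miss of {known}")

    # 3. Display name names a known contact, but the address is not on their domain.
    #    'John Smith - Senior Accountant' is matched on the part before the dash.
    key = name.lower().split(" - ")[0].strip()
    expected = KNOWN_CONTACTS.get(key)
    if expected and domain != expected:
        findings.append(f"display name '{name}' but address is not on {expected}")
    return findings
```

Run `analyse_sender("John Smith - Senior Accountant <john.smith@gmail.com>")` and the only finding is the display-name mismatch; the hyphenated and Cyrillic variants of the accountant's domain each produce a "lookalike" finding on top. Skeleton matching is deliberately coarse: it is meant to raise a flag for human verification, not to block on its own.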

AI-Powered Email Threats: The New Arms Race

Artificial intelligence has fundamentally changed the threat landscape, particularly for attacks targeting professional services, where credibility and attention to detail matter enormously. Attackers can now use AI to:

Generate perfect professional impersonations: Large language models can analyse a target's writing style from public sources, court documents, professional correspondence, and generate emails that match their tone, vocabulary, terminology, and communication patterns with uncanny accuracy.

An AI can study how a particular solicitor writes emails—their greeting style, sign-off preferences, use of legal terminology, even their habits around email formatting—and produce communications that colleagues and clients cannot distinguish from genuine correspondence.

Scale personalisation: What used to require hours of manual research per target can now be automated. AI can scrape LinkedIn, company websites, public property records, court filings, and professional registries to build detailed profiles and craft personalised attacks at scale.

An attacker can identify 50 upcoming property settlements, research all parties involved in each transaction, and generate perfectly contextualised emails for each scenario—all in the time it previously took to research a single target.

Adapt in real-time: AI-powered attacks can analyse responses and adjust their approach dynamically, maintaining consistency in multi-email exchanges.

If a solicitor responds with questions about the banking change, AI can generate contextually appropriate follow-up responses that address concerns, provide plausible explanations, and maintain the deception through multi-turn conversations.

Evade detection: Machine learning models can be trained to generate content that specifically avoids triggering security filters, constantly evolving to stay ahead of rule-based detection.

Create flawless fabricated email history: AI can generate the "previous conversation" quoted in thread-manipulated emails, ensuring that fabricated exchanges use appropriate professional language, realistic timing, and contextually sensible content.

The result? Emails targeting conveyancing transactions and trust accounts that are indistinguishable from legitimate communication, even to experienced legal professionals. If a trained solicitor can't reliably spot the attack, rule-based systems have no chance.

QR Code Phishing: The Blind Spot in Every SEG

QR code phishing ("quishing") has exploded in popularity precisely because it exploits a fundamental gap in email security architecture—and it's increasingly being used to compromise the professional services sector.

Why QR codes are devastatingly effective in professional services:

1. Invisible to traditional scanning: SEGs scan URLs and attachments, but a QR code is just an image. Security tools see a harmless PNG or JPG, not the malicious URL encoded within it.

2. Mobile device exploitation: Professionals scan QR codes with personal mobile devices that often lack enterprise security controls. The attack bypasses corporate network protections entirely.

3. Professional legitimacy: QR codes are now commonly used for secure client portals, document signing, payment verification, and two-factor authentication. Legal and accounting professionals are conditioned to trust and use them.

4. No hover-to-preview: With traditional links, users can hover to see the destination URL. QR codes provide no such preview—you only discover the destination after scanning.

Real-world attack scenario targeting conveyancing:

  • Attacker sends email appearing to be from the client's bank: "Verify settlement account details for 123 Main Street transaction"
  • Email includes QR code for "secure mobile verification via our banking app"
  • Solicitor scans with personal phone, bypassing law firm's network security
  • Lands on convincing fake banking portal
  • Enters client account details and verification code
  • Credentials captured, attacker gains access to legitimate client account information
  • Attacker now has real account details to make their subsequent banking change request appear more legitimate

Traditional email security never saw the malicious URL because it was encoded in an image. M365's Safe Links never engaged because there was no clickable link to analyse.

The Silo Problem: Why Context Is Everything

Here's the fundamental issue with traditional email security: it analyses emails as isolated artefacts rather than contextual communications within complex professional relationships.

Consider two identical emails sent to a conveyancing solicitor:

Email A: "Banking details for settlement have changed. Please use the following account: [details]. Confirmed by client and accountant as per previous correspondence."

Email B: "Banking details for settlement have changed. Please use the following account: [details]. Confirmed by client and accountant as per previous correspondence."

A traditional SEG analyses both emails and finds:

  • No malware
  • No malicious URLs
  • Authenticated sender
  • Proper email formatting
  • Professional language and terminology

Both emails pass through to the inbox.

But what if you knew:

Email A context:

  • Sender is the client's long-time accountant with 3+ years of email history
  • Recipient has handled multiple previous transactions for this client
  • Previous emails (actually existing in the mailbox) show discussion about refinancing and account changes
  • The requested account matches the client's name and previous account patterns
  • Banking institution is the same one used in previous transactions
  • Email sent during business hours from accountant's usual location
  • Communication style matches accountant's historical patterns
  • Client has independently confirmed via phone

Email B context:

  • Sender claims to be client's accountant but email originated from unusual geographic location
  • This is the first transaction this solicitor has handled for this client
  • No previous emails in the mailbox match the "quoted previous correspondence" in the thread
  • The quoted emails reference conversations that never happened
  • Requested account name doesn't quite match client name (subtle variation)
  • Banking institution is one never previously used by this client
  • Email sent at 2 AM in recipient's timezone
  • Communication style differs from accountant's patterns in previous legitimate transactions with other clients
  • Timing coincides with client being overseas (discovered via LinkedIn posts)
  • Follow-up "confirmation" emails from "client" came from newly created lookalike domain

The content is identical, but the context makes Email B obviously fraudulent. Yet SEGs and M365 have no access to this contextual intelligence—they only see the email itself, not the web of relationships, patterns, and anomalies that define legitimacy in professional services.
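To make the Email A / Email B contrast concrete, here is an added example of context-based scoring, written for this article and not taken from the original post or any vendor product. The email body is deliberately not an input to `assess()`: the two scenarios carry identical content and differ only in the relationship and delivery signals listed above. The signal names, weights, the 40-point hold threshold and the UTC+10 recipient timezone are all constructed assumptions; a real system would learn weights from the practice's own mail history.

```python
"""Context-based risk scoring for a payment-instruction email.

Added example for this article, not code from the original post or any vendor
product. Signals, weights and the hold threshold are constructed to show that
identical content scores differently once relationship context is included.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher

RECIPIENT_TZ = timezone(timedelta(hours=10))  # constructed: recipient works at UTC+10
HOLD_THRESHOLD = 40                           # constructed: hold at or above this score


@dataclass
class Relationship:
    """What the practice already knows about this client from its own records."""
    client_name: str
    accountant_addresses: set
    prior_transactions: int
    banks_used: set


@dataclass
class Signals:
    """Facts gathered about one incoming email and its claimed history."""
    sender_address: str
    sent_at: datetime                     # timezone-aware
    from_usual_country: bool              # sending location matches the sender's norm
    quoted_history_in_mailbox: bool       # do the quoted 'previous emails' exist?
    payee_name: str
    bank: str
    confirmations_from_new_domains: int   # follow-up 'confirmations' from never-seen domains
    client_confirmed_by_phone: bool


def _norm(s: str) -> str:
    return " ".join(s.lower().replace(".", "").split())


def assess(rel: Relationship, sig: Signals):
    """Return (score, reasons). Content is not an input: context, not content,
    is what separates Email A from Email B."""
    score, reasons = 0, []

    def add(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    if sig.sender_address not in rel.accountant_addresses:
        add(25, "sender address never used by this client's accountant before")
    if rel.prior_transactions == 0:
        add(10, "first transaction for this client")
    if not sig.quoted_history_in_mailbox:
        add(25, "quoted previous correspondence does not exist in the mailbox")
    ratio = SequenceMatcher(None, _norm(sig.payee_name), _norm(rel.client_name)).ratio()
    if 0.8 < ratio < 1.0:
        add(20, f"payee name is a subtle variation of the client name (similarity {ratio:.2f})")
    elif ratio <= 0.8:
        add(30, "payee name does not match the client")
    if sig.bank not in rel.banks_used:
        add(10, "bank never used by this client before")
    local_hour = sig.sent_at.astimezone(RECIPIENT_TZ).hour
    if not 7 <= local_hour <= 19:
        add(10, f"sent at {local_hour:02d}:00 recipient local time")
    if not sig.from_usual_country:
        add(15, "sent from a location unusual for this sender")
    if sig.confirmations_from_new_domains:
        add(15, f"{sig.confirmations_from_new_domains} confirmation(s) from newly seen domains")
    if sig.client_confirmed_by_phone:
        add(-30, "client independently confirmed by phone (mitigating)")
    return max(score, 0), reasons


def verdict(score: int) -> str:
    return "hold for out-of-band verification" if score >= HOLD_THRESHOLD else "deliver"


# Constructed scenarios mirroring Email A and Email B above.
EMAIL_A = (
    Relationship("Jane Smith", {"john@smithaccounting.test"}, 4, {"Example Bank"}),
    Signals("john@smithaccounting.test", datetime(2025, 3, 3, 10, 15, tzinfo=RECIPIENT_TZ),
            True, True, "Jane Smith", "Example Bank", 0, True),
)
EMAIL_B = (
    Relationship("Jane Smith", set(), 0, set()),
    Signals("john@smith-accounting.test", datetime(2025, 3, 3, 2, 5, tzinfo=RECIPIENT_TZ),
            False, False, "Jane Smyth", "Other Bank", 1, False),
)

if __name__ == "__main__":
    for label, (rel, sig) in (("A", EMAIL_A), ("B", EMAIL_B)):
        score, reasons = assess(rel, sig)
        print(f"Email {label}: score {score} -> {verdict(score)}")
        for why in reasons:
            print("  -", why)
```

Email A scores 0 and is delivered; Email B accumulates every anomaly from the list above and is held. The useful property for a conveyancing practice is the `reasons` list, which gives the solicitor something specific to check by phone rather than a bare "suspicious" label.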

The Abnormal Security Approach: Behavioural AI and Contextual Intelligence

This is where platforms like Abnormal Security represent a paradigm shift. Rather than treating emails as isolated objects to be scanned, Abnormal uses behavioural AI to understand the context, relationships, and patterns that define normal communication—particularly crucial for protecting high-stakes professional services transactions.

Building a Behavioural Baseline

Abnormal doesn't start by looking for "bad" emails. It starts by understanding what "normal" looks like for your organisation and the professional relationships you maintain:

Identity and relationship mapping: Building a comprehensive map of relationships—who communicates with whom, how frequently, about what topics, and with what patterns. For professional services, this includes:

  • Client-solicitor relationships and their communication patterns
  • Professional service provider networks (accountants, brokers, agents)
  • Transaction-specific communication chains
  • Internal hierarchies and approval workflows

Communication pattern analysis: Understanding typical email volume, timing, tone, and content for each user and relationship:

  • How does this accountant typically communicate with this solicitor?
  • What does normal conveyancing correspondence look like for this practice?
  • How are banking details typically shared and verified?
  • What's the standard timeline for settlement communications?
  • Have there been any brute-force password attempts on the accounts involved?
  • Is the email being sent from a different location (country) than normal?

Transaction context awareness: Learning the rhythms of professional services work:

  • Typical settlement timelines and communication patterns
  • Standard practice for changing banking details
  • Normal verification procedures
  • Expected parties in different transaction types

Historical analysis: Analysing months of email data to establish baselines that account for natural variations in communication while identifying patterns specific to professional services workflows.

This creates a rich, dynamic model of normal behaviour that's specific to your organisation and the professional services you provide. Every practice operates differently, so a generic rule-based approach will always miss context-specific anomalies.

Detecting Anomalies, Not Just Threats

With behavioural baselines established, Abnormal identifies anomalies—deviations from expected patterns that are particularly critical in high-value transactions:

Sender anomalies:

  • Known accountant suddenly using new email address or domain
  • Client's email originating from unusual location (especially problematic if client is overseas)
  • First-time sender claiming existing relationship and requesting urgent banking changes
  • Compromised account exhibiting behavioural changes (different writing style, unusual sending patterns)
  • Email authentication passes but behavioural patterns don't match historical norms

Content and thread manipulation anomalies:

  • Quoted "previous conversation" that doesn't exist in recipient's mailbox history
  • References to discussions or phone calls that have no supporting evidence
  • Thread headers that claim to continue conversations but show discontinuities
  • Language patterns inconsistent with sender's historical communication style
  • Urgency that doesn't align with normal settlement timelines
  • Banking change requests that don't follow established verification procedures

Relationship anomalies:

  • Multiple "new" parties appearing simultaneously in a transaction chain
  • Accountants or lawyers who've never communicated with this practice before
  • Communication patterns suggesting coordinated impersonation (multiple parties reinforcing the same narrative in suspicious timing)
  • Claimed relationships that don't match any historical communication patterns

Transaction-specific anomalies:

  • Banking details that don't match patterns from previous legitimate transactions
  • Account names with subtle variations from expected format
  • Banking institutions inconsistent with client's historical patterns
  • Settlement amounts or timing that don't align with transaction documentation
  • Verification processes bypassed or rushed in unusual ways

Timing and coordination anomalies:

  • Messages sent at unusual hours (middle of the night for recipient's timezone)
  • Suspicious timing around known organisational events (key staff on vacation, end of financial year pressure)
  • Multiple confirmatory emails arriving in rapid succession (suggesting orchestrated campaign)
  • Timing coinciding with client being unavailable or overseas

Multi-Signal Analysis: Beyond Email Content

Here's where Abnormal's approach truly diverges from traditional security. The platform doesn't just analyse email—it correlates multiple intelligence signals that are absolutely critical for protecting professional services:

Identity verification: Cross-referencing claimed identities against organisational directories, past communications, external data sources, and professional registries. When someone claims to be John Smith from XYZ Accounting, Abnormal can verify:

  • Does this email address match previous legitimate communications from XYZ Accounting?
  • Does the sending infrastructure align with XYZ Accounting's normal email patterns?
  • Are there any lookalike domain indicators?
  • Does the communication style match John Smith's historical patterns?

Professional relationship intelligence: Maintaining awareness of legitimate professional relationships and their communication patterns:

  • Which accountants typically work with which clients?
  • What's the normal communication cadence between parties in a conveyancing transaction?
  • How do legitimate banking detail changes typically get communicated and verified?
  • Which real estate agents, brokers, and other professionals are part of this practice's regular network?

Thread integrity verification: Unlike traditional email security, Abnormal can verify whether quoted "previous correspondence" actually exists:

  • Do the claimed previous emails exist in the recipient's mailbox?
  • Are there gaps or inconsistencies in thread continuity?
  • Do the quoted messages match legitimate historical communication patterns?
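The thread-manipulation technique described under "Thread Manipulation: The Killer Technique" (forged RE: subjects, borrowed In-Reply-To/References headers, fabricated quoted history) and the thread-integrity questions just listed are two sides of one check, so here is a single added example covering both. It is written for this article, not code from the original post or any vendor product. It uses the standard `email` module, a constructed two-message mailbox, and the assumption that a genuine quoted line must appear verbatim somewhere in mail the recipient actually holds.

```python
"""Thread-integrity check: do an incoming reply's threading headers and quoted
'previous emails' correspond to mail that really exists in the mailbox?
Added example for this article; not from the original post or any vendor
product. The mailbox and incoming messages below are constructed.
"""
import email
import re

# Constructed mailbox: two genuine messages about one settlement.
MAILBOX_RAW = [
    """\
Message-ID: <a1@examplelaw.test>
From: Sarah Lee <sarah@examplelaw.test>
Subject: 12 Example St settlement

Hi John, settlement is booked for Friday. Trust account details are unchanged.
""",
    """\
Message-ID: <b2@smithaccounting.test>
In-Reply-To: <a1@examplelaw.test>
References: <a1@examplelaw.test>
From: John Smith <john@smithaccounting.test>
Subject: RE: 12 Example St settlement

Thanks Sarah, noted. Nothing further from our side.

> Hi John, settlement is booked for Friday. Trust account details are unchanged.
""",
]

# Constructed: a genuine follow-up whose headers and quotes both check out.
LEGIT_REPLY = """\
Message-ID: <c3@examplelaw.test>
In-Reply-To: <b2@smithaccounting.test>
References: <a1@examplelaw.test> <b2@smithaccounting.test>
From: Sarah Lee <sarah@examplelaw.test>
Subject: RE: 12 Example St settlement

Thanks John, will confirm once funds land.

> Thanks Sarah, noted. Nothing further from our side.
>
>> Hi John, settlement is booked for Friday. Trust account details are unchanged.
"""

# Constructed: threading headers copied correctly (as from a compromised account),
# but the quoted 'earlier discussion' of a changed account never happened.
FABRICATED_REPLY = """\
Message-ID: <x9@smith-accounting.test>
In-Reply-To: <b2@smithaccounting.test>
References: <a1@examplelaw.test> <b2@smithaccounting.test>
From: John Smith <john@smith-accounting.test>
Subject: RE: 12 Example St settlement

Hi Sarah, as per the below, please use the new account for Friday's settlement.

> Hi Sarah, following our call, Jane's settlement account has changed.
> Updated details will come from Jane directly.
"""

_MSGID = re.compile(r"<[^>]+>")


def _squash(s: str) -> str:
    return " ".join(s.split())


def build_index(raw_messages):
    """Map Message-ID -> parsed message, and collect every unquoted body line in
    the mailbox: the only text a genuine quote can have been drawn from."""
    by_id, known_lines = {}, set()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        by_id[msg["Message-ID"].strip()] = msg
        for line in msg.get_payload().splitlines():
            if line.strip() and not line.lstrip().startswith(">"):
                known_lines.add(_squash(line))
    return by_id, known_lines


def quoted_lines(body: str):
    """Yield quoted lines with their '>' markers removed, skipping blanks and
    the 'On ... wrote:' attribution line that mail clients add."""
    for line in body.splitlines():
        if not line.lstrip().startswith(">"):
            continue
        text = re.sub(r"^(\s*>)+\s?", "", line).strip()
        if text and not re.match(r"On .* wrote:$", text):
            yield _squash(text)


def verify_thread(raw_incoming: str, by_id, known_lines):
    """Return findings; an empty list means headers and quoted history check out."""
    msg = email.message_from_string(raw_incoming)
    findings = []
    refs = _MSGID.findall(msg.get("In-Reply-To", "") + " " + msg.get("References", ""))
    if re.match(r"(?i)(re|fw|fwd):", msg.get("Subject", "").strip()) and not refs:
        findings.append("reply-style subject but no In-Reply-To/References headers")
    for ref in dict.fromkeys(refs):  # de-duplicate, keep order
        if ref not in by_id:
            findings.append(f"referenced message {ref} not in mailbox")
    for text in quoted_lines(msg.get_payload()):
        if text not in known_lines:
            findings.append(f"quoted text not found in mailbox: '{text[:50]}'")
    return findings
```

Against the constructed mailbox, `verify_thread(LEGIT_REPLY, *build_index(MAILBOX_RAW))` returns nothing, while the fabricated reply passes the header check (its References were copied from real mail) and fails only on the quoted lines, which is exactly the case the text calls "the devastating part". A reply-style subject with no threading headers at all is a separate, weaker signal and is reported on its own.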

Financial transaction context: Understanding normal payment workflows, approval chains, and financial controls specific to professional services:

  • How are banking details typically provided and verified?
  • What approval processes exist for updating account information?
  • What verification steps are standard practice before settlement transfers?
  • Are there red flags in how this banking change is being requested versus normal procedure?

Multi-party correlation: When several emails arrive from different parties all supporting the same narrative (client, accountant, broker all confirming banking changes), Abnormal can detect patterns suggesting coordinated impersonation:

  • Are multiple parties communicating in unusually coordinated timing?
  • Do the various confirmatory messages exhibit similar language patterns (suggesting single author)?
  • Are claimed relationships between parties verified by historical communication?
  • Is the multi-party verification itself anomalous (e.g., more confirmation than normally occurs)?
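The multi-party correlation questions above can be turned into a small cross-message check. The following is an added example written for this article, not code from the original post or any vendor product. It replays the three-email scenario from "Multi-Party Orchestration" as constructed input and looks for the three signals listed: several distinct senders confirming the same change inside a short window, senders with no prior history with the practice (the `sender_seen_before` flag stands in for a relationship baseline), and identical four-word phrasing across supposedly different authors. The two-hour window and the four-word shingle length are assumptions.

```python
"""Cross-message correlation: several 'different' senders acting as one campaign.

Added example for this article, not code from the original post or any vendor
product. Messages are constructed after the three-email scenario in the text;
the window, shingle length and 'seen before' flags are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
import re


@dataclass
class Message:
    sender: str
    received: datetime
    body: str
    sender_seen_before: bool  # has this address written to the practice before?


def shingles(text: str, n: int = 4) -> set:
    """Word n-grams; four-word runs are distinctive enough that sharing them
    across unrelated authors is unusual."""
    words = re.findall(r"[a-z']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def correlate(messages, window: timedelta = timedelta(hours=2)) -> list:
    """Return findings for a group of messages that all push the same narrative
    (here: a changed settlement account). An empty list means nothing coordinated."""
    findings = []
    ordered = sorted(messages, key=lambda m: m.received)
    senders = {m.sender for m in messages}
    span = ordered[-1].received - ordered[0].received
    if len(senders) > 1 and span <= window:
        findings.append(f"{len(senders)} distinct senders confirmed the same change within {span}")
    new = sorted({m.sender for m in messages if not m.sender_seen_before})
    if new:
        findings.append(f"first-ever messages from: {', '.join(new)}")
    shared = set()
    for a, b in combinations(messages, 2):
        if a.sender != b.sender:
            shared |= shingles(a.body) & shingles(b.body)
    if shared:
        findings.append(f"identical phrasing across different senders: {sorted(shared)}")
    return findings


# Constructed: the accountant / client / accountant sequence from the text,
# arriving within an hour from addresses the practice has never seen.
T0 = datetime(2025, 3, 5, 14, 2)
CAMPAIGN = [
    Message("john@smith-accounting.test", T0,
            "Hi Sarah, I wanted to give you a heads up that Jane's banking arrangements "
            "have changed due to their refinancing. They will be sending through updated details.",
            False),
    Message("jane.smith@client-mail.test", T0 + timedelta(minutes=31),
            "Hi Sarah, as John mentioned, our banking has changed with the refinancing. Here are "
            "the new account details for Friday's settlement. Can you please confirm you've received these?",
            False),
    Message("john@smith-accounting.test", T0 + timedelta(minutes=58),
            "Sarah, following up on the banking details Jane sent through. Given Friday's deadline, "
            "can you please confirm you're ready to process to the new account?",
            False),
]

# Constructed: routine traffic from known parties, days apart, with independent wording.
ROUTINE = [
    Message("john@smithaccounting.test", datetime(2025, 3, 3, 9, 5),
            "Hi Sarah, attached is the signed statement of adjustments for 12 Example St.", True),
    Message("jane.smith@client-mail.test", datetime(2025, 3, 4, 15, 20),
            "Hi Sarah, thanks for the update, we are happy with the figures.", True),
]

if __name__ == "__main__":
    for label, group in (("campaign", CAMPAIGN), ("routine", ROUTINE)):
        print(label, correlate(group) or "nothing coordinated")
```

The campaign group trips all three signals; the shared shingle it reports is "can you please confirm", which appears in both the "client" and the "accountant" message. The routine group returns nothing. No single finding here is conclusive on its own, which is the point the text makes: the suspicious pattern is the co-occurrence, which a per-message scanner never sees.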

Threat intelligence integration: Incorporating external threat data about known conveyancing fraud campaigns, compromised accounting firms, and emerging attack patterns targeting professional services.

Geographic and temporal analysis: Detecting when communications originate from unexpected locations or at suspicious times:

  • Accountant's email coming from country where they don't operate
  • Communications timed to when key parties are unavailable (client overseas, recipient's senior partners on leave)
  • Patterns matching known fraud campaigns targeting specific regions or practice types

This multi-dimensional analysis combines signals that are individually weak (an off-hours send, a bank account never seen before, a domain registered days ago, two unrelated senders pushing the same change) into a verdict that no single check could reach on its own.

Advanced Capabilities for Modern Threats

QR code detection and analysis: Unlike traditional SEGs, Abnormal can detect QR codes embedded in images, extract the encoded URLs, and analyse them for malicious intent—all before the email reaches the inbox. This is critical for protecting professionals who increasingly encounter QR codes in legitimate banking and client portal communications.

AI-generated content detection: Behavioural AI can identify when email content, while grammatically perfect and professionally written, exhibits patterns inconsistent with the purported sender's historical communication style. That mismatch is the tell whether the text was typed by a human attacker or generated by an LLM, because the comparison is against mail the recipient actually received from that sender, not against generic indicators of machine-written text. This is particularly valuable in professional services, where subtle communication differences can indicate fraud.

Thread manipulation detection: Abnormal's unique capability to verify whether quoted "previous conversations" actually exist in the recipient's mailbox is game-changing for detecting fabricated email history—one of the most effective fraud techniques targeting conveyancing.

Multi-party impersonation detection: By analysing communication patterns across multiple supposedly distinct senders, Abnormal can identify coordinated campaigns where a single attacker impersonates multiple parties (client, accountant, broker) to create false consensus.

Account takeover detection: When legitimate accounts are compromised, Abnormal detects the behavioural changes—different communication patterns, unusual recipients, content anomalies, geographic inconsistencies—that indicate the account is no longer under the legitimate user's control. This is critical because compromised accountant or agent accounts are common entry points for conveyancing fraud.

Vendor email compromise (VEC): By understanding normal vendor and professional service provider communication patterns, Abnormal can detect when a legitimate accountant's, broker's, or agent's email has been compromised and is being used to target your organization with fraudulent settlement instructions.

Automated Response and Remediation

Detection is only half the battle. Abnormal provides automated response capabilities that are particularly valuable for time-sensitive professional services transactions:

Pre-delivery blocking: High-confidence threats are automatically blocked before reaching inboxes, with no user interaction required. This stops fraudulent settlement instructions before solicitors even see them.

Post-delivery remediation: If a threat is detected after delivery (perhaps as more context becomes available or after behavioural patterns fully emerge), Abnormal can automatically remove it from all recipient inboxes. This is critical when a compromised accountant's email is used to send fraudulent instructions to multiple solicitors—all malicious emails can be removed simultaneously.

Contextual user warnings: For ambiguous cases where certainty isn't 100%, Abnormal can tag emails with warnings providing specific context about why the email might be suspicious:

  • "This email claims to continue a previous conversation, but no matching previous emails were found in your mailbox"
  • "The sender's communication style differs significantly from their historical patterns"
  • "Banking details are being changed unusually close to settlement date"
  • "Multiple parties are confirming this change in coordinated timing, which is unusual"

These contextual warnings help professionals make informed decisions while still allowing access if the communication is actually legitimate.

Suspicious banking detail alerts: Specific detection and warnings for banking detail changes in settlement communications, helping professionals pause and verify before processing high-value transfers.

Real-World Impact: What Changes for Professional Services

When professional services organizations move beyond traditional email security to behavioural AI platforms, the results are dramatic—particularly in preventing the devastating fraud that targets client trust accounts and high-value transactions:

Catching What Others Miss

Law firms and conveyancing practices using Abnormal alongside existing SEGs and M365 consistently report that 40-60% of threats blocked by Abnormal were not caught by their previous solutions. These aren't marginal threats—they're sophisticated BEC attempts specifically designed to defraud client settlements, impersonate trusted professionals, and manipulate transaction communications.

The fraudulent emails that result in six-figure or seven-figure losses? Those almost always passed through traditional email security without triggering any alerts.

Detecting Thread Manipulation

One of Abnormal's most valuable capabilities for professional services is detecting when attackers fabricate "previous correspondence" to make their banking change requests appear legitimate. By verifying whether quoted previous emails actually exist in the recipient's mailbox, Abnormal catches a technique that is completely invisible to traditional email security.

A solicitor receives what appears to be a continuation of an ongoing conversation about settlement banking details. Traditional security sees nothing wrong. Abnormal identifies that the "previous emails" quoted in the thread don't actually exist—immediate red flag, immediate block.
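The thread check described here (and in the "Thread integrity verification" list earlier in this section) can be reduced to three questions a mail filter can ask: do the Message-IDs in the References and In-Reply-To headers exist in the recipient's mailbox, do the people named in the quoted "On ... wrote:" attributions have any history with the recipient, and does a message that presents itself as a reply carry threading headers at all? The Python below is an added example written for this page, not Abnormal's code. The mailbox index and the three messages are constructed; a real deployment would look Message-IDs up in the mail store (Microsoft Graph, IMAP) rather than in a dictionary.

```python
"""Thread-integrity check: does the 'previous correspondence' an inbound
message quotes or references actually exist in the recipient's mailbox?

Added illustration of the check described on this page, not Abnormal's
code. The mailbox index and the three messages below are constructed."""
import re
from email import message_from_string

# Constructed mailbox index: Message-ID -> sender address. A real check
# would query the recipient's mail store (Graph API / IMAP) instead.
MAILBOX = {
    "<a1@agent.example>": "jo@agent.example",
    "<b2@buyersolicitor.example>": "me@buyersolicitor.example",
}

ATTRIBUTION = re.compile(r"^On .+ wrote:\s*$", re.M)   # "On <date>, <who> wrote:"
ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
MSG_ID = re.compile(r"<[^>]+>")


def verify_thread(raw, mailbox=MAILBOX):
    """Return threading findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    refs = MSG_ID.findall(msg.get("References", "")) + MSG_ID.findall(msg.get("In-Reply-To", ""))
    refs = list(dict.fromkeys(refs))                    # de-duplicate, keep order
    missing = [r for r in refs if r not in mailbox]     # claimed ancestors we never received

    body = msg.get_payload()
    quoted_senders = [ADDRESS.findall(line)[-1]         # last address on each "wrote:" line
                      for line in ATTRIBUTION.findall(body) if ADDRESS.findall(line)]
    known_senders = set(mailbox.values())
    unverified = [a for a in quoted_senders if a not in known_senders]

    looks_like_reply = msg.get("Subject", "").lower().startswith("re:") or bool(quoted_senders)
    if looks_like_reply and not refs:
        verdict = "fabricated-thread"   # quoted history but no threading headers at all
    elif missing or unverified:
        verdict = "suspicious"
    else:
        verdict = "consistent"
    return {"verdict": verdict, "missing_references": missing,
            "unverified_quoted_senders": unverified}


# Constructed messages. GENUINE continues a thread the recipient really has.
GENUINE = "\n".join([
    "From: jo@agent.example",
    "To: me@buyersolicitor.example",
    "Subject: Re: Settlement 14 High St",
    "Message-ID: <c3@agent.example>",
    "In-Reply-To: <b2@buyersolicitor.example>",
    "References: <a1@agent.example> <b2@buyersolicitor.example>",
    "",
    "Thanks, all on track for the 15th.",
    "",
    "On Mon, 3 Mar 2025 at 09:12, me@buyersolicitor.example wrote:",
    "> Confirming we have the signed contract.",
])
# FRAUD reuses one real Message-ID and invents an 'earlier' message from the accountant.
FRAUD = "\n".join([
    "From: accounts@clients-accountant.example",
    "To: me@buyersolicitor.example",
    "Subject: Re: Settlement 14 High St - updated account details",
    "Message-ID: <x1@clients-accountant.example>",
    "In-Reply-To: <zz9@clients-accountant.example>",
    "References: <a1@agent.example> <zz9@clients-accountant.example>",
    "",
    "As per our earlier exchange below, please use the new account for settlement.",
    "",
    "On Fri, 28 Feb 2025 at 16:40, accounts@clients-accountant.example wrote:",
    "> Please note our client's banking arrangements have changed.",
])
# PASTED quotes a plausible message from a real party but carries no threading headers.
PASTED = "\n".join([
    "From: accounts@clients-accountant.example",
    "To: me@buyersolicitor.example",
    "Subject: RE: Settlement 14 High St",
    "Message-ID: <x2@clients-accountant.example>",
    "",
    "Following our discussion below, settlement funds should now go to the new account.",
    "",
    "On Thu, 27 Feb 2025 at 14:02, jo@agent.example wrote:",
    "> Happy for the accountant to send through the new details.",
])

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("fraud", FRAUD), ("pasted", PASTED)]:
        print(name, verify_thread(raw))
```

Treat a missing reference as a signal to weight, not a verdict on its own: a recipient copied into a thread late will legitimately lack the earlier messages, some clients wrap the "wrote:" line across two lines, and forwards often drop References. The pasted case (a convincing quote from a real party with no threading headers at all) is the variant that most often reaches a solicitor's inbox unchallenged, and it is the cheapest to detect.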

Identifying Multi-Party Orchestration

When attackers impersonate multiple parties (client, accountant, broker) to create false consensus around fraudulent banking changes, Abnormal's ability to correlate communications and detect coordinated campaigns becomes invaluable.

Rather than examining each confirmatory email in isolation, Abnormal recognises patterns suggesting that the "client," "accountant," and "broker" emails are actually part of a coordinated attack—perhaps they exhibit similar language patterns, arrive in suspicious timing, or reference relationships that don't match historical communication patterns.

Protecting Compromised Accounts

When an accountant's or real estate agent's email is compromised, Abnormal detects the behavioural changes even though the emails come from a legitimate, authenticated account. This is critical because account takeover is a common entry point for attacking multiple conveyancing transactions simultaneously.

Traditional security trusts the authenticated account. Abnormal notices that the account is suddenly sending emails with different patterns, unusual timing, or content anomalies—and blocks the fraudulent settlement instructions before any funds are transferred.

Reducing False Positives

Traditional email security generates significant false positives in professional services, where legitimate banking changes, urgent settlement communications, and multi-party coordination are routine. Behavioural AI's contextual approach dramatically reduces false positives because it understands what's actually unusual for your specific practice and professional relationships, not just what matches generic threat patterns.

A legitimate last-minute banking change for a complex commercial transaction might look suspicious to rule-based systems but is recognised as normal by Abnormal because it matches the patterns, parties, and communication style of genuine client communications.

Closing the Remediation Gap

When account takeover is detected, speed is critical in professional services where settlement deadlines loom. The ability to automatically remove malicious emails sent from compromised accounts—across all recipient inboxes—can prevent fraudulent instructions from being acted upon before the practice even knows an attack occurred.

If a real estate agent's account is compromised and used to send fraudulent settlement instructions to 15 different solicitors handling that agent's transactions, Abnormal can identify the compromise and remove all 15 fraudulent emails simultaneously—before any settlements are processed.

Protecting the Mobile Perimeter

By detecting and analysing QR codes, Abnormal protects professional services from quishing attacks that completely bypass traditional email security. This is particularly important as mobile banking verification, client portal access, and secure document sharing increasingly use QR codes that professionals scan with personal devices.

Adapting to AI Threats

As attackers increasingly use AI to craft sophisticated impersonation emails that perfectly match professional communication styles, only AI-powered defences can keep pace. Rule-based systems will always lag behind adversaries who can rapidly iterate and adapt their techniques to sound exactly like real accountants, solicitors, or clients.

The Integration Advantage

Abnormal doesn't require ripping out existing infrastructure. It integrates via API with M365, Google Workspace, and other email platforms, augmenting rather than replacing current protections. This means:

  • No MX record changes or mail flow disruptions
  • Existing SEGs continue providing malware and spam filtering
  • Native email platform features remain active
  • Behavioural AI adds a layer that catches what others miss
  • No changes to user workflows or email clients
  • Seamless deployment without disrupting daily operations

This is particularly important for professional services firms where any disruption to email communication could impact client service, miss settlement deadlines, or create compliance issues.

The defense-in-depth approach combines the strengths of multiple security layers while addressing gaps that no single traditional solution can close. Your SEG blocks malware, M365 filters spam, and Abnormal protects against the sophisticated BEC attacks that specifically target high-value transactions.

The Professional Services Imperative: Why This Matters More Than Ever

The stakes for professional services firms couldn't be higher. A single successful conveyancing fraud doesn't just mean financial loss—it can mean:

Career-Ending Consequences

Solicitors have lost their practicing certificates after falling victim to sophisticated BEC attacks. Regulatory bodies take client fund losses seriously, and even when the attack was highly sophisticated, practitioners face investigations, sanctions, and reputation damage that can end careers built over decades.

Practice-Destroying Financial Impact

Professional indemnity insurance may not cover all losses, particularly if investigators determine that "reasonable precautions" weren't taken. When a law firm must repay £500,000 to a client whose settlement funds were misdirected, the financial impact can force practice closures, especially for smaller firms.

Many practices have closed their doors not because of the immediate financial loss, but because of the insurance premium increases, client exodus, and reputation damage that follows a publicised fraud incident.

Cascading Client Impact

One successful attack often affects multiple parties:

  • The buyer loses their deposit or purchase funds
  • The seller doesn't receive payment
  • Lenders face complications with mortgage disbursement
  • Real estate agents lose their commission
  • Other professionals in the chain face delays and complications

The ripple effect of a single compromised transaction can damage relationships with dozens of clients and professional partners.

Regulatory Scrutiny and Compliance Consequences

Law societies and professional oversight bodies are increasingly focused on cybersecurity practices. Firms that fall victim to BEC attacks face:

  • Mandatory reporting requirements
  • Detailed investigations into security practices
  • Potential findings of negligence or inadequate safeguards
  • Requirements to implement additional controls
  • Ongoing monitoring and compliance obligations

The regulatory burden that follows an incident can be more damaging than the financial loss itself.

The Duty of Care Evolution

Courts are increasingly recognising that professionals have a duty to implement reasonable cybersecurity measures to protect client funds. As BEC attacks become more common and well-known, the standard for "reasonable measures" is rising.

Relying solely on traditional email security may no longer meet the duty of care standard when sophisticated BEC attacks are a known and growing threat. Demonstrating that your practice has implemented advanced, behaviour-based email security becomes part of showing due diligence in protecting client interests.

Case Study: How Context Catches What Content Cannot

Consider this real-world scenario (details anonymised):

The Setup: A mid-sized conveyancing practice was handling a £680,000 residential property settlement. The transaction involved standard parties: buyer, seller, buyer's solicitor (the target practice), seller's solicitor, real estate agent, and buyer's mortgage broker.

The Attack: Three weeks before settlement, an attacker compromised the real estate agent's email account through a credential phishing attack. The attacker monitored communications about multiple transactions, identifying high-value settlements approaching their deadlines.

Day 1: Email appears to come from the real estate agent to the buyer's solicitor: "Just wanted to give you a heads-up that the seller has changed their banking arrangements. The seller's solicitor will be sending updated details shortly. Everything else on track for settlement on the 15th."

Day 3: Email appearing to come from the seller's solicitor (using a lookalike domain): "Updated banking details for settlement attached. As mentioned by [real estate agent], the seller's banking has changed. Please confirm receipt and update your settlement records."

Day 5: Email appearing to come from the seller directly (using a compromised personal email): "Just confirming the banking details my solicitor sent through. Can we please ensure settlement processes on the 15th as planned? We have our own purchase settlement on the 16th that depends on these funds."

Day 7: Follow-up email from the fake "seller's solicitor": "Can you please confirm you've updated the banking details? Settlement is next week and we need to ensure everything is in order."

What Traditional Security Saw:

  • No malware in any email
  • No malicious links
  • First email from legitimate, authenticated account (real estate agent's compromised account)
  • Professional formatting and language throughout
  • Proper email threading and subjects
  • All four emails delivered to inbox without alerts

What Abnormal Detected:

Email 1 Analysis (Real Estate Agent):

  • Sender authenticated correctly BUT behavioural analysis flagged anomalies:
    • Email sent at 2:47 AM (agent typically only sends business hours emails)
    • Geographic origin didn't match agent's normal sending patterns
    • Communication style subtly different (more formal than agent's typical casual tone)
    • First time the agent has proactively raised banking changes (historically they forward such information from the solicitor rather than initiating it)
  • Risk Score: MEDIUM - Flagged for monitoring

Email 2 Analysis ("Seller's Solicitor"):

  • Domain analysis revealed lookalike domain registered 48 hours earlier
  • Claimed law firm name didn't match any previous communications with this practice
  • No historical relationship between this "solicitor" and the target practice
  • Banking institution in the attached details never previously seen in this practice's settlement history
  • Email referenced previous communication from real estate agent (Email 1) which was already flagged as suspicious
  • Risk Score: HIGH - Blocked before delivery with alert to recipient: "This email claims to be from a solicitor firm but uses a newly registered lookalike domain. The email also references a previous communication that exhibited suspicious behavioural patterns."

Email 3 Analysis ("Seller"):

  • Email from personal account with no previous communication history
  • Timing coincided with Email 2 (coordinated pattern)
  • Communication style analysis revealed language patterns inconsistent with casual personal email (too formal, suggesting professional attacker rather than actual seller)
  • Referenced banking details that were already blocked in Email 2
  • Multi-party correlation detected coordination between Emails 2 and 3 (arrived within hours, referenced same banking change, exhibited similar formal writing style)
  • Risk Score: CRITICAL - Blocked before delivery

Email 4 Analysis ("Seller's Solicitor" Follow-up):

  • From same lookalike domain already identified
  • Part of coordinated campaign with previous blocked emails
  • Risk Score: CRITICAL - Blocked automatically
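The four analyses above can be expressed as a small scoring routine over messages in arrival order, which makes the reasoning checkable: every signal is a comparison against the practice's own history, and later verdicts depend on earlier ones (Email 2 cites a flagged message, Email 3 pushes the account Email 2 introduced, Email 4 comes from a domain already blocked). The Python below is an added example for this page, not Abnormal's model. The per-sender baseline, known domains and accounts, WHOIS ages, weights, thresholds and the five messages (a benign control plus the four from the case study) are all constructed, and the weights are chosen to reproduce the risk levels the case study reports rather than tuned on real data.

```python
"""Contextual scoring of the case-study emails, in arrival order.

Added example for this page, not Abnormal's model. Baselines, WHOIS ages,
accounts, weights, thresholds and the messages below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Email:
    id: str
    sender: str
    sent: datetime
    country: str                  # sending country, from authentication/IP data
    text: str
    account: Optional[str] = None                   # bank account quoted, if any
    mentions: list = field(default_factory=list)    # ids of earlier messages it relies on


# Constructed practice history: what "normal" looks like for this firm.
SENDER_BASELINE = {   # learned per sender from past mail
    "jo@agent.example": {"hours": range(7, 19), "countries": {"AU"},
                         "topics": {"inspection", "contract", "settlement"}},
}
KNOWN_DOMAINS = {"agent.example", "sellerlaw.example"}    # prior correspondence exists
KNOWN_ACCOUNTS = {"062-000 12345678"}                      # seen in past settlements
DOMAIN_AGE_DAYS = {"sellerlaw-conveyancing.example": 2}   # constructed WHOIS lookup
COORD_WINDOW = timedelta(hours=72)

WEIGHTS = {"off_hours": 2, "new_geo": 2, "new_topic": 1, "no_relationship": 2,
           "lookalike": 2, "new_domain": 2, "new_bank": 1, "references_flagged": 2,
           "coordination": 5, "blocked_sender_domain": 4}


def level(score):
    return "CRITICAL" if score >= 10 else "HIGH" if score >= 7 else "MEDIUM" if score >= 4 else "LOW"


def score_emails(emails):
    """Return {id: (score, level, signals)}; earlier verdicts feed later ones."""
    flagged, blocked_domains, seen, results = set(), set(), [], {}
    labels = {d.split(".")[0] for d in KNOWN_DOMAINS}
    for e in emails:
        domain = e.sender.split("@")[1]
        base = SENDER_BASELINE.get(e.sender)
        sig = set()
        if base:   # known sender: compare against their own history
            if e.sent.hour not in base["hours"]:
                sig.add("off_hours")
            if e.country not in base["countries"]:
                sig.add("new_geo")
            if "bank" in e.text.lower() and "banking" not in base["topics"]:
                sig.add("new_topic")
        if domain not in KNOWN_DOMAINS:
            sig.add("no_relationship")
            if any(l in domain for l in labels):     # reuses a known firm's name
                sig.add("lookalike")
        if DOMAIN_AGE_DAYS.get(domain, 10**6) < 30:
            sig.add("new_domain")
        if domain in blocked_domains:
            sig.add("blocked_sender_domain")
        if e.account and e.account not in KNOWN_ACCOUNTS:
            sig.add("new_bank")
        if any(m in flagged for m in e.mentions):
            sig.add("references_flagged")
        # multi-party correlation: an unrelated sender pushed the same new account recently
        if e.account and any(p.account == e.account and p.sender.split("@")[1] != domain
                             and e.sent - p.sent <= COORD_WINDOW for p in seen):
            sig.add("coordination")
        total = sum(WEIGHTS[s] for s in sig)
        lvl = level(total)
        if lvl != "LOW":
            flagged.add(e.id)
        if lvl in ("HIGH", "CRITICAL") and "lookalike" in sig:
            blocked_domains.add(domain)   # block a domain only when it is a lookalike
        seen.append(e)
        results[e.id] = (total, lvl, sorted(sig))
    return results


EMAILS = [  # constructed; e0 is a benign control, e1..e4 follow the case study
    Email("e0", "jo@agent.example", datetime(2025, 2, 20, 10, 0), "AU",
          "Building inspection report attached for 14 High St."),
    Email("e1", "jo@agent.example", datetime(2025, 3, 1, 2, 47), "US",
          "Heads-up: the seller has changed their banking arrangements; "
          "their solicitor will send updated details. Settlement on the 15th on track."),
    Email("e2", "settlements@sellerlaw-conveyancing.example", datetime(2025, 3, 3, 10, 5), "US",
          "Updated banking details for settlement attached, as mentioned by Jo.",
          account="082-991 99881234", mentions=["e1"]),
    Email("e3", "seller.person@webmail.example", datetime(2025, 3, 5, 9, 50), "AU",
          "Confirming the banking details my solicitor sent through. Please settle on the 15th.",
          account="082-991 99881234", mentions=["e2"]),
    Email("e4", "settlements@sellerlaw-conveyancing.example", datetime(2025, 3, 7, 11, 20), "US",
          "Can you confirm you have updated the banking details? Settlement is next week.",
          mentions=["e2"]),
]

if __name__ == "__main__":
    for mid, (score, lvl, sig) in score_emails(EMAILS).items():
        print(f"{mid}: {lvl:8} score={score:2} {sig}")
```

Two design choices matter in practice. Blocking by sender domain is only safe for a freshly registered lookalike; the seller's webmail provider is shared with legitimate clients, so there only the message is blocked, never the domain. And the coordination signal keys on a concrete artefact, the same account number arriving from two unrelated senders inside a window, rather than on text similarity alone, because an attacker can vary wording freely but has to keep repeating the destination account.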

The Outcome:

With traditional security, all four emails would have been delivered. The multi-party verification (agent, seller's solicitor, seller, follow-up confirmation) would have appeared convincing. The practice would likely have updated banking details and processed settlement to the fraudulent account. £680,000 would have been lost.

With Abnormal, the first email was flagged for behavioural anomalies even though it came from a legitimate, compromised account. The second email was blocked entirely based on domain analysis and relationship intelligence. Emails 3 and 4 were blocked as part of a detected coordinated campaign.

The practice was immediately alerted to the attack attempt. It contacted the real estate agent, who discovered the account compromise, and verified the actual settlement banking details with the seller by phone. (Call-back verification only works when the number comes from the file or a previously verified contact, never from the suspect email itself.) The transaction then proceeded with the legitimate banking information.

Critical insight: Every single email in this attack would have appeared legitimate to content-based security. No malware, no suspicious links, proper formatting, professional language. Only behavioural analysis and contextual intelligence revealed the fraud.

The Bottom Line: Professional Services Need More Than Email Content Security

Email security that only looks at email content is fundamentally insufficient for protecting professional services from the BEC attacks that specifically target high-value transactions, client trust accounts, and conveyancing settlements.

Attackers have studied how legal, accounting, and conveyancing practices operate. They understand the communication patterns, the parties involved in transactions, the urgency around settlement deadlines, and the trust relationships that make these sectors vulnerable. They've adapted their techniques specifically to bypass content-based security:

  • No malware, so SEGs find nothing to block
  • No suspicious links, so Safe Links never triggers
  • Authenticated senders (compromised accounts), so SPF/DKIM/DMARC checks pass
  • Professional language and formatting, so spam filters see legitimate business communication
  • Thread manipulation makes fabricated conversations appear genuine
  • Multi-party coordination creates false consensus that overwhelms skepticism
  • Convincing impersonation (often AI-generated) means the communication style matches what the recipient expects

The difference between a legitimate last-minute banking change and a sophisticated fraud attempt isn't in the content—it's in the context:

  • Does this relationship exist historically?
  • Do the quoted previous conversations actually exist?
  • Are multiple parties coordinating suspiciously?
  • Does the communication pattern match historical norms?
  • Is the timing anomalous given settlement workflows?
  • Are there geographic or behavioural indicators suggesting compromise?
  • Does the requested banking information align with patterns from legitimate transactions?

Traditional email security gateways and M365's built-in protection provide valuable baseline defense, but they operate without the contextual intelligence necessary to detect the sophisticated BEC attacks targeting professional services. They're watching for known bad content, but today's threats exploit trusted relationships, legitimate accounts, and carefully constructed social engineering that content analysis cannot detect.

Taking Action: Protecting Your Practice and Your Clients

For professional services firms—particularly those handling client funds, conveyancing transactions, or any high-value financial transfers—the question isn't whether you need email security. You already have that. The questions you should be asking are:

Can your current email security detect when attackers fabricate previous conversation history to make their requests appear legitimate?

No traditional SEG or M365 can verify whether quoted "previous emails" actually exist in your mailbox. This single capability would prevent a significant portion of sophisticated BEC attacks targeting settlements.

Can your security identify when multiple parties are impersonating different roles in a coordinated campaign?

When the "client," "accountant," and "broker" are all actually the same attacker creating false consensus, content-based security examines each email in isolation and misses the orchestration. Only behavioural correlation can detect these patterns.

Does your security understand the normal communication patterns for your practice's professional relationships?

Generic rules can't distinguish between a legitimate urgent banking change and a fraudulent one. Context-aware security that knows how your accountants typically communicate, how banking details are normally shared, and what's genuinely unusual for your practice can make that distinction.

Can your security detect when legitimate professional accounts have been compromised and are being used to send fraudulent instructions?

When emails come from your accountant's real, authenticated email address but behavioural patterns indicate compromise, content-based security sees nothing wrong. Behavioural AI detects the anomalies.

Are you protected against QR code phishing that bypasses all traditional email security?

As banking and client portals increasingly use QR codes, and attackers exploit them to harvest credentials via mobile devices, can your security even detect when QR codes in emails lead to malicious destinations?

Can your security adapt to AI-generated impersonations that perfectly mimic communication styles?

As attackers use large language models to create emails that match your clients' and colleagues' writing styles with frightening accuracy, rule-based detection that looks for poor grammar or known phrases becomes obsolete. Behavioural analysis still has something to compare against: the sender's real history with your practice, which the attacker cannot rewrite.

The Duty to Your Clients

Ultimately, this comes down to your professional duty to protect client interests. When you hold client funds in trust accounts, when you process settlement transactions worth hundreds of thousands or millions, when clients rely on your practice to safeguard their life savings, the obligation to implement reasonable security measures isn't optional—it's fundamental to your professional responsibility.

Traditional email security was reasonable when attacks used malware and obvious phishing. But as attacks have evolved to exploit trust, relationships, and context—specifically targeting the professional services sector with sophisticated social engineering—the standard for "reasonable security measures" must evolve as well.

Platforms like Abnormal Security represent that evolution. Not as a replacement for existing security, but as the essential layer that addresses the sophisticated, context-dependent, relationship-exploiting attacks that traditional content-based security fundamentally cannot detect.

Your email gateway is still checking for malware. Microsoft 365 is still filtering spam. But who's analysing whether that urgent banking change request actually makes sense given the historical relationship? Who's verifying that the "previous conversation" quoted in the thread actually occurred? Who's detecting when multiple parties are coordinating their confirmations suspiciously? Who's identifying when your trusted accountant's account has been compromised and is being used to send fraudulent settlement instructions?

Without behavioural AI and contextual intelligence, the answer is: no one.

And that gap—the space between content security and contextual security—is exactly where attackers are operating to steal client funds, compromise trust accounts, and defraud conveyancing transactions.

The question isn't whether your practice can afford to implement advanced email security. Given the career-ending, practice-destroying consequences of a single successful BEC attack, the question is whether your practice can afford not to.

Because in the world of Business Email Compromise targeting professional services, the devil isn't in the malicious attachment or suspicious link. It's in the fabricated conversation history, the coordinated impersonation, the exploited trust relationship, and the contextual anomalies that only behavioural intelligence can detect.

Your traditional email security is watching the content. But without Abnormal, nothing is watching the context and context is everything.

If you would like to see a demo or learn more please get in touch below.

02 7230 1350

John Reeman - Virtual CISO


I'm the CEO and Founder of Cyooda Security, an independent cybersecurity and digital forensics advisory consultancy based in Sydney, and the former CISO of King & Wood Mallesons, a global law firm, with 30 years of cybersecurity leadership protecting organisations and government agencies from data breaches, ransomware, and cyber espionage.