Ask Jack: Can Trusted Agents And Contractors Play An Unknowing Part In E-Mail Compromise Attacks?

By Jack McCalmon, The McCalmon Group, Inc.

We train our employees to be suspicious of internal requests for money transfers. Anything else I should be concerned about?


Training your employees is a great first step, but email compromise attacks are not limited to internal requests. In fact, external requests from trusted contractors and/or agents present a huge risk for organizations, especially if a contractor or agent is compromised.

For example, if an attorney's email system is hacked and controlled by a criminal agent and from the attorney's email address, you receive an email stating that a dispute the attorney is managing has just settled, and you need to wire an amount to the attorney to make payment, that is an email compromise scam. It is a highly effective because it is within the parameters of the attorney's authority as counsel and because the request comes from the attorney's legitimate email address, so it seems valid.

This type of scam is not a hypothetical. It happens quite a bit, especially in real estate transactions. In New York, a buyer of a property was recently scammed of $746,000 when her attorney's email system was hacked.

The final takeaway is that any request for wired money is a red flag. You need to have an authentication process in place, including with agents and contractors, before any person is allowed to wire money on your organization's behalf. 

Jack McCalmon, Leslie Zieren, and Emily Brodzinski are attorneys with more than 50 years combined experience assisting employers in lowering their risk, including answering questions, like the one above, through the McCalmon Group's Best Practices Help Line. The Best Practice Help Line is a service of The McCalmon Group, Inc. Your organization may have access to The Best Practice Help Line or a similar service from another provider at no cost to you or at a discount. For questions about The Best Practice Help Line or what similar services are available to you via this Platform, call 888.712.7667.

If you have a question that you would like Jack McCalmon, Leslie Zieren, or Emily Brodzinski to consider for this column, please submit it to Please note that The McCalmon Group cannot guarantee that your question will be answered. Answers are based on generally accepted risk management best practices. They are not, and should not be considered, legal advice. If you need an answer immediately or desire legal advice, please call your local legal counsel.


Finally, your opinion is important to us. Please complete the opinion survey:


IT Staff Burnout Adds To Security Risks: Steps To Provide Balance

Work in the cybersecurity industry is not hard to find, but is the boom leading to burnout? We examine. Read More

Is An Organization-Wide Shutdown A Smart Response To Cyber Threats?

The University of Michigan shut down internet access in response to a cyber incident. We examine why isolating an infected network is the first step to recovery. Read More

Weak Passwords Allow Cybercriminals To Go Through The "Front Door"

Employers must stress good password practices to minimize breach risks. We examine why reusing passwords is a risky practice. Read More