The Reply-To Scam


The Reply-To Trap: How One Email Mismatch Can Put an IP Firm at Risk

A dangerous email does not always contain a malicious link.

Sometimes, it only requires you to reply to the wrong address.

In an IP practice, where instructions, invoices, deadlines and confidential documents move quickly between firms, clients and foreign associates, that small detail can have serious consequences.


The trap is often invisible

An email may appear to come from a trusted source — a client, foreign associate, colleague, or accounts contact.

The sender name looks familiar.
The message sounds routine.
The request fits ongoing work.

But when you hit reply, your response may go somewhere else entirely — to an address controlled by an attacker.

At that point, nothing has been “hacked”.
You have simply started a conversation with the wrong person.


A typical scenario in practice

Imagine this arrives in your inbox:

From: Accounts – Foreign Associate
Email: [email protected]
Subject: FICPI - International Federation of Intellectual Property Attorneys

Dear [...],

I trust you are well.

I am contacting you in relation to a matter concerning FICPI, and I would greatly value your assistance if you are able to provide it. Please inform me at your earliest convenience regarding your availability to help.

Thank you for your consideration, and I look forward to your response.

Best regards,
[FICPI Member whose name you recognise]

Nothing obviously wrong.

But in the message headers, which most mail clients do not show until you press reply, sits:

Reply-To: [email protected]

The visible sender suggests one thing.
The reply path tells a different story: when a Reply-To header is present, your client addresses the reply there, not to the From address you were shown.


Why this works in IP firms

FICPI members operate in fast-moving, trust-based environments:

  • frequent communication with known contacts

  • ongoing matters with familiar instructions

  • regular invoicing across jurisdictions

  • time pressure around filings and deadlines

In that context, people tend to scan emails quickly:

  • the name looks right

  • the matter sounds familiar

  • the request fits expectations

That is exactly what attackers rely on.

Once you reply, the exchange feels legitimate — because it sits inside a real-looking thread about real work.


How it becomes a financial or confidentiality risk

  1. Initial contact
    An email appears to come from a client, associate, or internal finance contact. It may simply ask you to confirm or acknowledge something.

  2. You reply
    Your mail client addresses the response to the Reply-To address when one is set, not to the visible sender, and the real contact never sees the thread.

  3. Trust builds
    The attacker continues the conversation, referencing invoices, matters, or deadlines.

  4. Pressure is introduced
    “Please process today.”
    “Updated bank details attached.”
    “We need this before close of business.”

  5. The change
    New payment instructions, amended invoices, or requests for sensitive documents are provided.

At that point, funds or confidential information can be misdirected — often without immediate detection.


The key point

The sender name (the display name your mail client shows) is not proof of identity.

In an IP context, emails may appear to come from:

  • a known foreign associate

  • a long-standing client

  • internal accounts teams

  • external service providers

But what matters is:

  • the actual sending address, not the display name

  • where your reply is directed (the Reply-To address, if one is set)

If those do not align, it is a warning sign. Alignment alone is not proof either: the sending address itself can be forged, so a message that passes this check still needs the independent verification described below before any payment or document request is acted on.


What FICPI members should check

Before replying to any email involving payments, instructions, or sensitive information:

  • Check the full sender address
    Do not rely on the display name alone.

  • Check the Reply-To field
    If it differs from the sender address, especially if it points to a free webmail domain (Gmail, Outlook, etc.) while the sender appears to be a firm, treat the message with caution.

  • Look closely at the domain
    Small variations can be easy to miss:

    • trustedassociate.com

    • trusted-associate.com

    • trustedassoc1ate.com

  • Be alert to changes in payment details
    Any update to bank information should be independently verified.

  • Watch for urgency
    Time pressure is a common tactic to bypass normal checks.

  • Verify outside email
    Use an existing, trusted contact method — not details provided in the email.
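The checks above on the sender address, the Reply-To field and the domain can be applied mechanically to a raw message before anyone replies. The script below is an added example, not part of this article or of any FICPI material: it parses a message with Python's standard email library, compares the From and Reply-To domains, flags a reply path that lands in free webmail, flags a display name that carries an address of its own, and compares both domains against a list of firms you already correspond with to catch the small variations listed above. The sample messages, the webmail list and the known-domain list (trustedassociate.com, ipfirm.example) are all constructed for illustration; the scenario message mirrors the one shown earlier in the article.

```python
"""Header checks for the Reply-To trap described in the article.

Added example, not the article's own material. The sample messages, the
domain names and the list of known associate domains are constructed.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import List, Optional

# Free webmail providers an attacker commonly uses for the Reply-To address.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Domains of firms you already correspond with (constructed for this example).
KNOWN_DOMAINS = {"trustedassociate.com", "ipfirm.example"}


def domain_of(address: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@host>'; '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Known domain that `domain` imitates (hyphen inserted, a character swapped), or None."""
    if not domain or domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if domain.replace("-", "") == known.replace("-", "") or edit_distance(domain, known) <= 2:
            return known
    return None


def check_reply_path(raw_message: str) -> List[str]:
    """Return warnings for a raw RFC 5322 message; an empty list means the reply path is consistent."""
    msg = message_from_string(raw_message, policy=default)
    from_hdr = str(msg.get("From", ""))
    reply_hdr = str(msg.get("Reply-To", ""))
    display_name, _ = parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)
    # With no Reply-To header, a reply goes back to the From address.
    reply_domain = domain_of(reply_hdr) if reply_hdr else from_domain
    warnings: List[str] = []

    # 1. The display name contains an address of its own that does not match the real one.
    if "@" in display_name and domain_of(display_name) != from_domain:
        warnings.append(f"display-name-spoof: name shows {display_name!r}, address is at {from_domain}")
    # 2. A reply would go to a different domain than the one the message claims to come from.
    if reply_domain != from_domain:
        warnings.append(f"reply-to-mismatch: From is {from_domain}, Reply-To is {reply_domain}")
    # 3. The reply path lands in a free webmail account.
    if reply_domain in WEBMAIL_DOMAINS:
        warnings.append(f"reply-to-webmail: replies go to {reply_domain}")
    # 4. Either domain is a near copy of one you actually correspond with.
    seen = set()
    for label, dom in (("from", from_domain), ("reply-to", reply_domain)):
        if dom in seen:
            continue
        seen.add(dom)
        target = lookalike_of(dom)
        if target:
            warnings.append(f"lookalike-{label}: {dom} resembles {target}")
    return warnings


# Constructed sample: the article's scenario as it looks in the raw headers.
SUSPICIOUS = """\
From: Accounts - Foreign Associate <accounts@trusted-associate.com>
Reply-To: accounts.foreignassociate@gmail.com
To: you@ipfirm.example
Subject: FICPI - International Federation of Intellectual Property Attorneys

Dear colleague,

I am contacting you in relation to a matter concerning FICPI.
"""

# Constructed sample: the display name is itself an address at the trusted domain.
DISPLAY_SPOOF = """\
From: "accounts@trustedassociate.com" <alerts@gmail.com>
To: you@ipfirm.example
Subject: Updated bank details

Please see the attached instructions.
"""

# Constructed sample: the same associate, genuine domain, no Reply-To.
LEGITIMATE = """\
From: Accounts - Foreign Associate <accounts@trustedassociate.com>
To: you@ipfirm.example
Subject: Invoice

Please find our invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("display-spoof", DISPLAY_SPOOF), ("legitimate", LEGITIMATE)):
        print(name, "->", check_reply_path(raw) or ["no warnings"])
```

Run against the suspicious sample it reports the Reply-To mismatch, the webmail reply path and the hyphenated lookalike of trustedassociate.com; the genuine message produces no warnings. A positive result is a reason to pick up the phone, as the article says, not a reason to reply and ask.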


A practical rule for IP firms

No change to payment details should be accepted on the basis of email alone.

Not because every request is fraudulent — but because the consequences of getting it wrong are significant.

A quick verification call to a known contact can prevent a costly mistake.


Why this matters for the FICPI community

FICPI members work across jurisdictions, firms and clients, often relying on longstanding professional relationships built on trust.

That same trust is what these attacks attempt to exploit.

The “Reply-To trap” is effective precisely because it does not look like a traditional cyberattack. It looks like everyday professional correspondence.


A simple habit that makes a difference

Before you reply, pause briefly and ask:

Where is this email actually directing my response?

That small check — of the Reply-To address, the domain, and the context — can be enough to stop a fraudulent exchange before it starts.

Because sometimes, the risk is not in what the email says…but in where your reply goes.