After maintaining this blog for over fourteen years, the most common question posted in the comments is still, "what’s the scam?" In today's digital age, a very simple, tried and tested way to scam the legal profession (and their staff) is a phishing scam. Attorneys and law firms have become prime targets for these phishing scams. In this blog post, I will explain how attorneys often fall victim to phishing scams and what steps they can take to protect themselves and their clients.
Understanding Phishing:
Phishing is a deceptive technique employed by cybercriminals to trick individuals into revealing sensitive information such as passwords, credit card numbers, or personal identification details. These scams usually come in the form of seemingly legitimate emails, messages, or websites that mimic trusted entities or individuals. In the case of attorney email scams, the trick is to get the attorney to deposit a large settlement check into their IOLTA. Shortly after the attorney gets hired (sometimes before any substantial work can be done, but usually no more than a demand letter goes out), the opposing party reaches out and says they will settle and that they are sending in the settlement. Lawyer gets the check and tells the new client. Hooray!
Unsuspecting lawyer deposits the check in IOLTA. The Phisher tells the lawyer to send him a check for the settlement, less the attorney's fees. Sometime later (2-3 weeks), the banks catch up, realize the settlement cashier’s check is fraudulent, and place a negative balance on the account. But the lawyer's check has already been cashed and the Phisher has disappeared. FBI and other law enforcement agencies will not do much. Actually, we have never heard of law enforcement doing anything other than taking a report.
Why Attorneys Are Vulnerable:
Trusting Nature: Attorneys often receive a high volume of emails and communication from clients, colleagues, and opposing parties. Their work relies heavily on responding promptly to messages, making it easier for phishing emails to slip through the cracks.
Lawyers Want Clients: The potential client looks well funded and the issue is within the lawyer's practice area.
Busy Schedules: The demanding nature of legal work often leads attorneys to multitask, which can reduce their vigilance when scrutinizing emails and messages.
Common Phishing Scenarios for Attorneys:
Impersonation of Potential Clients: Cybercriminals will impersonate clients, sending emails that appear genuine, and request to start a case.
Common terms and style: They will often say “in your jurisdiction” and use other turns of phrase that allow them to reuse the letter as a template, and the name and address of the company are often in a different font.
Real Businesses and Websites: They often use local businesses (in your jurisdiction) and they often have their own, fairly legit-looking website.
No Retainer: I have rarely seen a retainer check sent before the other side "settles." When they do, it is a cashier's check that will eventually bounce. See more on that below.
Protecting Attorneys from Phishing Scams:
Verify Email Sources: Always double-check the sender's email address and be cautious of any discrepancies or unusual requests, especially those related to money transfers.
Employee Training: Law firms should invest in cybersecurity training programs to educate their staff about phishing risks and best practices for identifying and mitigating such threats. Most IT programs provide training on this type of scam for free.
Beware of Urgency: Always take a moment to pause and verify any urgent or high-pressure email requests, especially those related to financial transactions or confidential data. Once you wire funds, you can never get them back.
Google Emails: Almost everyone who ends up at this blog had the good sense to google a portion of the email when their "spidey senses" started going off. They found themselves here. Do some sleuthing before taking on clients.
Look at Patterns: A majority of the phishing emails look like the ones you see here. But they often include contracts and other information that lend them credibility. Gone are the days of being able to spot scammers by bad grammar and spelling errors.
MOST IMPORTANT
Never Send Money That Has Not Cleared: We are taught that cashier's checks are as good as cash. We are not taught that it is easy to create fraudulent cashier's checks and that the banks will not catch this when they are initially deposited. Make sure that your bank has confirmed the check has cleared, preferably in writing, before refunding money.
Add to the conversation: If you got sent a variation of one of these scams, add it to the comments. That is how we stop these creeps and protect each other.
Conclusion:
It's crucial for legal professionals to remain vigilant and adopt cybersecurity measures to protect themselves from falling victim to these scams. By staying informed, educating staff, and being diligent, attorneys can continue to navigate the digital landscape.